Introduction
Description
July 18, 2012 - version 1.0
Update to December 4, 2013
On January 19, 2012, Rockwell Automation was notified by Digital Bond, Inc. of vulnerabilities discovered in an Allen-Bradley ControlLogix controller. The public disclosure of these findings occurred at the S4 conference and included details to allow for potential reproduction and exploitation of these vulnerabilities.
<Update A>
Vulnerability #1 has been addressed in Logix release V16.023 / V20.011 and higher.
Controller firmware issued with Logix release V16.023 / V20.012 and higher addresses the product vulnerability (see Vulnerability #2 below) in affected ControlLogix and GuardLogix controllers.
<Update A>
VULNERABILITY DETAILS
Vulnerability #1
A Denial of Service (DOS) condition results when an affected controller receives a malformed CIP packet that causes the controller to enter a fault state requiring the reloading of the user program. Receipt of such a message from an unauthorized source has the potential to cause loss of product availability and a disruption to the operation of other products in a system that depend on instructions issued by the affected controller. Recovery from successful exploitation requires the controller mode switch to be cycled. In addition, the user program must be reloaded either automatically from the local CompactFlash card, or manually via RSLogix 5000 software.
Vulnerability #2
A Denial of Service (DOS) condition results when an affected controller receives a valid CIP message that instructs the controller to stop logic execution and enter a fault state requiring the reloading of the user program. Receipt of such a message from an unintended or unauthorized source has the potential to cause loss of product availability and a disruption to the operation of other products in a system that depend on instructions issued by the affected controller. Recovery from successful exploitation requires the controller mode switch to be cycled. In addition, the user program must be reloaded either automatically from the local CompactFlash card, or manually via RSLogix 5000 software.
AFFECTED PRODUCTS
Rockwell Automation’s Security Taskforce has determined the following Rockwell Automation products are affected by these vulnerabilities. Investigations continue to evaluate if other Rockwell Automation products are similarly affected:
Vulnerability #1
- Version 18 and prior releases of ControlLogix, CompactLogix, GuardLogix and SoftLogix
NOTES: This vulnerability does not exist in controller products using V19 and higher.
Vulnerability #2
- Version 19 and prior releases of CompactLogix and SoftLogix controllers
- Version 20 and prior releases of ControlLogix and GuardLogix controllers
RISK MITIGATION
To help reduce the likelihood of compromise and the associated security risk, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously:
Vulnerability #1: Mitigation
- Where possible, we recommend users upgrade affected products to Logix release V20 and higher.
Vulnerability #2: Mitigations
1. Where possible, upgrade CompactLogix and SoftLogix affected products to Logix release V20 and higher.
<Update B>
2. Where possible, upgrade ControlLogix and GuardLogix to Logix firmware release v20.012 or higher.
<Update B>
3. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
4. Employ a Unified Threat Management (UTM) appliance that specifically supports CIP message filtering designed to block the CIP stop service.
NOTE: Rockwell Automation continues to investigate and evaluate other ControlLogix controller product-level strategies to address this vulnerability.
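A boundary-firewall rendering of mitigation #3, added here as an example and not part of the original advisory: it emits an nftables ruleset that drops TCP/UDP 2222 and 44818 arriving at the Manufacturing Zone from outside it, and evaluates individual flows against the same policy so the rule can be sanity-checked before it is deployed. The zone ranges and host addresses are constructed, and the nftables syntax assumes a release that supports named sets and `th dport`.

```python
"""Zone-boundary policy for EtherNet/IP (CIP) traffic, per mitigation #3.

Constructed example: the zone ranges and addresses are not from the advisory.
"""
import ipaddress

CIP_PORTS = (2222, 44818)  # EtherNet/IP ports named in the advisory
MANUFACTURING_ZONE = ("192.168.10.0/24", "192.168.11.0/24")  # constructed


def _in_zone(addr, zone_cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in zone_cidrs)


def cip_flow_decision(src, dst, proto, dport, zone_cidrs=MANUFACTURING_ZONE):
    """Simulate the boundary rule for one flow.

    Returns 'drop' for CIP traffic entering the zone from outside,
    'accept' for CIP traffic that does not cross the boundary inbound,
    and 'not-cip' for all other traffic (left to the rest of the policy).
    """
    if proto not in ("tcp", "udp") or dport not in CIP_PORTS:
        return "not-cip"
    if _in_zone(dst, zone_cidrs) and not _in_zone(src, zone_cidrs):
        return "drop"
    return "accept"


def nftables_ruleset(zone_cidrs=MANUFACTURING_ZONE):
    """Render the equivalent nftables rules for the zone-boundary firewall.

    Denied CIP flows are logged so boundary violations can be detected.
    """
    zone = ", ".join(zone_cidrs)
    ports = ", ".join(str(p) for p in CIP_PORTS)
    return "\n".join([
        "table inet cip_boundary {",
        "  set mfg_zone {",
        "    type ipv4_addr; flags interval;",
        f"    elements = {{ {zone} }}",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip saddr != @mfg_zone ip daddr @mfg_zone meta l4proto {{ tcp, udp }} "
        f"th dport {{ {ports} }} log prefix \"CIP-BOUNDARY-DROP \" drop",
        "  }",
        "}",
    ])
```

The chain keeps `policy accept` because non-CIP traffic is governed by the ingress/egress filtering recommended separately in this advisory, not by this rule.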
In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. If appropriate for the application, isolate the Industrial Control System network from the Enterprise network and other points of potential remote network access.
3. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
4. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
5. Use up-to-date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.
6. Make sure that software and control system device firmware is patched to current releases.
7. Periodically change passwords in control system components and infrastructure devices.
8. Where applicable, set the controller key-switch/mode-switch to RUN mode.
9. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.