Introduction
Description
November 29, 2012 - version 1.0
On November 25, 2012, Exodus Intelligence, Inc. (Exodus) disclosed a limited amount of information relating to purported vulnerabilities in some Rockwell Automation products. In addition, they identified associated risks relating to third-party software that is included with the Rockwell Automation product installation. As a result of this information disclosure, Rockwell Automation’s Security Taskforce independently reached out to Exodus to request greater details to help us validate these claims and assess risk so we could rapidly establish a responsible risk mitigation strategy for our customers.
On November 28, 2012, Exodus provided greater details of their findings directly to Rockwell Automation. This included specific information about affected products, product versions and also proof-of-concept exploitation code that demonstrates the particular product weaknesses. With our receipt of this information, Rockwell Automation launched a detailed technical evaluation of the claims and we further expanded our preparations to support our customers in risk remediation activities, if such actions should become necessary.
As a result of Rockwell Automation’s technical evaluations, the vulnerability claims made by Exodus have been validated and verified to affect an older version of a component of the Rockwell Automation FactoryTalk services platform. The particular affected component had been previously identified and has since evolved to already remove any risk associated with Exodus’ findings.
Rockwell Automation’s Security Taskforce evaluations specifically determined:
- One vulnerability identified by Exodus was a re-discovery of a previously known anomaly in a component version of a software service. Rockwell Automation addressed this vulnerability via a software patch first issued on October 4, 2011. In addition to releasing the patch, specific process improvement steps were put in place to remove the risk of re-introducing the anomaly in subsequent product releases.
- A second vulnerability identified by Exodus had already been internally identified and isolated by Rockwell Automation as a result of our ongoing code review processes within our Security Development Lifecycle (SDL). This vulnerability was similarly addressed in the same product patch issued on October 4, 2011. Similar process improvement steps were put in place at that time to avoid carrying the anomaly forward into newer software releases.
For specifics relating to the publicized vulnerabilities and resulting patch, refer to: https://rockwellautomation.custhelp.com/app/answers/detail/a_id/456144
- Exodus’ observation is accurate that Rockwell Automation software installations sometimes include third-party content such as Adobe® Reader. Such software is often included as a convenience for customers who may lack immediate access to the Internet to obtain a PDF viewer necessary to read certain electronic documentation included with our products.
In July 2008, at the time of the particular Rockwell Automation RSLogix 5000 product release evaluated by Exodus, Adobe® Reader Version 8 was a current version of PDF reader software. Since that initial product release, our subsequent software releases and master installation files have undergone numerous incremental and major revisions. These incremental product releases lead to the ongoing creation of newer software master installs which, where possible, include more current third-party content such as Adobe Reader. A customer who acquires the particular 2008 release of RSLogix 5000 software from Rockwell Automation today receives a software installation that includes more contemporary versions of third-party content, e.g. Adobe Reader X (Version 10).
We continue to encourage all customers to be proactive and stay current where possible with software patches and new product releases for all software used in their control systems.
CONTINUOUS IMPROVEMENT AND MATURITY MODEL
Rockwell Automation shares the same concerns as our customers, product users, the security research community and the public at large with regard to industrial control system security.
- We continue to make significant investment in our product development and testing processes and also provide relevant product and system security features to our customers to help protect assets, information and operational integrity.
- Our internal Security Development Lifecycle (SDL) continues to mature and demonstrate tangible value to help proactively address potential product and system design weaknesses.
- We parallel our product security developments, testing and overall SDL investments with added lessons learned from our formal approach to product security Threat Management and Incident Response.
These combined efforts and others result in a maturity model that allows for continuous improvements in our contemporary solutions, enhancing product and system security. Where technically feasible, some of these same improvements are also made available for many legacy products and systems.
ADDED RECOMMENDATIONS FOR RISK MITIGATION
Rockwell Automation advocates that all industrial control system asset owners invest in assessing the security risks in their automation systems and take appropriate measures to reduce known risks to an acceptable level. A balance of both technical and non-technical measures comprises a successful Security Program; risk-reducing compensating controls should therefore include a combination of careful product selection, network and infrastructure design and installation, maintenance and upgrade planning, and consistent personnel training, complemented by structured policies and procedures for employees to follow.
In particular, keeping software and hardware products and system components up to date remains a key imperative to help maintain and enhance the security posture of industrial control systems. The following links provide basic foundational information on security best practices proven suitable for all control systems:
For more information, and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendors' control products, visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security