Introduction
Description
July 18, 2012 - version 1.0
Update to May 4, 2012
On January 19, 2012, Rockwell Automation was notified by Digital Bond, Inc. of vulnerabilities discovered in an Allen-Bradley MicroLogix controller. The public disclosure of these findings occurred at the S4 conference and included details to allow for potential reproduction and exploitation of these vulnerabilities.
<Update A>
Rockwell Automation released firmware for the MicroLogix 1400 controller in June 2012 to address the identified vulnerability: a potential replay attack directed at the product’s webserver.
Due to technical limitations in the MicroLogix 1100 platform, Rockwell Automation recommends that concerned customers reduce the risk associated with this vulnerability by following good industrial control system design and security practices, including those listed below under RISK MITIGATION.
AFFECTED PRODUCTS
Rockwell Automation’s Security Taskforce has determined that the following Rockwell Automation products are affected by this vulnerability:
- MicroLogix 1100
- MicroLogix 1400
VULNERABILITY DETAILS
The webserver password authentication mechanism employed by the affected products is vulnerable to a Man-in-the-Middle (MitM) and Replay attack. Successful exploitation of this vulnerability allows unauthorized access to the product’s webserver to view and alter product configuration and diagnostic information. Recovery from successful exploitation may require the product to be reset to its factory-default settings.
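The class of weakness described above, shown as an added example: this is not Rockwell Automation's code and does not reproduce the MicroLogix authentication protocol, which the advisory does not detail. It contrasts a login that sends the same credential digest on every request, which an on-path attacker can capture and replay without ever learning the password, with a login bound to a single-use server nonce. The class names, the sample password and the 30-second nonce lifetime are assumptions made for the illustration.

```python
"""Replayable versus nonce-bound web login (illustrative model, not MicroLogix
firmware and not the product's actual authentication scheme)."""
import hashlib
import hmac
import os
import time

PASSWORD = "admin-secret"  # constructed sample credential for the example


class StaticDigestServer:
    """Vulnerable pattern: the client sends hash(password) on every login, so
    the same bytes are valid forever and an attacker who sees them once can
    replay them without knowing the password."""

    def __init__(self, password):
        self.expected = hashlib.sha256(password.encode()).hexdigest()

    def login(self, digest):
        return hmac.compare_digest(digest, self.expected)


def static_client_auth(password):
    """What the legitimate client puts on the wire (assumed format)."""
    return hashlib.sha256(password.encode()).hexdigest()


class NonceServer:
    """Hardened pattern: the server issues a fresh random nonce per login and
    the client answers HMAC(password, nonce). Each nonce is accepted once and
    expires, so a captured answer is useless to a replaying attacker."""

    def __init__(self, password, ttl_seconds=30.0, clock=time.monotonic):
        self.key = password.encode()
        self.ttl = ttl_seconds
        self.clock = clock
        self.issued = {}  # nonce -> issue time; entry removed on first use

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.issued[nonce] = self.clock()
        return nonce

    def login(self, nonce, response):
        issued_at = self.issued.pop(nonce, None)  # single use
        if issued_at is None or self.clock() - issued_at > self.ttl:
            return False
        expected = hmac.new(self.key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(response, expected)


def nonce_client_auth(password, nonce):
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()


def replay_against_static():
    """On-path attacker records one login and resends it later."""
    server = StaticDigestServer(PASSWORD)
    captured = static_client_auth(PASSWORD)  # observed on the wire by the attacker
    legitimate = server.login(captured)
    replayed = server.login(captured)         # attacker never learned PASSWORD
    return legitimate, replayed               # (True, True): replay succeeds


def replay_against_nonce():
    server = NonceServer(PASSWORD)
    nonce = server.challenge()
    captured = nonce_client_auth(PASSWORD, nonce)
    legitimate = server.login(nonce, captured)
    replayed = server.login(nonce, captured)  # nonce already consumed
    return legitimate, replayed               # (True, False): replay fails


def stale_nonce_rejected():
    """A nonce held past its lifetime is refused even if it was never used."""
    now = [0.0]
    server = NonceServer(PASSWORD, ttl_seconds=30.0, clock=lambda: now[0])
    nonce = server.challenge()
    now[0] = 31.0
    return server.login(nonce, nonce_client_auth(PASSWORD, nonce))  # False


if __name__ == "__main__":
    print("static digest:", replay_against_static())
    print("nonce-bound:  ", replay_against_nonce())
    print("stale nonce:  ", stale_nonce_rejected())
```

A single-use nonce defeats replay of a recorded login, but it does not stop an active on-path attacker who relays the live exchange; that needs transport protection or, as the mitigations below recommend, taking the webserver off the network path an attacker can reach.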
RISK MITIGATION
Enhancements to the MicroLogix 1400 firmware have been released that reduce the potential for a successful replay attack targeting the product’s webserver.
MicroLogix 1400
Catalog Number | Description | Affected Products | Corrective Firmware
1766-L32xxxx | MicroLogix 1400 controller | Series B FRN 11 or earlier | FRN 12 or higher
Current firmware for MicroLogix can be obtained here: http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html
<Update A>
MicroLogix 1100 and 1400
To help reduce the likelihood of compromise and the associated security risk, Rockwell Automation recommends the following immediate mitigation strategies. When possible, multiple strategies should be employed simultaneously:
1. Where possible for affected products, disable the web server in the Ethernet Channel 1 configuration in RSLogix 500 software. This is done by unchecking the HTTP Server Enable checkbox (checked by default) and power cycling the controller.
2. Change all default Administrator and Guest passwords.
3. If webserver functionality is desired in the MicroLogix 1100 or 1400 controllers, we recommend the product’s firmware be upgraded to the most current version that includes enhanced protections including:
a. When a controller receives two consecutive invalid authentication requests from any HTTP client, the controller resets the Authentication Counter after 60 minutes.
b. When a controller receives 10 invalid authentication requests from any HTTP client, it will not accept any valid or invalid Authentication packets until a 24-hour HTTP Server Lock Timer timeout.
WARNING/REMINDER: Upgrading the controller firmware clears the web server configuration. It is necessary to manually record the web server settings prior to a firmware upgrade so the configuration can be manually re-entered into the web server settings after the firmware upgrade is complete.
NOTE: The latest MicroLogix 1100 and 1400 firmware versions are posted at: http://www.ab.com/linked/programmablecontrol/PLC/MicroLogix/downloads.html
4. If webserver functionality is desired in the MicroLogix 1100 or 1400 controllers, we recommend you configure User Accounts to provide only READ access to the product (i.e. do not configure READ/WRITE for Users). In addition, where possible, access the product exclusively via User Accounts to minimize the potential for a Replay attack against the Administrator’s account. User administration is done through the product’s webserver.
NOTE: Rockwell Automation continues to investigate and evaluate other product-level strategies to address this vulnerability.
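The lockout behaviour described in items 3a and 3b, modelled as an added example. This is not the MicroLogix firmware and is not derived from it; it is one reading of the two rules with the ambiguities resolved by assumption: a single Authentication Counter shared by all HTTP clients (the advisory says "from any HTTP client"), a valid login clearing the consecutive-failure count, and the 60-minute reset timer started by the second consecutive failure. The injected clock, the sample password and the function names are constructed for the illustration.

```python
"""Model of the authentication lockout described in items 3a and 3b
(illustrative only; not the MicroLogix firmware and not derived from it)."""
import hmac

COUNTER_RESET_S = 60 * 60        # item 3a: counter cleared 60 minutes later
LOCK_THRESHOLD = 10              # item 3b: 10 invalid requests
LOCK_DURATION_S = 24 * 60 * 60   # item 3b: 24-hour HTTP Server Lock Timer


class AuthLimiter:
    """One Authentication Counter shared by all HTTP clients (assumption).
    A valid login is assumed to clear the consecutive-failure count."""

    def __init__(self, password, clock):
        self.password = password.encode()
        self.clock = clock            # injected so the example can move time
        self.failures = 0             # Authentication Counter
        self.reset_at = None          # when the counter is cleared (item 3a)
        self.locked_until = None      # HTTP Server Lock Timer expiry (item 3b)

    def _expire_timers(self):
        now = self.clock()
        if self.locked_until is not None and now >= self.locked_until:
            self.locked_until = None
            self.failures = 0
            self.reset_at = None
        if self.reset_at is not None and now >= self.reset_at:
            self.failures = 0
            self.reset_at = None
        return now

    def authenticate(self, password):
        """Return 'ok', 'invalid' or 'locked' for one authentication packet."""
        now = self._expire_timers()
        if self.locked_until is not None:
            return "locked"           # valid and invalid packets alike refused
        if hmac.compare_digest(password.encode(), self.password):
            self.failures = 0
            self.reset_at = None
            return "ok"
        self.failures += 1
        if self.failures >= LOCK_THRESHOLD:
            self.locked_until = now + LOCK_DURATION_S
        elif self.failures == 2:
            # second consecutive failure starts the 60-minute reset (item 3a)
            self.reset_at = now + COUNTER_RESET_S
        return "invalid"


class FakeClock:
    """Constructed clock so the example runs instantly instead of waiting a day."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def brute_force_then_lockout():
    clock = FakeClock()
    lim = AuthLimiter("s3cret", clock)
    results = [lim.authenticate("guess") for _ in range(LOCK_THRESHOLD)]
    results.append(lim.authenticate("s3cret"))   # right password, but locked
    clock.t += LOCK_DURATION_S                   # 24 hours later
    results.append(lim.authenticate("s3cret"))   # lock has expired
    return results                               # 10 x 'invalid', 'locked', 'ok'


def counter_reset_after_an_hour():
    clock = FakeClock()
    lim = AuthLimiter("s3cret", clock)
    lim.authenticate("guess")
    lim.authenticate("guess")                    # two consecutive failures
    clock.t += COUNTER_RESET_S                   # item 3a: counter is reset
    for _ in range(8):
        lim.authenticate("guess")
    return lim.failures, lim.locked_until is None  # (8, True): no lock yet


if __name__ == "__main__":
    print(brute_force_then_lockout())
    print(counter_reset_after_an_hour())
```

Two practical consequences follow from the rules as written. A counter shared by all clients means anyone who can reach the webserver can send ten bad requests and lock out legitimate operators for 24 hours, so the lockout is also a denial-of-service lever; that is a further reason to restrict who can reach the HTTP port at all (items 1 and 2 of the general recommendations). And the counter only slows password guessing: it is why item 4, keeping exposed accounts read-only, is recommended alongside it rather than instead of it.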
In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
3. Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
4. Use up to date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.
5. Make sure that software and control system device firmware is patched to current releases.
6. Periodically change passwords in control system components and infrastructure devices.
7. Where applicable, set the controller key-switch/mode-switch to RUN mode.
8. Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/
Based on the outcome of our ongoing investigation, we will communicate relevant recommended mitigation strategies to our concerned customers.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security