Introduction
Description
Version 1.0 - April 4, 2017
Cisco Systems, Inc. ("Cisco") has reported that several vulnerabilities exist in versions the Stratix® 5900 Services Router software. The Stratix 5900 Services Router is capable of providing bridging, multi-protocol routing, and remote access services in industrial control systems.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
Stratix 5900, All Versions prior to 15.6.3
VULNERABILITY DETAILS
Rockwell Automation evaluated the vulnerabilities using the Common Vulnerability Scoring System ("CVSS") v3.0.
Security Advisories that Affect this Release
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Rockwell Automation has provided firmware version v15.6.3 as remediation for these vulnerabilities.
| Product Name | Catalog Number | Suggested Actions |
| Stratix 5900 Services Router | 1783-SRKIT | Update to v15.6.3 (Download) |
Customers using affected products are encouraged to update to this latest version, which addresses the associated risk and includes added improvements to further harden the software and enhance its resilience against similar malicious attacks.
Customers who are unable to update their software are directed toward risk mitigation strategies provided below.
Where feasible, it is recommended to use the additional precautions and risk mitigation strategies listed below. When possible, multiple strategies should be employed simultaneously. Please click "Subscribe for Updates" in the upper right corner if you would like an email notification when this advisory is updated.
GENERAL SECURITY GUIDELINES
1. Help minimize any unnecessary network exposure by assessing all control system devices and/or systems, and confirm that firmware is kept up to date
2. Use proper network infrastructure controls, such as firewalls. As an extension to this approach, the Allen-Bradley® Stratix 5950 Industrial Network Security Appliance offers an Intrusion Prevention System and an Intrusion Detection (IDS/IPS) System, and Deep Packet Inspection (DPI) technology of the Common Industrial Protocol (CIP). With the introduction of this new product, Rockwell Automation can offer customers an intrusion detection system to provide real-time visibility in the event that a vulnerability is being exploited. The Stratix 5950 Security Appliance uses Cisco FirePOWER™ technology, which allows created rules to be processed by Cisco TALOS for a variety of known security issues. Once configured with rules, the FirePOWER engine inspects the contents of every packet, looking for datapoints that correspond to one or more rules. Packets that have these signatures can be either logged using IDS or blocked using IPS. For further information on Rockwell Automation’s Vulnerability Handling process, please refer to our FAQs document.
For additional information on deploying the Stratix 5950, please see our Deploying Industrial Firewalls within a CPwE Architecture Guide.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory with the Rockwell Automation Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
ADDITIONAL LINKS
Security Advisory Index, Knowledgebase article KB:54102
Industrial Firewalls within a CPwE Architecture
Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
·
KCS Status
