Advisory ID:
PN1594
Publication Date:
May 06, 2022
Last Updated:
May 06, 2022
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
Summary
APT Cyber Tools Targeting ICS/SCADA Devices (PIPEDREAM/INCONTROLLER)
Revision History
Version 1.0 – May 6, 2022
Executive Summary
On April 13, 2022, researchers announced a new set of tools that was developed by an Advanced Persistent Threat (APT). This set of tools allows threat actors to attack specific ICS and OT hardware and software. Rockwell Automation is providing this advisory to notify customers of our response to this threat.
We are diligently working through our process to evaluate the threat and provide security mitigations as needed. Rockwell Automation recommends that customers apply hardening techniques, in addition to security best practices for a comprehensive defense in depth approach.
Affected Products
We are aware that the tool set contains modules that target OPC UA servers, CODESYS runtimes, and ASRock drivers. After evaluation, Rockwell Automation has determined that the products listed below use one of the targeted components. This list may be updated if more products are identified.
Products that use OPC UA servers:
- FactoryTalk® Linx Gateway
  - Editions include embedded, basic, standard, extended distributed, professional
  - Versions include 6.10, 6.11, 6.20, 6.21 and 6.30
Risk Mitigation & User Action
We recommend the following compensating controls for customers using Rockwell Automation products that use the targeted hardware and software:
- Disable anonymous authentication and configure the use of FactoryTalk Security using the following guidance: FactoryTalk Linx Gateway Getting Results Guide, FTLG-GR001E
  - Chapter 4 - UA Server Endpoints - Endpoint Properties
  - Appendix D - Secure FactoryTalk Linx Gateway using FactoryTalk Security
- Enforce a lockout threshold for failed authentication attempts and configure audit logs to detect signs of an attack, using the following guidance: FactoryTalk Security System Configuration Guide, Publication FTSEC-QS001R - Chapter 9
  - Set system policies - Account Policy Settings
  - Set audit policies - Monitor security-related events
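The following Python check is an added example, not Rockwell Automation code and not part of the original advisory. It reviews exported OPC UA endpoint descriptions and flags any endpoint that still advertises an Anonymous user token policy. The JSON layout, the endpoint URLs and the function names are assumptions; the token type names and numbers follow the OPC UA UserTokenType enumeration.

```python
import json
# UserTokenType enumeration from the OPC UA specification.
TOKEN_TYPES = {0: "Anonymous", 1: "UserName", 2: "Certificate", 3: "IssuedToken"}
BY_NAME = {name.lower(): name for name in TOKEN_TYPES.values()}

# Constructed sample: endpoint descriptions exported to JSON. The layout and
# the URLs are assumptions; only the field names mirror EndpointDescription.
SAMPLE = """
[
  {"endpointUrl": "opc.tcp://gateway-a.example:4840/ua",
   "userIdentityTokens": [{"tokenType": "Anonymous"}, {"tokenType": "UserName"}]},
  {"endpointUrl": "opc.tcp://gateway-b.example:4840/ua",
   "userIdentityTokens": [{"tokenType": 0}]},
  {"endpointUrl": "opc.tcp://gateway-c.example:4840/ua",
   "userIdentityTokens": [{"tokenType": "UserName"}, {"tokenType": 2}]}
]
"""

def token_names(endpoint):
    """Normalise advertised token policies to UserTokenType names."""
    names = set()
    for policy in endpoint.get("userIdentityTokens") or []:
        raw = policy.get("tokenType")
        if isinstance(raw, int):
            names.add(TOKEN_TYPES.get(raw, f"Unknown({raw})"))
        else:
            names.add(BY_NAME.get(str(raw).lower(), f"Unknown({raw})"))
    return names

def audit(endpoints):
    """Return (endpointUrl, verdict) pairs for a list of endpoint dicts."""
    results = []
    for ep in endpoints:
        names = token_names(ep)
        others = sorted(names - {"Anonymous"})
        if not names:
            verdict = "REVIEW: no token policies listed"
        elif "Anonymous" not in names:
            verdict = "OK: anonymous disabled"
        elif not others:
            verdict = "FAIL: anonymous is the only login"
        else:
            verdict = "FAIL: anonymous offered alongside " + ", ".join(others)
        results.append((ep.get("endpointUrl", "<no url>"), verdict))
    return results

if __name__ == "__main__":
    for url, verdict in audit(json.loads(SAMPLE)):
        print(f"{verdict:45} {url}")
```

An endpoint that offers Anonymous next to UserName is still reported as a failure, because a client can choose the anonymous policy regardless of the others.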
General Security Guidelines
Refer to the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Industrial Security Services website for information on security services from Rockwell Automation to assess, help protect, detect, respond, and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation in PN1354 – Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com
Copyright ©2022 Rockwell Automation, Inc.