PN402 | ControlLogix 1756-ENBT/A EtherNet/IP Bridge - Potential Security Vulnerability

Introduction

Description

Rockwell Automation has identified a potential security vulnerability in the firmware upgrade process employed by the ControlLogix 1756-ENBT/A EtherNet/IP Bridge Module (the "Product"). Details of this potential vulnerability are as follows:

• The potential for an unauthorized replacement of Rockwell Automation Product firmware with a corrupted firmware image that may render the Product inoperable and/or change its otherwise normal operation.

The results from an attacker’s successful exploitation of this vulnerability could include Denial of Service (DoS) to the Product and other components dependent on the Product. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the Product for other malicious activities.

To help reduce the likelihood of exploitation and to help reduce associated security risk, Rockwell Automation recommends the following short-term mitigation strategies (Note: multiple strategies can be employed simultaneously):

1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to Industrial Network Architectures for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
3. Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (E.g. a firewall, UTM devices, or other security appliance).

In addition to these short-term mitigation strategies, Rockwell Automation continues our investigation and evaluation of other long-term mitigation strategies that include, but are not limited to:

1. Product and system-level techniques and functional enhancements to verify the authenticity of firmware updates and help reduce the likelihood of file tampering.
2. Enhancements to the joint Rockwell Automation / Cisco Plantwide Reference Architecture that detail methods and recommendations which can further strengthen control system security.

For your information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at https://www.rockwellautomation.com/global/capabilities/industrial-security/overview.page.

KCS Status