PN566 | Password Security Vulnerability in PLC5® and SLC™ 5/0x Controllers

Introduction

Description

February 2, 2010 - Version 1.0

Rockwell Automation has identified a potential security vulnerability in the programming and configuration client software authentication mechanism employed by certain versions of the PLC5 and SLC family of programmable controllers. The particular vulnerability affects older versions the following catalog numbers: 1785-Lx and 1747-L5x (the "Product"). Newer Products, programmed with current versions of RSLogix 5 or RSLogix 500, can enable specific security features like FactoryTalk Security services to effectively enhance security and reduce risks associated with this vulnerability. When coupled with contemporary network design practices, remaining risks linked to this vulnerability can be further reduced.

Details of this potential vulnerability to the affected Product are as follows:

• The potential exists for a highly skilled, unauthorized person, with specific tools and know-how, to intercept the Product’s password over a communications link to potentially gain access and interrupt the Product’s intended operation.

Customers who are concerned about unauthorized access to their Products can take immediate steps as outlined below to reduce associated security risk from this potential vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system configuration too.

For instance, to directly mitigate associated risk in PLC5 controllers, Rockwell Automation recommends use of the following mitigation strategy:

• For PLC5 controllers, enable and configure "Passwords and Privileges" via RSLogix 5 configuration software to restrict access to critical data and improve overall password security.

To help further reduce the likelihood of exploitation and to help reduce associated security risk in the PLC5 and SLC family of controllers, Product users can follow these added remediation strategies (Note: when possible, multiple strategies should be employed simultaneously):

1. When applicable, upgrade Product firmware to a version that includes enhanced security functionality compatible with Rockwell Automation’s FactoryTalk Security services. This functionality can be enabled via RSLogix 5 or RSLogix 500 software. Recommended firmware revisions are as follows:
   
   1. The 1747-L5x firmware should be OS Series C FRN 10, or higher.
   2. 1785-Lx processor firmware should be at or above the following (refer to included table):
      
      

      Catalog Number	Series A	Series B	Series C	Series D	Series E	Series F
      Enhanced	Revision	Revision	Revision	Revision	Revision	Revision
      1785-L11B	R.2		U.2	L.2	K.2
      1785-L20B	R.2		U.2	L.2	K.2
      1785-L30B	S.2		U.2	L.2	K.2
      1785-L40B		S.2	U.2	L.2	K.2
      1785-L40L		S.2	U.2	L.2	K.2
      1785-L60B		S.2	U.2	L.2	K.2
      1785-L60L		S.2	U.2	L.2	K.2
      1785-L80B			U.2	L.2	K.2
      Protected	Revision	Revision	Revision	Revision	Revision	Revision
      1785-L26B	R.2		U.2	L.2	K.2
      1785-L46B		S.2	U.2	L.2	K.2
      1785-L46L		S.2	U.2
      1785-L86B			U.2	L.2	K.2
      Ethernet	Revision	Revision	Revision	Revision	Revision	Revision
      1785-L20E			U.2	L.2	K.2	A.2
      1785-L40E			U.2	L.2	K.2	A.2
      1785-L80E			U.2	L.2	K.2	A.2
      ControlNet	Revision	Revision	Revision	Revision	Revision	Revision
      1785-L20C15			U.2	L.2	K.2	E.2
      1785-L40C15			U.2	L.2	K.2	E.2
      1785-L46C15					K.2	E.2
      1785-L60C15				L.2
      1785-L80C15				L.2	K.2	E.2

   
   
2. Use the latest version of RSLogix 5 or RSLogix 500 configuration software and enable FactoryTalk Security services.
   
3. Disable where possible the capability to perform remote programming and configuration of the Product over a network to a controller by placing the controller’s key switch into RUN mode.
   
4. For SLC controllers, enable static protection on all critical data table files to prevent any remote data changes to critical data.
   
5. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to https://www.rockwellautomation.com/en-us/capabilities/industrial-networks/industrial-network-services.html for comprehensive information about implementing validated architectures designed to deliver these measures.
   
6. Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
   
7. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to make changes to control system equipment.
   
8. Periodically and frequently change the Product’s password and obsolete previously used passwords to reduce exposure to threat from a Product password becoming known.

Rockwell Automation is committed to making additional security enhancements to our systems in the future.

For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/en-us/capabilities/industrial-networks/industrial-network-services.html.

KCS Status