Version 1.1 - September 20, 2018
SUMMARY
This Industrial Security Advisory is intended to raise awareness among control system owners and operators of the increased risks that stem from publicly available web search tools that identify Internet-connected devices. These types of tools and search utilities can be used for legitimate research purposes; however, they also bear a potential for misuse by threat actors seeking to gather added intelligence about prospective cyber targets.
Rockwell Automation recognizes the potential risk to any device connected in a network that is accessible by unauthorized people, whether the device is isolated within a protected facility or is accessible through a remote connection, including the Internet. We are aware that such Internet search tools can identify Rockwell Automation branded products that device owners have connected to the Internet, either intentionally or unintentionally. For this reason, recommendations to mitigate associated risks are provided herein.
BACKGROUND
Web-based tools, including SHODAN and the Every Routable IP Project (ERIPP), provide a means for users to discover information about networked devices that are either knowingly or unknowingly connected to the Internet. Such connected products include, but are not limited to: web servers, routers, webcams, smart phones, VoIP phones, printers and, in some cases, industrial control products.
The information collected by these search tools about these Internet-facing devices includes device IP addresses and can also include geographic location (i.e. country, city and approximate latitude/longitude), specific product identity information or user-added descriptors that can be learned through device fingerprinting techniques. Some of these tools also provide a means to both search and filter databases for devices that match specific user-defined search criteria.
POTENTIAL RISK to INDUSTRIAL CONTROL DEVICES and SYSTEMS
Many devices cataloged by these search tools have been designed and installed with the full knowledge that they are directly connected to the Internet; however, other devices identified by these tools were never intended by the manufacturer, or potentially the device installer, to carry a direct connection.
As with all networked devices and systems, industrial control systems are at risk of both accidental and potentially malicious attacks. The availability of search tools that simplify the process of locating and identifying devices unintentionally connected to the Internet raises the associated risk to these devices and systems. It is evident based on the device information that some of these devices and accompanying systems lack recommended security protections facilitated by good security design and infrastructure-level appliances (e.g. firewalls, SIEMs, and intrusion detection systems).
As a consequence, these types of devices and systems may not operate with obscurity and may become exposed to additional unintended risks. Information provided through search tools could aid a curious individual or malicious threat actor in device-tampering activities or even a penetration into the product or connected system in order to facilitate a cyberattack.
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Whether or not Internet-facing industrial control devices are identified by these tools, Rockwell Automation encourages all industrial control system (ICS) owners and operators to follow good security design practices.
These practices must also include careful evaluation and monitoring of all industrial control system connection points to an enterprise system and external remote access connections enabled via modems or direct connections to the Internet.
We recommend concerned customers remain vigilant and continue to follow sound security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest customers apply some of the following recommendations and complement this list with their own best-practices:
- Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
- If appropriate for the application, isolate the Industrial Control System network from the Enterprise network and other points of potential remote network access.
- Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
- Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
- Use up-to-date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.
- Make sure that software and control system device firmware are patched to current releases.
- Periodically change passwords in control system components and infrastructure devices.
- Where applicable, set the controller key-switch/mode-switch to RUN mode.
- Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/.
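One way to carry out the firewall-configuration review recommended in the list above, shown as an added example that is not Rockwell Automation code: it scans a rule export for allow rules that let non-internal sources reach the control network, or let the control network reach non-internal destinations. The CSV column layout, the subnets and the function names are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Assumption: address space this site treats as internal (RFC 1918 ranges).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: hypothetical control-network subnet for this site.
ICS_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample export (not from a real device): one rule per row.
RULES_CSV = """id,action,src,dst,port
1,allow,10.10.5.0/24,10.20.0.0/24,443
2,allow,0.0.0.0/0,10.20.0.15/32,80
3,allow,10.20.0.0/24,0.0.0.0/0,any
4,allow,10.20.0.0/24,10.10.5.20/32,443
5,allow,198.51.100.0/24,10.0.0.0/8,any
6,deny,0.0.0.0/0,10.20.0.0/24,any
"""

def is_internal(net):
    """True only if the whole network lies inside internal address space."""
    return any(net.subnet_of(i) for i in INTERNAL)

def touches_ics(net):
    """True if the network overlaps any control-network subnet."""
    return any(net.overlaps(i) for i in ICS_NETS)

def audit(rules_csv):
    """Return (id, direction, src, dst, port) for each allow rule to review.

    Rule ordering and shadowing are not evaluated: every allow rule that
    could expose the control network is reported for manual review.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(rules_csv)):
        if row["action"].strip().lower() != "allow":
            continue
        src = ipaddress.ip_network(row["src"].strip(), strict=False)
        dst = ipaddress.ip_network(row["dst"].strip(), strict=False)
        if touches_ics(dst) and not is_internal(src):
            direction = "ingress"   # outside source can reach ICS hosts
        elif touches_ics(src) and not is_internal(dst):
            direction = "egress"    # ICS hosts can reach outside networks
        else:
            continue
        findings.append((int(row["id"]), direction, str(src), str(dst), row["port"]))
    return findings

if __name__ == "__main__":
    for finding in audit(RULES_CSV):
        print(finding)
```

Rule 5 in the sample is the case that is easy to miss: its destination is a broad internal range that contains the control subnet, so it is reported even though it never names that subnet.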
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-10-301-01
- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-11-343-01A
REVISION HISTORY
| Date | Version | Details |
| --- | --- | --- |
| 20-SEP-2018 | 1.1 | Updated to fix broken links |
| 18-JUL-2012 | 1.0 | Initial Release |