Rockwell Automation Vulnerability Policy

This policy exists to notify customers in the event of a reported vulnerability in a Rockwell Automation product or service. It describes how the organization receives, tracks, investigates, assesses, and discloses security vulnerabilities reported by sources internal and external to the company and associated with the use of Rockwell Automation technologies, products, services, or solutions.


Rockwell Automation Product Security Incident Response Team

The Rockwell Automation Product Security Incident Response Team (PSIRT) responds to incidents that involve Rockwell Automation product security. The team consists of individuals working in the Office of Product Security and Safety. PSIRT can be reached at any time via the PSIRT email box (PSIRT@rockwellautomation.com) with any security-related submissions.


Vulnerability Submission

It is recommended that all security-related submissions be sent to the PSIRT inbox. This inbox is managed by the PSIRT team, and all items are read. Rockwell Automation encourages submitters to encrypt sensitive items when sending them to the PSIRT inbox. The public PGP/GNU key is available for download at the following link: PGPSecurityKey.zip. When a report is received in the inbox, the submitter will be contacted to acknowledge receipt of the report within 24 business hours. Rockwell Automation defines a vulnerability as an unintended weakness or flaw that can negatively affect product security.


Vulnerability Management Process

The vulnerability management process consists of five stages.

Stage 1 - Reception

When a report is received in the inbox, the submitter will be contacted to acknowledge receipt of the report within 24 business hours. PSIRT will perform an initial review of the information and work collaboratively with the submitter to confirm the nature of the issue, gather additional information, and determine appropriate remedial action.

Stage 2 - Verification

The reported vulnerability will be independently verified by a tester outside the development team of the suspected product(s). The PSIRT team will engage with the product team(s) in the organization responsible for the affected product(s). The product team and security subject matter experts will evaluate the vulnerability and work to reproduce the issue. Once it has been reproduced, it will be considered a valid issue. PSIRT will then create a Product Security Vulnerability Record with a unique internal tracking number for the security-related issue.

Stage 3 - Assessment

Rockwell Automation uses version 3.1 of the Common Vulnerability Scoring System (CVSS) as part of its standard process for evaluating all substantiated vulnerabilities in Rockwell Automation products. Multiple parameters are considered in the vulnerability assessment as detailed in figure 1. These are the Base Metrics for CVSS scoring and represent the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments.

Each of these metrics, as well as the rating choices shown, is fully defined on the CVSS scoring site. The metrics assigned to the vulnerability are the output of PSIRT's investigation of the vulnerability report. Rockwell Automation will provide the base score upon disclosure of the vulnerability. Customers are encouraged to use this score as a baseline for prioritizing their response, but also to take into consideration the environment in which the products are deployed.

Figure 1: Common Vulnerability Scoring System Calculator

Stage 4 - Resolution

The resolution plan will be decided based on the nature of the vulnerability, the product(s) affected, and the lifecycle state of the product. The PSIRT will coordinate with the product teams and ensure the vulnerability goes through the vulnerability management process.

Stage 5 - Disclosure

Rockwell Automation follows a standard approach to promptly addressing security vulnerabilities. Rockwell Automation reserves the right to determine when it is in the best interest of our customers to disclose security vulnerabilities. Factors that influence the timing and content of our disclosure include the nature of the vulnerability, risks to our customer installed base, the progress made toward a mitigation strategy, and any existing mitigations and guidance that we have already provided to our customers. We are committed to customer security and follow a well-established process in line with industry standards.

Rockwell Automation coordinates with CERT/CC through ICS-CERT when disclosing vulnerabilities. Rockwell Automation uses the Knowledgebase Advisory to communicate security vulnerabilities. This advisory will be posted on an agreed-upon date in coordination with an ICS-CERT security advisory. Customers are encouraged to subscribe through the Knowledgebase to receive email updates whenever a new advisory is posted for products that affect them.


Third-Party Vulnerabilities

Rockwell Automation also monitors advisories, including those produced by third-party software organizations, for components that are used in Rockwell Automation products. In the case of a vulnerability in a third-party component used by Rockwell Automation, the CVSS score assigned by the third-party organization will typically be used unless the nature of the product merits a change in scoring.

Rockwell Automation will consider a third-party vulnerability to be high visibility under the following criteria:

  • The vulnerability is contained within a third-party component being utilized by a Rockwell Automation product.
  • The vulnerability affects a Rockwell Automation product that has a large presence in the market or affects multiple products.
  • The vulnerability is actively being exploited in the wild.
  • The vulnerability has gained significant attention and become a focus for malicious actors.