Revision Number: 1.6
Version 1.2 - March 5, 2021. Updated for clarity.
Version 1.3 - May 5, 2021. Mitigations updated – 1783-CSP CIP Security Proxy.
Version 1.4 - July 20, 2022. Rearranged placement of general mitigations.
Executive Summary
FactoryTalk® Security, part of the FactoryTalk® Services Platform, provides user authentication and authorization for a particular set of actions within RSLogix 5000® and Studio 5000 Logix Designer®. For customers who have deployed FactoryTalk® Security, this vulnerability may allow an attacker to bypass the protections provided between Rockwell Automation software and the controller. CIP Security reduces the likelihood that this vulnerability could be used to circumvent role‑based access controls.
This vulnerability was independently co-discovered by Lab of Information Systems Security Assurance (Eunseon Jeong, Youngho An, Junyoung Park, Insu Oh, Kangbin Yim) of Soonchunhyang University, Kaspersky, and by Claroty, a cybersecurity technology vendor and partner of Rockwell Automation.
Affected Products
Software:
RSLogix 5000® software v16-20, Studio 5000 Logix Designer® v21 and later, and corresponding Logix controllers running these versions.
FactoryTalk® Security v2.10 and later, part of the FactoryTalk® Services Platform, if configured and deployed.
Controllers:
1768 CompactLogix®
1769 CompactLogix®
CompactLogix® 5370
CompactLogix® 5380
CompactLogix® 5480
ControlLogix® 5550
ControlLogix® 5560
ControlLogix® 5570
ControlLogix® 5580
ControlLogix® 5590
DriveLogix™ 5730
FlexLogix™ 1794-L34
Compact GuardLogix® 5370
Compact GuardLogix® 5380
GuardLogix® 5560
GuardLogix® 5570
GuardLogix® 5580
SoftLogix™ 5800
Vulnerability Details
Studio 5000 Logix Designer® uses a key to prove to Logix controllers that they are communicating with Rockwell Automation products. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass that verification mechanism and authenticate to Logix controllers, which would enable an unauthorized third-party tool to make changes to the controller configuration and/or application code.
CVSS v3.1 Base Score: 10.0/CRITICAL
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Risk Mitigation & User Action
FactoryTalk® Security allows a controller to be bound to a security authority which manages configuration of role-based access control. If FactoryTalk® Security and CIP Security are both configured, binding a controller to a FactoryTalk® Security Authority significantly reduces the likelihood that this vulnerability could be used to circumvent role‑based access controls.
If it is not feasible in your environment to deploy CIP Security to protect the connection between programming workstations and controllers, other mitigations and detection strategies can be applied. For details of all mitigation options, please see the table below.
(The primary mitigation column of this table did not survive extraction; the fallback list referenced by each row follows the table.)
Product Family and Version | Risk Mitigation and Recommended User Actions
ControlLogix® 5590 v38 or later | If the above cannot be deployed, the following mitigations are recommended:
(product entry not preserved) | If the above cannot be deployed, the following mitigations are recommended:
(product entry not preserved) | If the above cannot be deployed, the following mitigations are recommended:
ControlLogix® 5570 v31 or later | If the above cannot be deployed, the following mitigations are recommended:
CompactLogix® 5380 v28 or later | If the above cannot be deployed, the following mitigations are recommended:
CompactLogix® 5370 v20 or later | If the above cannot be deployed, the following mitigations are recommended:
ControlLogix® 5580 v28-v30 |
SoftLogix™ 5800 |
- Monitor controller change log for any unexpected modifications or anomalous activity.
- If using v17 or later, utilize the Controller Log feature.
- If using v20 or later, utilize Change Detection in the Logix Designer Application.
- If using ControlLogix® 5580 or GuardLogix® 5580 firmware revision 34.011 or later, or ControlLogix® 5590 firmware revision 38.011 or later, configure Syslog to report unexpected modifications or anomalous activity to a Syslog collector.
- If available, use the functionality in FactoryTalk® AssetCentre software to detect changes.
- Consult the product documentation for specific features that can block unauthorized changes, such as the hardware mode switch (keyswitch), which prevents program changes while it is in the RUN position.
- Do not click on or open URL links from untrusted sources.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
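The monitoring items above (controller change log, Change Detection, Syslog to a collector) only help if something reviews the records. The following is an added example for this advisory, not Rockwell Automation code: it parses a few constructed syslog lines and flags controller change events that come from outside an engineering-workstation subnet, fall outside a maintenance window, or carry no source address. The message layout (event=, src=, user=, desc= pairs), the event names, the subnet and the window are assumptions for the example; take the real field layout of the controller Syslog feature from the product documentation and adjust the regular expressions to match it.

```python
"""Review Logix controller syslog for change events that should not have happened.

Added example for this advisory, not Rockwell Automation code. The message
layout (event=, src=, user=, desc= pairs) is CONSTRUCTED for illustration; take
the real field layout of the controller Syslog feature from the product
documentation and adjust KV_RE / CHANGE_EVENTS to match it.
"""
import ipaddress
import re
from datetime import datetime, time

# Subnets of the engineering workstations allowed to program controllers (assumed).
ENGINEERING_NETS = [ipaddress.ip_network("10.20.30.0/24")]
# Approved change window in plant local time (assumed).
MAINTENANCE_WINDOW = (time(7, 0), time(17, 0))
# Event names that mean the controller configuration or program was modified (assumed names).
CHANGE_EVENTS = {"change_detected", "download", "online_edit"}

# RFC 3164 style header: <PRI>Mon dd hh:mm:ss host tag: message
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)
# key=value pairs; a value is either a double-quoted string or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed sample lines: one normal edit, one out-of-hours download, one download
# from a non-engineering address, one non-change event, one change with no source, and junk.
SAMPLE_SYSLOG = """\
<134>Jul 20 09:12:41 plc-line3 logix: event=change_detected src=10.20.30.15 user=eng_smith desc="Online edit accepted"
<134>Jul 20 02:14:07 plc-line3 logix: event=download src=10.20.30.15 user=eng_smith desc="Download to controller"
<134>Jul 20 11:03:52 plc-line3 logix: event=download src=192.168.77.9 user=- desc="Download to controller"
<134>Jul 20 11:04:00 plc-line3 logix: event=login src=10.20.30.15 user=eng_smith desc="Session opened"
<134>Jul 20 11:05:13 plc-line3 logix: event=change_detected user=- desc="Audit value changed"
this line is not syslog and is skipped
"""


def parse_line(line):
    """Return (timestamp, host, fields) for a syslog line, or None if the header does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    # RFC 3164 timestamps carry no year; strptime defaults it, which is enough for time-of-day checks.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    fields = {}
    for key, raw, quoted in KV_RE.findall(m.group("msg")):
        fields[key] = quoted if raw.startswith('"') else raw
    return ts, m.group("host"), fields


def classify(ts, fields):
    """Return a reason to review this event, or None if it is an expected change (or not a change)."""
    if fields.get("event") not in CHANGE_EVENTS:
        return None
    try:
        src_ip = ipaddress.ip_address(fields.get("src"))
    except ValueError:
        return "change event with missing or malformed source address"
    if not any(src_ip in net for net in ENGINEERING_NETS):
        return f"change from non-engineering source {src_ip}"
    start, end = MAINTENANCE_WINDOW
    if not start <= ts.time() <= end:
        return f"change outside maintenance window at {ts.time()}"
    return None


def analyze(log_text):
    """Run every line through the checks and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line; a production collector should count these too
        ts, host, fields = parsed
        reason = classify(ts, fields)
        if reason:
            findings.append({
                "host": host,
                "time": ts.strftime("%b %d %H:%M:%S"),
                "src": fields.get("src"),
                "user": fields.get("user"),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_SYSLOG):
        print(finding)
```

Running the script reports three of the six sample lines: the 02:14 download (inside the allowlist but outside the window), the download from 192.168.77.9, and the change event with no source address. The source-address check is the one that matters most for this vulnerability, because an unauthorized third-party tool will typically not be sitting on an engineering workstation.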
Customers using the affected products are directed towards risk mitigation and are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.
Rockwell Automation has determined that this vulnerability cannot be mitigated with a patch. Rockwell Automation encourages customers to implement the mitigation strategies outlined in this disclosure.
A comprehensive defense-in-depth strategy can reduce the risk of this vulnerability. To exploit it, an unauthorized user requires network access to the controller, so customers should confirm that they are employing proper network segmentation and security controls, including but not limited to the following:
- Use trusted software, software patches and antivirus/antimalware programs, and interact only with trusted web sites and attachments.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls and isolate them from the enterprise/business network.
- Restrict or block traffic on TCP 44818 (EtherNet/IP explicit messaging, the path used to program a controller) from outside the industrial control system network zone. EtherNet/IP also uses UDP 44818 for device discovery and UDP 2222 for implicit I/O; neither needs to cross the zone boundary. For more information on the TCP/UDP ports used by Rockwell Automation products, see BF7490 - TCP/UDP Ports Used by Rockwell Automation Products.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. VPN is only as secure as the connected devices.
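A segmentation rule is only a mitigation if the deployed policy actually behaves as intended. The following added example (not Rockwell Automation code, and not any firewall vendor's syntax) models a zone-boundary policy as a first-match, default-deny rule list and probes it from three assumed sources to confirm that only engineering workstations can reach a controller on TCP 44818. The weak policy is the common "open the PLC port" rule; the hardened one permits EtherNet/IP only from the engineering subnet and denies everything else into the zone. Addresses and subnets are assumptions for the example.

```python
"""Unit-test a zone-boundary firewall policy for EtherNet/IP exposure.

Added example for this advisory, not Rockwell Automation code. The rule model
(first match wins, default deny) and the addresses are CONSTRUCTED for the
example; translate the hardened policy into your firewall's own syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: Net
    dst: Net
    dport: Optional[int]  # None means any destination port


def net(cidr):
    return ipaddress.ip_network(cidr)


def evaluate(policy, proto, src, dst, dport):
    """First matching rule decides; traffic matching no rule is denied."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if rule.proto not in ("any", proto):
            continue
        if src_ip not in rule.src or dst_ip not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"


# Assumed addressing: the ICS zone, the engineering workstation subnet inside it, one controller.
ICS_ZONE = net("10.20.0.0/16")
ENGINEERING = net("10.20.30.0/24")
CONTROLLER = "10.20.40.11"
ENIP_TCP = 44818  # EtherNet/IP explicit messaging, the port named in the advisory

# Probe sources: who should and should not reach the controller on TCP 44818 (assumed).
PROBES = {
    "engineering workstation": "10.20.30.15",
    "enterprise laptop": "10.50.1.23",
    "internet host": "203.0.113.7",
}


def audit(policy):
    """Return (violations, blocked): non-engineering sources that reach TCP 44818 on the
    controller, and engineering sources that cannot."""
    violations, blocked = [], []
    for name, src in PROBES.items():
        verdict = evaluate(policy, "tcp", src, CONTROLLER, ENIP_TCP)
        legit = ipaddress.ip_address(src) in ENGINEERING
        if verdict == "allow" and not legit:
            violations.append(f"{name} ({src}) can reach {CONTROLLER} tcp/{ENIP_TCP}")
        elif verdict == "deny" and legit:
            blocked.append(f"{name} ({src}) cannot reach {CONTROLLER} tcp/{ENIP_TCP}")
    return violations, blocked


# Weak: the common "open the PLC port" rule, which lets any source program the controller.
WEAK_POLICY = [
    Rule("allow", "any", net("0.0.0.0/0"), ICS_ZONE, ENIP_TCP),
]

# Hardened: only engineering workstations reach EtherNet/IP; everything else into the zone is denied.
HARDENED_POLICY = [
    Rule("allow", "tcp", ENGINEERING, ICS_ZONE, ENIP_TCP),
    Rule("deny", "any", net("0.0.0.0/0"), ICS_ZONE, None),
]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        violations, blocked = audit(policy)
        print(label, "violations:", violations, "blocked:", blocked)
```

The weak policy yields two violations (the enterprise laptop and the internet host both reach the controller), the hardened one yields none while still letting the engineering workstation through. The same probe approach works against a real rule export once the rule model is replaced with a parser for that format.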
Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (Publication ENET-TD001E) for best practices for deploying network segmentation and broader defense in depth strategies. Customers can also refer to the Rockwell Automation System Security Design Guidelines (Publication secure-rm001) on how to use Rockwell Automation products to improve the security of their industrial automation systems.
CIP Security mitigates this vulnerability as it provides the ability to deploy TLS and DTLS based secure communications to supported products. CIP Security is an enhancement to the ODVA EtherNet/IP industrial communication standard and directly addresses the vulnerability noted in this disclosure. CIP Security allows for users to leverage and manage certificates and/or pre-shared keys and does not make use of any hardcoded keys.
As of May 5, 2021, an additional mitigation option is available. The 1783-CSP CIP Security Proxy is a standalone hardware device that provides CIP Security for devices that do not natively support CIP Security. See below for how this product can be deployed to address CompactLogix® based applications.
Customers requiring setup or deployment guidance for CIP Security should refer to the CIP Security deployment reference guide (Publication secure-at001) for more information.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).