IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet and Harden PLCs to Protect from Cyber Threats
Rockwell Automation has become aware of potential threat actor activity targeting Rockwell Automation controllers. We are reaching out proactively to inform our customers and to provide immediate recommendations for strengthening the security of their installed base. Rockwell Automation recommends customers take these IMMEDIATE actions:
Recommended Immediate Actions
1. Customers should ensure that controllers are not exposed to the public internet.
2. Customers should ensure security protections are enabled on their controllers. Information on available security features in controllers can be found in the System Security Design Guidelines. See below for additional guidance on security features for specific product lines.
3. When possible, combine the above guidance with general security guidelines for a comprehensive defense-in-depth strategy. Please refer to our Industrial Network Architectures Page for comprehensive information to help segment and protect your OT assets.
Removing Devices from the Internet
Customers should check if they have devices facing the public internet. If so, remove that connectivity for devices not designed for public internet connectivity. For example, customers should ensure that unauthenticated open ports are closed on edge router appliances.
Rockwell Automation has previously published guidance for devices not specifically designed for public internet connectivity. Users should never configure their devices to be directly connected to the public-facing internet. Removing that connectivity is a proactive step that significantly reduces the attack surface. This can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors.
Below are resources on how to identify exposed assets and disconnect them from the public internet.
- Rockwell Automation | Advisory on web search tools that identify ICS devices and systems connected to the Internet [login required]
- CISA | NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems
- CISA | How-to Guide: Stuff Off Shodan
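As an added example (not Rockwell Automation code), the edge-router check described above can be run against an exported port-forward list, flagging every rule that lets a non-internal source reach a controller or an industrial protocol port. The CSV layout, rule names, addresses, controller inventory and the port list (44818 for EtherNet/IP, 502 for Modbus TCP) are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Assumption: common industrial protocol ports, not listed in the advisory.
ICS_PORTS = {44818: "EtherNet/IP (CIP)", 502: "Modbus TCP"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory and port-forward export (hypothetical CSV layout).
# 203.0.113.0/24 is a documentation range standing in for a public source.
CONTROLLERS = {"192.168.10.20", "192.168.10.30"}
SAMPLE_RULES = """\
name,source,dest_ip,dest_port
hmi-vpn,10.8.0.0/24,192.168.10.20,44818
vendor-remote,0.0.0.0/0,192.168.10.20,44818
historian,203.0.113.0/24,192.168.10.30,502
plc-web,0.0.0.0/0,192.168.10.20,80
web,0.0.0.0/0,192.168.20.5,443
"""


def source_is_internal(cidr):
    """True only if the whole allowed source range sits inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)


def audit(rules_csv, controllers):
    """Return (rule name, reason) for each forward that exposes a controller."""
    findings = []
    for row in csv.DictReader(io.StringIO(rules_csv)):
        if source_is_internal(row["source"]):
            continue  # reachable only from internal or VPN address space
        port, src = int(row["dest_port"]), row["source"]
        if port in ICS_PORTS:
            reason = f"{ICS_PORTS[port]} port {port} reachable from {src}"
        elif row["dest_ip"] in controllers:
            reason = f"controller {row['dest_ip']} port {port} reachable from {src}"
        else:
            continue  # not a controller and not an industrial protocol port
        findings.append((row["name"], reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES, CONTROLLERS):
        print(f"REVIEW {name}: {reason}")
```

The source test uses an explicit RFC 1918 list rather than `ipaddress`'s `is_private`, which reports `0.0.0.0/0` and documentation ranges as private and would hide exactly the rules this check is meant to surface.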
ControlLogix/CompactLogix Hardening Guidance
- The Controller’s mode switch should be put into the “Run” position.
- Upload project files from all controllers and store the files offline for disaster recovery.
- FactoryTalk® Policy Manager can be used to deploy a CIP Security policy that requires connections to the controller to be authenticated using strong cryptographic protections. For more information on deploying CIP Security to protect against this vulnerability, see https://www.rockwellautomation.com/en-us/capabilities/industrial-cybersecurity/ot-practices/cip-security.html
- FactoryTalk® Security allows a controller to be bound to a security authority which manages configuration of role-based access control. If FactoryTalk® Security and CIP Security are both configured, binding a controller to a FactoryTalk® Security Authority reduces the likelihood that role-based access controls can be circumvented.
- If it is not feasible in your environment to deploy CIP Security to protect the connection between programming workstations and controllers, other mitigations and detection strategies can be applied. For details of additional mitigation options, please see further guidance in our recently updated PN1550.
- Implement security features found in the following resources:
Micro800™ Series Hardening Guidance
- Security features for the Micro820® controller can be found in Chapter 8 of 2080-UM005H-EN-E Micro820® Programmable Controllers User Manual.
- Security features for the Micro850® and Micro870® controllers can be found in Chapter 11 of 2080-UM002R-EN-E Micro830®, Micro850®, and Micro870® Programmable Controllers User Manual.
- For Micro850® and Micro870®, the Controller’s mode switch should be put into the “Run” position.
- Upload project files from all controllers and store the files offline for disaster recovery.
Additional Resources
Industrial Security Administrators should be familiar with and follow the system security guidelines in the System Security Design Guidelines Reference Manual.
Industrial Security Administrators should refer to Appendix A of the CIP Security with Rockwell Automation Products Application Technique to determine if devices on the network support CIP Security. Industrial Security Administrators should evaluate and plan to migrate to a secure industrial protocol.
Customers can refer to the Converged Plantwide Ethernet (CPwE) Design and Implementation Guide (Publication ENET-TD001E) for best practices for deploying network segmentation and broader defense in depth strategies.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Customers should be aware of the following related CVEs and evaluate mitigations for their specific environments:
| CVE No. | SD Number | Advisory Name and Link |
| --- | --- | --- |
| CVE-2025-13823, CVE-2025-13824 | SD1766 | Micro820®, Micro850®, Micro870® – Specialized Fuzzing Vulnerabilities - https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1766.html |
| CVE-2023-48691, CVE-2023-48692, CVE-2023-48693, CVE-2025-7693 | SD1736 | Micro800™ – Multiple Vulnerabilities - https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1736.html |
| CVE-2024-7567 | SD1684 | Micro850/870 Vulnerable to denial-of-service Vulnerability via CIP/Modbus Port - https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1684.html |
| CVE-2021-32926 | PN1566 | Micro800™ and MicroLogix™ 1400 Vulnerable to Man-in-the-Middle Attack - https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1566.html |
| CVE-2020-25184, CVE-2020-25180, CVE-2020-25176, CVE-2020-25182, CVE-2020-25178 | PN1567 | ISaGRAF® Runtime Affected by Multiple Vulnerabilities - https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1567.html |
| CVE-2021-22681 | PN1550 | Authentication Bypass Vulnerability Found in Logix Controllers - https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1550.html |
Revision History
| Revision | Date | Description |
| --- | --- | --- |
| 1.0 | 3/20/2026 | Initial release |
Glossary:
- Public Internet: Networks or systems that are directly reachable from the global internet without intermediary protections such as firewalls, VPNs, or network segmentation.
Get Up-to-Date Product Security Information
Visit the Rockwell Automation security advisories on the Trust Center page to:
- Subscribe to product security alerts
- Review the current list of Rockwell Automation security advisories
- Report a possible security issue in a Rockwell Automation product
- Learn more about the vulnerability policy
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Support
If you have any questions regarding the security issue(s) above and how to mitigate them, contact TechConnect for help. More information can be found at Contact Us | Rockwell Automation | US.
If you have any questions regarding this disclosure, please contact PSIRT.
Email: PSIRT@rockwellautomation.com
Legal Disclaimer
ROCKWELL AUTOMATION DOES NOT WARRANT THE COMPLETENESS, TIMELINESS OR ACCURACY OF ANY OF THE DATA CONTAINED IN THIS WEB SITE AND MAY MAKE CHANGES THERETO AT ANY TIME IN ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS "AS IS." IN NO EVENT SHALL ROCKWELL BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT OR DAMAGE, EVEN IF ROCKWELL AUTOMATION HAS BEEN ADVISED ON THE POSSIBILITY OF SUCH DAMAGES. ROCKWELL AUTOMATION DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED IN RESPECT OF THE INFORMATION (INCLUDING SOFTWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not countenance the exclusion of implied warranties; thus, this disclaimer may not apply to you.