Rockwell urges users to disconnect ICS equipment

JT Jeeraphun – stock.adobe.com

ICS systems maker Rockwell Automation calls on users to take steps to secure their equipment and reminds them that there is no reason to ever have its hardware connected to the public internet, as it tracks an increase in global threat activity

Alex Scroxton,
Security Editor

Published: 22 May 2024 21:36

American industrial control systems (ICS) specialist Rockwell Automation has urged users across the world to disconnect their equipment from the public-facing internet, citing geopolitical tensions and a dramatic increase in threat actor activity targeting its hardware through a number of known common vulnerabilities and exposures (CVEs).

The Milwaukee, Wisconsin-based firm’s warning is accompanied by an alert issued by the United States’ Cybersecurity and Infrastructure Security Agency (CISA), advising users to follow its advice.

“Rockwell Automation is issuing this notice urging all customers to take immediate action to assess whether they have devices facing the public internet and, if so, urgently remove that connectivity for devices not specifically designed for public internet connectivity,” the firm said.

“Consistent with Rockwell Automation’s guidance for all devices not specifically designed for public internet connectivity (for example, cloud and edge offerings), users should never configure their assets to be directly connected to the public-facing internet.

“Removing that connectivity as a proactive step reduces attack surface and can immediately reduce exposure to unauthorised and malicious cyber activity from external threat actors,” Rockwell added.

The organisation is also urging users to pay particular attention to remediating a series of seven known vulnerabilities in various products.

These flaws are CVE-2021-22681 in Logix Controllers; CVE-2022-1159 in Studio 5000 Logix Designer; CVE-2023-3595 in Select Communication Modules; CVE-2023-46290 in FactoryTalk Services Platform; CVE-2023-21914 in FactoryTalk View ME; CVE-2024-21915 in FactoryTalk Service Platform, and CVE-2024-21917, also in FactoryTalk Service Platform. Details of these vulnerabilities are available in the linked advisory.

Ken Dunham, director of cyber threat at the Qualys Threat Research Unit (TRU), said: “The Rockwell Automation alert recommends immediate removal of any device that is currently installed with public Internet connectivity, for which it was not designed. This may seem like common sense, but all too often in a world of ‘Hello, it works’, organisations find themselves in a situation where hardware and software are installed and configured in ways that are not recommended and are vulnerable to attack.”

Dunham urged Rockwell customers to pay close attention, saying: “Automated industrial control systems (ICS) are a prime target for attack by adversaries that wish to impact critical infrastructure, especially in a high-volatility year of elections and war.”

Forescout research vice president Elisa Costante added: “Despite decades of efforts, the threat to critical infrastructure via industrial control systems remains alarmingly high, with Forescout Research – Vedere Labs ranking these systems as the fifth-riskiest in operational technology.

“Even as cyber attacks bridge the digital and physical worlds, impacting our physical health and safety, advisories often fall short of offering comprehensive risk assessments. Forescout recently uncovered 90,000 vulnerabilities without a CVE ID and identified network-attached storage (NAS), IP cameras, building automation devices, and VoIP equipment as the most exploited OT and IoT devices.

“It’s crucial that we adopt network-centric defence strategies, harden devices, segment networks, and vigilantly monitor systems to mitigate rising OT threats and secure all managed and unmanaged devices. Now is the time to address this and prevent a potential mass attack,” she said.

Rockwell’s warning comes amid a growing sense of alarm across the cyber security industry over the activities of state-backed espionage operations, such as China’s Volt Typhoon, which is known to have targeted critical infrastructure operations – heavy users of ICS tech – for intrusion and according to the US authorities, may be laying the groundwork for a major, multi-pronged cyber offensive should the geopolitical situation deteriorate.

In a related development, researchers at Mandiant today reported on the growing use of operational relay box, or ORB, networks by Chinese state threat actors.

ORB networks are short-lived, frequently-cycled networks that function somewhat like traditional botnets, comprising largely virtual private servers rented by contractors, and compromised internet of things (IoT) devices and even consumer routers. Because they are frequently changed up, ORB networks render so-called indicator of compromise (IoC) extinction – where a known IoC ceases to be used or valid – a greater concern, leaving defenders struggling to keep up.

Mandiant said that while ORBs are not new in and of themselves, their enthusiastic adoption in the Chinese cyber espionage community points to a growing investment in sophisticated tradecraft.

Read more on Hackers and cybercrime prevention

Ivanti vulnerabilities explained: Everything you need to know