Hardware that is widely used to control equipment in factories and other industrial settings can be remotely commandeered by exploiting a newly disclosed vulnerability with a severity rating of 10 out of 10.
The vulnerability resides in Rockwell Automation programmable logic controllers (PLCs) sold under the Logix brand. Ranging from the size of a small toaster to a large bread box or bigger, these devices help control equipment and processes on assembly lines and in other manufacturing environments. Engineers program the PLCs using Rockwell's Studio 5000 Logix Designer software.
On Thursday, the US Cybersecurity & Infrastructure Security Agency (CISA) warned of a critical vulnerability that could allow hackers to remotely connect to Logix controllers and, from there, change their configuration or application code. The vulnerability requires a low skill level to exploit, CISA said.
The vulnerability, tracked as CVE-2021-22681, stems from the Studio 5000 Logix Designer software making it possible for attackers to extract a secret encryption key. That key is hard-coded into both Logix controllers and engineering stations and is used to authenticate communication between the two. An attacker who obtains the key can impersonate an engineering workstation and manipulate PLC code or configuration that directly affects a manufacturing process.
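The failure mode described above is general: if the same secret ships inside every copy of the engineering software and every controller, extracting it once is equivalent to owning every legitimate workstation. The following is an added illustration, not code from Rockwell, Claroty or this article, and it does not reproduce Rockwell's actual algorithm (the article does not describe it). It assumes a generic HMAC-SHA256 challenge-response, a constructed `SOFTWARE_KEY` standing in for the hard-coded secret, and hypothetical `Controller` and `attempt_download` names. Everything runs offline.

```python
"""Toy model of why a secret hard-coded into engineering software is not an
authenticator.  Added example; not Rockwell's protocol."""
import hashlib
import hmac
import secrets

# Constructed value standing in for a key baked into every copy of the
# engineering software and every controller.  Anyone who can read the
# software binary can recover it, which is the situation the advisory describes.
SOFTWARE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def sign_write(key: bytes, nonce: bytes, program: str) -> bytes:
    """Tag a program download: HMAC over the controller's nonce and the payload."""
    return hmac.new(key, nonce + program.encode(), hashlib.sha256).digest()


class Controller:
    """Accepts a program download only if the request is tagged with its key
    and answers a nonce it issued (so a captured exchange cannot be replayed)."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None  # nonce of the outstanding challenge, if any
        self.program = "original ladder logic"

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def download(self, nonce: bytes, tag: bytes, program: str) -> bool:
        if self._pending is None or nonce != self._pending:
            return False  # replayed or unsolicited request
        self._pending = None  # each nonce is good for exactly one attempt
        if not hmac.compare_digest(sign_write(self._key, nonce, program), tag):
            return False  # wrong key: client is not who it claims to be
        self.program = program
        return True


def attempt_download(plc: Controller, client_key: bytes, program: str) -> bool:
    """One challenge-response exchange from a client holding `client_key`."""
    nonce = plc.challenge()
    return plc.download(nonce, sign_write(client_key, nonce, program), program)


def weak_deployment() -> dict:
    """Every controller shares SOFTWARE_KEY.  An attacker who pulled that key
    out of the software is indistinguishable from a real engineer."""
    plc = Controller(SOFTWARE_KEY)
    return {
        "engineer": attempt_download(plc, SOFTWARE_KEY, "updated ladder logic"),
        "attacker_with_extracted_key": attempt_download(plc, SOFTWARE_KEY, "open valve V-7"),
        "attacker_guessing": attempt_download(plc, b"\x00" * 16, "open valve V-7"),
        "final_program": plc.program,
    }


def per_device_deployment() -> dict:
    """Same protocol, but each controller is provisioned with its own key that
    never ships inside the software.  The key extracted from the software is
    now worthless against this controller."""
    site_key = secrets.token_bytes(32)  # provisioned out of band; constructed here
    plc = Controller(site_key)
    return {
        "engineer": attempt_download(plc, site_key, "updated ladder logic"),
        "attacker_with_extracted_key": attempt_download(plc, SOFTWARE_KEY, "open valve V-7"),
        "final_program": plc.program,
    }


def replay_attempt() -> bool:
    """Replaying a captured, valid exchange fails because the nonce was consumed.
    The protocol mechanics are fine; the flaw is purely in key distribution."""
    plc = Controller(SOFTWARE_KEY)
    nonce = plc.challenge()
    tag = sign_write(SOFTWARE_KEY, nonce, "updated ladder logic")
    assert plc.download(nonce, tag, "updated ladder logic")
    return plc.download(nonce, tag, "updated ladder logic")


if __name__ == "__main__":
    print("shared key  :", weak_deployment())
    print("per-device  :", per_device_deployment())
    print("replay ok?  :", replay_attempt())
```

The point of the two deployments is that nothing about the challenge-response changes between them; only where the key lives does. That is why the advisory has no patch to offer for the existing design: a key that can be read out of the software cannot be made secret again, and a fix means a different trust anchor, not a different algorithm.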
"Every affected Rockwell Logix controller available on the Internet is potentially vulnerable and exploitable," said Sharon Brizinov, principal vulnerability researcher at Claroty, one of three organizations Rockwell credits with independently discovering the bug. "To successfully exploit this vulnerability, an attacker must first obtain the secret key and understand the cryptographic algorithm used in the authentication process."
Brizinov said Claroty notified Rockwell of the vulnerability in 2019; Rockwell did not disclose it until Thursday. Rockwell also credited Kaspersky Lab and the Soonchunhyang University researchers Eunseon Jeong, Youngho An, Junyoung Park, Insu Oh, and Kangbin Yim.
The vulnerability affects nearly every Logix PLC Rockwell sells, including:
- CompactLogix 1768
- CompactLogix 1769
- CompactLogix 5370
- CompactLogix 5380
- CompactLogix 5480
- ControlLogix 5550
- ControlLogix 5560
- ControlLogix 5570
- ControlLogix 5580
- DriveLogix 5560
- DriveLogix 5730
- DriveLogix 1794-L34
- Compact GuardLogix 5370
- Compact GuardLogix 5380
- GuardLogix 5570
- GuardLogix 5580
- SoftLogix 5800
Rockwell is not issuing a patch that directly addresses the problem stemming from the hard-coded key. Instead, the company recommends that PLC users follow specific risk mitigation steps. The main step is to put the controller's mode switch in Run mode, since a controller whose physical key switch is in Run will not accept program downloads. If that is not possible, the advisory recommends other mitigations, which vary by PLC model.
The steps are detailed in an advisory Rockwell is making available to its customers, as well as in the CISA advisory. Rockwell and CISA also recommend that PLC users follow standard security practices. One of the most important is to ensure that control system devices are not reachable from the Internet.
Security experts have long admonished engineers to put critical industrial systems behind a firewall so that they are not exposed to the Internet. Unfortunately, engineers struggling with heavy workloads and limited budgets often ignore that advice. The most recent reminder came earlier this month, when a municipal water treatment plant in Florida said an intruder had used a remote-access tool to reach a control system and tried to raise the level of lye in the drinking water to a dangerous concentration. Plant employees had shared the same TeamViewer password and had not put the system behind a firewall.
For Logix PLC users who segment their industrial control networks and follow other best practices, the risk posed by CVE-2021-22681 is likely minimal. And for those who have not implemented these practices, attackers probably have easier ways to hijack the devices. Still, the vulnerability is serious enough that all Logix PLC users should read the CISA and Rockwell advisories.
Claroty has published its own article here.