Rockwell’s ICS Advisory Amid Rising Critical Infrastructure Threats
June 12, 2024
The rising threats to critical infrastructure, driven by enhanced geopolitical tensions and increased adversarial cyber activity worldwide, have prompted Rockwell Automation, a leading industrial control systems (ICS) provider, to advise its clients to disconnect their devices from the Internet. This move not only highlights the escalating cyber risk to critical infrastructure but also the unique security obstacles that the sector encounters.
The US Cybersecurity and Infrastructure Security Agency (CISA) has been warning for months about the heightened threats to various sectors, including water supply organizations, power plants, manufacturing, telecom carriers, and military installations. These attacks are primarily led by advanced persistent threats (APTs) sponsored by China, Russia, and Iran. "These nation-states are targeting critical infrastructure for political or economic gain," says Gary Southwell, general manager at ARIA Cybersecurity.
In addition to these threats, the security landscape is further complicated by a multitude of security vulnerabilities that significantly increase the risk of compromise for ICS equipment exposed online. These vulnerabilities, including CVE-2021-22681, CVE-2022-1159, CVE-2023-3595, CVE-2023-3596, CVE-2023-46290, CVE-2024-21914, CVE-2024-21915, and CVE-2024-21917, are challenging to patch without specialized expertise and typically require downtime for remediation, which makes patching an unfeasible option for many organizations.
Rockwell's advisory highlights several alarming vulnerabilities that can lead to attacks such as denial-of-service (DoS) attacks that can disrupt electrical grids; privilege escalation and lateral movement that give an attacker deeper control of the operational technology (OT) environment; and even destructive Stuxnet-style attacks that can permanently disable a site's functionality.
In response to these threats, Rockwell suggests that "removing connectivity [from ICS] as a proactive step reduces attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors." This measure, the company recommends, should be taken "immediately."
However, the challenge lies in the fact that most ICS equipment found online, including thousands of legacy programmable logic controllers (PLCs), was not designed for public Internet connectivity. A search for "Rockwell" returned more than 7,000 results, indicating the magnitude of the problem.
The disconnect between IT security staff and those managing the ICS assets further complicates the situation. In many manufacturing environments, the manufacturing team, not IT, sets up OT devices, which can inadvertently expose them to the Internet. Additionally, these exposed devices often lack basic security controls when it comes to authentication.
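Rockwell's advice boils down to one verifiable condition: no controller should be reachable from the Internet, and any that still is should at least require authentication. The following Python script, added here as an example and not code from Rockwell or from the original article, shows how a defender can check that condition against an asset inventory and a firewall rule base. The inventory, the rule set, the zone name "internet" and the severity scheme are all constructed for the example; the ICS port numbers (EtherNet/IP TCP 44818 and CIP I/O UDP 2222, which Rockwell controllers use, plus Modbus/TCP 502) are real well-known ports but are assumptions about what a given site runs.

```python
"""Flag OT assets that a first-match-wins firewall policy still exposes to the Internet.

Constructed example: the assets, rules and zone names below are invented for
illustration; the port-to-protocol mapping uses well-known ICS service ports.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Assumption: well-known ICS service ports. Rockwell controllers speak EtherNet/IP
# (TCP 44818) and CIP implicit I/O (UDP 2222); Modbus/TCP 502 is included for generality.
ICS_PORTS: Dict[int, str] = {44818: "EtherNet/IP", 2222: "CIP I/O", 502: "Modbus/TCP"}


@dataclass
class Asset:
    name: str
    ip: str
    open_ports: List[int]
    auth_enabled: bool          # does the device require credentials at all?


@dataclass
class Rule:
    src_zone: str               # e.g. "internet" or "corporate"
    dst_network: str            # CIDR the rule applies to
    dst_ports: Optional[Set[int]]   # None means any port
    action: str                 # "allow" or "deny"


def first_match(rules: List[Rule], src_zone: str, ip: str, port: int) -> Optional[Rule]:
    """First-match-wins lookup, the way most firewalls evaluate their rule base."""
    addr = ip_address(ip)
    for rule in rules:
        if rule.src_zone != src_zone:
            continue
        if addr not in ip_network(rule.dst_network, strict=False):
            continue
        if rule.dst_ports is not None and port not in rule.dst_ports:
            continue
        return rule
    return None


def exposed_ports(asset: Asset, rules: List[Rule], src_zone: str = "internet") -> List[int]:
    """Ports on the asset that the policy allows from src_zone; no match means deny."""
    allowed = []
    for port in asset.open_ports:
        rule = first_match(rules, src_zone, asset.ip, port)
        if rule is not None and rule.action == "allow":
            allowed.append(port)
    return sorted(allowed)


def audit_exposure(assets: List[Asset], rules: List[Rule]) -> List[dict]:
    """One finding per asset that is reachable from the Internet, rated by impact."""
    findings = []
    for asset in assets:
        ports = exposed_ports(asset, rules)
        if not ports:
            continue
        ics = [p for p in ports if p in ICS_PORTS]
        if ics and not asset.auth_enabled:
            severity = "critical"      # control protocol open to the world, no credentials
        elif ics:
            severity = "high"          # control protocol open, at least a login in the way
        else:
            severity = "medium"        # some other service exposed
        action = "remove the Internet-facing allow rule"
        if not asset.auth_enabled:
            action += "; enable authentication on the device"
        findings.append({
            "asset": asset.name,
            "exposed_ports": ports,
            "ics_services": [ICS_PORTS[p] for p in ics],
            "auth_enabled": asset.auth_enabled,
            "severity": severity,
            "action": action,
        })
    return findings


# Constructed rule base: a plant-team "remote support" NAT rule, a vendor RDP rule, default deny.
RULES = [
    Rule("internet", "203.0.113.0/24", None, "allow"),
    Rule("internet", "10.20.0.0/24", {3389}, "allow"),
    Rule("internet", "0.0.0.0/0", None, "deny"),
]

# Constructed inventory (203.0.113.0/24 is a documentation range, not a real site).
ASSETS = [
    Asset("PLC-LINE-1", "203.0.113.10", [44818, 2222, 80], auth_enabled=False),
    Asset("PLC-LINE-2", "10.20.0.5", [44818], auth_enabled=True),
    Asset("HMI-3", "10.20.0.9", [3389, 44818], auth_enabled=True),
]

if __name__ == "__main__":
    for finding in audit_exposure(ASSETS, RULES):
        print(f"[{finding['severity'].upper()}] {finding['asset']}: "
              f"ports {finding['exposed_ports']} ({', '.join(finding['ics_services']) or 'no ICS protocol'}); "
              f"{finding['action']}")
```

Run against the constructed data, PLC-LINE-1 comes out critical (EtherNet/IP and CIP reachable with no authentication), HMI-3 medium (only RDP exposed), and PLC-LINE-2 is clean because the default-deny rule is the first match for its port. Pointing the same logic at a real inventory export and firewall configuration is the quick way to confirm that the "disconnect" advice has actually taken effect.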
To sum up, the critical infrastructure sector is facing increasing threats to physical processes, with thousands of devices exposed online with weak authentication and riddled with exploitable bugs. Disconnecting these devices from the Internet, despite the challenges it presents, appears to be the safest solution to address these concerns.