Rockwell’s ICS Advisory Amid Rising Critical Infrastructure Threats

June 12, 2024

The rising threats to critical infrastructure, driven by heightened geopolitical tensions and increased adversarial cyber activity worldwide, have prompted Rockwell Automation, a leading industrial control systems (ICS) vendor, to advise its customers to disconnect their devices from the Internet. The move underscores both the escalating cyber risk to critical infrastructure and the security obstacles that are unique to the sector.

The US Cybersecurity and Infrastructure Security Agency (CISA) has been warning for months about the heightened threats to various sectors, including water supply organizations, power plants, manufacturing, telecom carriers, and military installations. These attacks are primarily led by advanced persistent threats (APTs) sponsored by China, Russia, and Iran. "These nation-states are targeting critical infrastructure for political or economic gain," says Gary Southwell, general manager at ARIA Cybersecurity.

In addition to these threats, the security landscape is further complicated by a multitude of security vulnerabilities that significantly increase the risk of compromise for ICS equipment exposed online. These vulnerabilities, including CVE-2021-22681, CVE-2022-1159, CVE-2023-3595, CVE-2023-3596, CVE-2023-46290, CVE-2024-21914, CVE-2024-21915, and CVE-2024-21917, are difficult to patch without specialized expertise and typically require production downtime to remediate, which makes patching infeasible for many organizations.

Rockwell's advisory highlights several alarming vulnerabilities that can enable attacks such as denial-of-service (DoS) attacks capable of disrupting electrical grids; privilege escalation and lateral movement to gain deeper control of the operational technology (OT) environment; and even destructive Stuxnet-style attacks that can permanently disable a site's functionality.

In response to these threats, Rockwell suggests that "removing connectivity [from ICS] as a proactive step reduces attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors." This measure, the company recommends, should be taken "immediately."

However, the challenge lies in the fact that most ICS equipment found online, including thousands of legacy programmable logic controllers (PLCs), was never designed for public Internet connectivity. A search for Internet-exposed "Rockwell" devices returned more than 7,000 results, indicating the magnitude of the problem.

The disconnect between IT security staff and the people who manage ICS assets further complicates the situation. In many manufacturing environments, the manufacturing team, not IT, sets up OT devices, and can inadvertently expose them to the Internet. Moreover, these exposed devices often lack even basic authentication controls.
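The practical follow-up to Rockwell's "remove connectivity" advice and to the exposure figures above is to verify, from outside the plant network, that no inventoried OT asset answers on an ICS service port. The script below is an added example, not Rockwell's or the article's code. Everything in it is an assumption for illustration: the inventory is constructed sample data using RFC 5737 documentation addresses, the ports checked (44818/TCP EtherNet/IP, 502/TCP Modbus, 80 and 443 for embedded web management) are common ICS listeners rather than anything the advisory lists, and the connect function is injectable so the audit logic can be exercised without touching the network.

```python
"""Verify that inventoried OT assets are NOT reachable from an external vantage point.

Added example (not Rockwell's or the article's code). All names, addresses and
the port list are hypothetical assumptions chosen for illustration.
"""
import socket
from dataclasses import dataclass, field

# Assumed ICS/management listeners to probe (not taken from the advisory).
ICS_PORTS = {44818: "EtherNet/IP", 502: "Modbus/TCP", 80: "HTTP mgmt", 443: "HTTPS mgmt"}


@dataclass
class Asset:
    name: str
    host: str   # public IP or DNS name the asset was observed at
    zone: str   # "OT" assets must never answer from the Internet


@dataclass
class Finding:
    asset: Asset
    open_ports: list[int] = field(default_factory=list)


def tcp_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake completes, i.e. a service is reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_exposure(assets, connect=tcp_connect, ports=ICS_PORTS):
    """Return a Finding for every OT asset with at least one reachable ICS port.

    Run this from OUTSIDE the plant network (e.g. a cloud VM or a home
    connection) so that a successful connect really means Internet exposure.
    IT-zone assets are skipped; only OT exposure is a violation here.
    """
    findings = []
    for asset in assets:
        if asset.zone != "OT":
            continue
        reachable = [p for p in ports if connect(asset.host, p)]
        if reachable:
            findings.append(Finding(asset, reachable))
    return findings


def format_report(findings):
    """One human-readable line per exposed asset, listing the open services."""
    lines = []
    for f in findings:
        svc = ", ".join(f"{p}/{ICS_PORTS.get(p, '?')}" for p in f.open_ports)
        lines.append(f"EXPOSED {f.asset.name} ({f.asset.host}): {svc}")
    return lines


# Constructed sample inventory (hypothetical names, RFC 5737 documentation addresses).
SAMPLE_ASSETS = [
    Asset("line1-plc", "192.0.2.10", "OT"),
    Asset("hmi-web", "192.0.2.11", "OT"),
    Asset("corp-web", "198.51.100.5", "IT"),
]

if __name__ == "__main__":
    # Against the documentation addresses above every probe times out,
    # so a live run prints nothing; substitute your own inventory.
    for line in format_report(audit_exposure(SAMPLE_ASSETS)):
        print(line)
```

Any line the report prints is an asset that should be behind the OT firewall or a VPN, never directly routable; the empty report is the condition the advisory is asking for. Because the check is a plain TCP handshake, it says nothing about authentication strength on the services it finds, which is why an exposed device with a reachable port should be treated as a finding regardless of what is behind it.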

To sum up, the critical infrastructure sector is facing increasing threats to physical processes, with thousands of devices exposed online with weak authentication and riddled with exploitable bugs. Disconnecting these devices from the Internet, despite the challenges it presents, appears to be the safest solution to address these concerns.
