The Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory for Rockwell Automation Logix controllers. PLCs that Rockwell Automation markets under the Logix brand are affected by a vulnerability that received a severity score of 10 out of 10, indicating significant risk. The vulnerability, tracked as CVE-2021-22681, was independently reported to Rockwell by several different groups of researchers. CISA warns that this critical vulnerability could allow attackers to remotely connect to Logix controllers and alter their configuration or application code.
The issue stems from the private cryptographic key that the Logix Designer software uses to verify communications with controllers: the key is not adequately protected. This could allow a remote, unauthenticated attacker to bypass the verification mechanism and connect to the controller. From there, an attacker could upload malicious code to the controller, replace the firmware, or otherwise substantially disrupt the manufacturing environment.
The following versions of Rockwell software are affected:
- RSLogix 5000: Versions 16 through 20
- Studio 5000 Logix Designer: Versions 21 and later
The following Rockwell Logix Controllers are affected:
- CompactLogix 1768
- CompactLogix 1769
- CompactLogix 5370
- CompactLogix 5380
- CompactLogix 5480
- ControlLogix 5550
- ControlLogix 5560
- ControlLogix 5570
- ControlLogix 5580
- DriveLogix 5560
- DriveLogix 5730
- DriveLogix 1794-L34
- Compact GuardLogix 5370
- Compact GuardLogix 5380
- GuardLogix 5570
- GuardLogix 5580
- SoftLogix 5800
There are opportunities to mitigate the risks, which include switching at-risk PLCs to “run” mode (not “remote program”) and deploying CIP Security for Logix Designer connections. Additionally, an IT/OT environment designed around Rockwell and Cisco’s network model, known as CPwE, would impose network segmentation and security controls that would reduce or eliminate the risks associated with this vulnerability.
We recommend that all companies take inventory of all of their automation and computerized systems, regardless of platform. If you need assistance identifying and addressing security vulnerability concerns, contact E Technologies Group.
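As an added illustration of the inventory step (not code from Rockwell, CISA, or E Technologies Group), the following sketch checks an asset list against the controller families and software versions named above and reports which of the two device-level mitigations are still missing. The CSV column names, asset tags, and sample rows are constructed assumptions.

```python
import csv
import io

# Affected controller families, as listed on this page.
AFFECTED_FAMILIES = {f.lower() for f in (
    "CompactLogix 1768", "CompactLogix 1769", "CompactLogix 5370",
    "CompactLogix 5380", "CompactLogix 5480", "ControlLogix 5550",
    "ControlLogix 5560", "ControlLogix 5570", "ControlLogix 5580",
    "DriveLogix 5560", "DriveLogix 5730", "DriveLogix 1794-L34",
    "Compact GuardLogix 5370", "Compact GuardLogix 5380",
    "GuardLogix 5570", "GuardLogix 5580", "SoftLogix 5800",
)}

def norm(text):
    # Lower-case and collapse whitespace so "ControlLogix  5580" still matches.
    return " ".join(text.lower().split())

def software_affected(product, major):
    """RSLogix 5000 v16-20 and Studio 5000 Logix Designer v21+ are affected."""
    if norm(product) == "rslogix 5000":
        return 16 <= major <= 20
    if norm(product) == "studio 5000 logix designer":
        return major >= 21
    return False

def triage(inventory_csv):
    """Return (asset, [missing mitigations]) for affected controllers, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if norm(row["family"]) not in AFFECTED_FAMILIES:
            continue  # not in this advisory's list
        missing = []
        if norm(row["mode"]) != "run":
            missing.append("switch controller to run mode")
        if norm(row["cip_security"]) != "yes":
            missing.append("deploy CIP Security")
        findings.append((row["asset"], missing))
    return sorted(findings, key=lambda f: -len(f[1]))

# Constructed sample inventory; columns and asset tags are assumptions.
SAMPLE = """asset,family,mode,cip_security
PLC-01,ControlLogix 5580,remote program,no
PLC-02,CompactLogix 5380,run,yes
PLC-03,Compact GuardLogix 5370,Run,no
PLC-04,OtherVendor Controller,run,no
"""

if __name__ == "__main__":
    for asset, missing in triage(SAMPLE):
        print(asset, "->", "; ".join(missing) or "both mitigations in place")
```

Network-level controls such as CPwE segmentation are not visible in a per-device inventory and need to be assessed separately.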
Resources:
- US-CERT Advisory – https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03
- CIP Security with Rockwell Automation – https://literature.rockwellautomation.com/idc/groups/literature/documents/at/secure-at001_-en-p.pdf