Rockwell advises disconnecting Internet-facing ICS devices amid cyber threats

May 22, 2024EditorialICS Security / Vulnerability

Rockwell Automation is asking its customers to disconnect all industrial control systems (ICS) that are not intended to connect to the public Internet to mitigate unauthorized or malicious cyber activity.

The company said it is issuing the advisory due to “heightened geopolitical tensions and adversarial cyber activity globally.”

To that end, customers are asked to take immediate action to determine if they have devices that are accessible over the Internet and, if so, to disconnect those that are not meant to be exposed.

“Users should never configure their assets to connect directly to the public Internet,” Rockwell Automation added.

“Removing this link as a proactive step reduces the attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors.”

Additionally, organizations are required to ensure that they have adopted the necessary mitigations and patches to secure against the following flaws affecting their products –

The alert has also been shared by the US Cybersecurity and Infrastructure Security Agency (CISA), which also recommends that users and administrators follow the appropriate measures outlined in the guidance to reduce exposure.

This includes a 2020 advisory issued jointly by CISA and the National Security Agency (NSA) warning of malicious actors exploiting Internet-accessible operational technology (OT) assets to conduct cyber activity that could pose serious threats for critical infrastructure.

“Cyber ​​actors, including advanced persistent threat groups (APTs), have targeted OT/ICS systems in recent years to achieve political gain, economic advantage, and possibly execute destructive effects,” the NSA noted in September 2022.

Adversaries have also been observed connecting to publicly exposed programmable logic controllers (PLCs) and modifying the control logic to cause undesirable behavior.

In fact, recent research presented by a group of academics from the Georgia Institute of Technology at the NDSS Symposium in March 2024 has found that it is possible to carry out a Stuxnet-style attack by compromising the web application (or human-machine interfaces) of hosted by web servers embedded within PLCs.

This involves exploiting the PLC’s web-based interface, used for remote monitoring, programming and configuration, in order to gain initial access and then take advantage of legitimate application programming interfaces (APIs) to sabotage the basic machinery of the real world.

“Such attacks include falsifying sensor readings, disabling security alarms, and manipulating physical triggers,” the researchers said. “The emergence of Internet technology in industrial control environments has brought new security concerns not present in the domain of IT or consumer IoT devices.”

The new web-based PLC malware has significant advantages over existing PLC malware techniques, such as platform independence, ease of deployment, and higher levels of persistence, allowing an attacker to stealthily perform actions malicious without having to set control logic malware.

To secure OT and ICS networks, it is advisable to limit the exposure of system information, control and secure remote access points, limit network access and control system application tools and scripts for legitimate users, perform periodic reviews security and implement a dynamic network environment.