In light of mounting cyber threats, Rockwell Automation is advising customers to disconnect internet-facing Industrial Control Systems (ICSs) in order to reduce exposure to unauthorized or malicious cyber activity.
The company cites escalated geopolitical tensions and adversarial cyber operations worldwide as the impetus for this advisory.
In response, customers should immediately determine whether any of their devices are reachable from the internet and, if so, sever that connectivity for every asset not specifically intended to be exposed.
Rockwell Automation strongly discourages configuring assets for direct internet exposure, advocating for proactive disconnection to shrink the attack surface and swiftly mitigate exposure to external cyber threats.
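One concrete way to answer the "is this device reachable from the internet?" question is to review the perimeter firewall's inbound policy for rules that admit non-internal sources to ICS service ports. The script below is an added example and is not code from Rockwell Automation, CISA or the NSA; the firewall rules and host addresses are constructed for illustration, and the port-to-protocol mapping (44818/tcp for EtherNet/IP explicit messaging and 2222/udp for CIP implicit I/O, plus 502/tcp Modbus and 102/tcp S7 for non-Rockwell gear) reflects standard port assignments rather than anything stated on this page.

```python
"""Desk-check of a firewall inbound policy for internet-exposed ICS services.

Added example, not vendor or agency code. Rules and addresses below are
constructed; a real review would parse the exported perimeter configuration.
"""
import ipaddress

# Well-known ICS/OT service ports (standard assignments, not from the page).
ICS_PORTS = {
    ("tcp", 44818): "EtherNet/IP explicit messaging",
    ("udp", 2222): "CIP implicit I/O",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 102): "S7comm / ISO-TSAP",
}

# Address space treated as "internal": RFC 1918, loopback and link-local.
# Anything not wholly contained in these ranges is considered internet-routable.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed inbound allow rules: traffic from `src` to `dst`:`dst_port`/`proto`.
SAMPLE_RULES = [
    {"src": "0.0.0.0/0",      "proto": "tcp", "dst": "10.20.1.15", "dst_port": 44818},
    {"src": "0.0.0.0/0",      "proto": "tcp", "dst": "10.20.1.15", "dst_port": 443},
    {"src": "203.0.113.0/24", "proto": "udp", "dst": "10.20.1.16", "dst_port": 2222},
    {"src": "10.0.0.0/8",     "proto": "tcp", "dst": "10.20.1.17", "dst_port": 44818},
    {"src": "0.0.0.0/0",      "proto": "tcp", "dst": "10.20.1.18", "dst_port": 502},
]


def admits_internet(cidr: str) -> bool:
    """True if the source range is not fully inside internal address space.

    Uses an explicit internal-range list instead of ipaddress.is_private so
    that documentation/test ranges (e.g. 203.0.113.0/24) are treated as
    routable, which is how a perimeter firewall would treat them.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(
        net.version == internal.version and net.subnet_of(internal)
        for internal in INTERNAL_NETS
    )


def exposed_ics_services(rules):
    """Return the subset of rules that expose an ICS port to the internet.

    Each finding records the host, service and whether the rule is open to
    any source or only to a specific (but still public) range, since the
    advisory's point is that nothing should be directly internet-facing
    unless it was deliberately designed to be.
    """
    findings = []
    for rule in rules:
        service = ICS_PORTS.get((rule["proto"], rule["dst_port"]))
        if service is None:
            continue  # not an ICS protocol port; out of scope for this check
        if not admits_internet(rule["src"]):
            continue  # reachable only from internal address space
        any_source = ipaddress.ip_network(rule["src"], strict=False).prefixlen == 0
        findings.append({
            "host": rule["dst"],
            "proto": rule["proto"],
            "port": rule["dst_port"],
            "service": service,
            "src": rule["src"],
            "severity": "open to any source" if any_source else "restricted public source",
        })
    return findings


def report(rules):
    """Human-readable summary; returns the number of exposed services."""
    findings = exposed_ics_services(rules)
    for f in findings:
        print(f"{f['host']}:{f['port']}/{f['proto']} ({f['service']}) "
              f"reachable from {f['src']} [{f['severity']}] -> disconnect or place behind VPN/jump host")
    return len(findings)


if __name__ == "__main__":
    report(SAMPLE_RULES)
```

In the constructed policy the check flags three services: the EtherNet/IP and Modbus ports open to any source, and the CIP I/O port restricted to a single public /24 (still internet-facing, just narrower). The rule scoped to 10.0.0.0/8 and the HTTPS rule are not reported, since the former is internal-only and the latter is not an ICS protocol port. The same logic can be pointed at exported rules from any perimeter device once they are normalized to the four fields used here.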
Additionally, organizations should apply the available patches and mitigations for the following vulnerabilities affecting Rockwell Automation products:
- CVE-2021-22681 (CVSS score: 10.0)
- CVE-2022-1159 (CVSS score: 7.7)
- CVE-2023-3595 (CVSS score: 9.8)
- CVE-2023-46290 (CVSS score: 8.1)
- CVE-2024-21914 (CVSS score: 5.3/6.9)
- CVE-2024-21915 (CVSS score: 9.0)
- CVE-2024-21917 (CVSS score: 9.8)
The alert has also been disseminated by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which urges users and administrators to follow the mitigations outlined in the guidance to reduce exposure. It echoes a 2020 advisory jointly issued by CISA and the National Security Agency (NSA).
The NSA previously highlighted malicious actors targeting Operational Technology (OT) assets accessible via the internet, posing grave threats to critical infrastructure.
In September 2022, the NSA warned that cyber actors, including advanced persistent threat (APT) groups, were targeting OT/ICS systems for political, economic, and potentially destructive objectives.
These adversaries have been observed accessing publicly-exposed programmable logic controllers (PLCs) and manipulating control logic to induce undesirable outcomes.
Recent research presented by academics from the Georgia Institute of Technology in March 2024 revealed the feasibility of executing a Stuxnet-style attack by compromising web applications (or human-machine interfaces) hosted by embedded web servers within PLCs.
This method involves exploiting the PLC’s web-based interface for remote monitoring, programming, and configuration to gain initial access, then leveraging legitimate application programming interfaces (APIs) to sabotage real-world machinery.
The researchers highlighted potential attacks, including falsifying sensor readings, disabling safety alarms, and manipulating physical actuators, underscoring the introduction of novel security concerns in industrial control environments.
Web-based PLC malware offers distinct advantages over existing techniques, such as platform independence, ease of deployment, and greater persistence, allowing covert malicious actions without deploying malware into the control logic itself.
To bolster security in OT and ICS networks, it’s recommended to minimize system information exposure, secure remote access points, restrict network and control system tool access to authorized users, conduct regular security assessments, and establish a dynamic network environment.