Critical flaw in Rockwell Automation's ICS component gave hackers complete access

News by Jay Jay

A critical infrastructure component driving a range of motor and software controls in industrial applications such as conveyors, fans, pumps, and mixers was recently found containing a critical vulnerability.

A critical infrastructure component driving a range of motor and software controls in industrial applications such as conveyors, fans, pumps, and mixers was recently found containing a critical vulnerability that allowed an attacker to gain complete access over the device.

The denial-of-service vulnerability was discovered by researchers at Applied Risk in Rockwell Automation’s PowerFlex 525, a logic-controlled mechanical component that is used widely in the IIoT industry to control the frequency of industrial motors and also in a wide range of motor and software controls.

According to the researchers, the vulnerability allows an attacker to crash the Common Industrial Protocol (CIP) in a way that it does not accept any new connection. The current connections however, are kept active, giving attackers complete control over the device. An attacker can exploit this by sending the sequence after having initiated a CIP session to disconnect all operators and control the process exclusively.

Describing the flaw in greater detail, the researchers said that unauthenticated attackers can crash the CIP network stack by sending a precise sequence of a packet, thereby creating an error in the control and configuration software which results in disconnection.
As it is not possible for an authenticated user to initiate a new connection after the CIP crash, the user cannot recover control over Rockwell Automation’s PowerFlex 525, thereby allowing unauthenticated attackers to gain complete access over the device.

The vulnerability was first identified in version 5.001 of PowerFlex 525 industrial component in July last year and upon being informed by Applied Risk via responsible disclosure norms, Rockwell Automation has issued a software update to patch the vulnerability.

Commenting on the discovery of the vulnerability in an ICS component, Eoin Keary, CEO of edgescan, told SC Magazine UK that firstly, the logic of exposing such devices to the public Internet must be questioned and also if such devices should be accessible from the corporate LAN.

In an advice to organisations running industrial control systems, he added that organisations must consider using a firewall to help ensure CIP (Common Industrial Protocol) messages from unauthorised sources are blocked including restricting access to TCP and UDP Port 2222 and Port 44818.

"Also, consider implementing a continuous asset profiling solution to constantly detect exposures relating to services, ports or protocols. Visibility is "half the battle" when it comes to vulnerability management. And lastly, a core aspect of risk management is to reduce "attack surface" and needless exposure of systems," he added.

Tony Atkins, regional director, EMEA at Nozomi Networks, said that this is a clear case of customers requiring visibility into their industrial networks. Many organisations will have a difficult task in being able to accurately assess their exposure to vulnerability disclosures such as this.

"Drive controllers typically sit within the Level 1 (Purdue Model) networks, such networks and devices should not be publicly accessible or accessible from corporate networks but this best practice guidance is not always followed.

"By restricting CIP communication between L1 and L2 networks, organisations can reduce their exposure to such attacks, however, a defence in depth approach is critical to securing industrial networks, which would be expected to include network monitoring, patch management and traffic policy enforcement," he added.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Webcasts and interviews 

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop