
Rockwell to customers: Remove public-facing ICS devices from internet


In response to heightened geopolitical tensions and the potential for attacks on critical infrastructure sectors, Rockwell Automation released guidance urging users to disconnect from the public internet every industrial control system (ICS) device that currently has public-facing internet access.

In an advisory to customers, Rockwell said users should never configure their assets to be directly connected to the public-facing internet. The large industrial manufacturer said removing that connectivity as a proactive step reduces attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors.

The Cybersecurity and Infrastructure Security Agency (CISA) followed on May 21 with an alert of its own to draw attention to Rockwell's advisory.

SecurityWeek reported that a recent search of the Shodan internet-scanning service for "Rockwell" returned more than 7,000 results, including thousands of devices that appear to be Allen-Bradley programmable logic controllers (PLCs).

The Rockwell Automation alert recommends immediately disconnecting any device that is currently installed with public internet connectivity it was not designed for, pointed out Ken Dunham, cyber threat director at Qualys.

While it may seem like common sense, Dunham said organizations find themselves in situations where hardware and software are installed and configured in ways that are not recommended, leaving them vulnerable.

“Automated industrial control systems are a prime target for attack by adversaries that wish to impact critical infrastructure, especially in a high-volatility year of elections and war,” said Dunham.

John Gallagher, vice president of Viakoo Labs, added that while manufacturers do use the internet for a variety of functions, ranging from office equipment to cloud-connected manufacturing systems, the issue here is with devices and systems that were not tested and designed to be internet-connected, yet ended up configured that way.

Gallagher explained that in many manufacturing organizations it's the manufacturing team and not IT that sets systems up, which introduces possible internet-facing connections. 

Even if the network is fully segmented and firewalled off from the internet, Gallagher said as time goes on "punch-throughs" can happen, such as the overnight security guard figuring out a way to watch Netflix or someone temporarily enabling internet connectivity then forgetting to reset it. 

When asked if shutting down public-facing internet devices will cause plant slowdowns, Gallagher said with many ICS systems even regular maintenance must be carefully planned to minimize disruptions, so shutting off ICS systems will very likely have a business impact. 

“However, the recommendation is to disable internet connectivity — not shut them down — and since these devices were never meant to be internet-connected, it's possible that disabling internet would have minimal impact,” said Gallagher.
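A practical way to find the exposure Rockwell and Gallagher describe, before touching any controller, is to check the plant firewall's own logs for allowed flows between inventoried PLCs and addresses outside the site's address space. The script below is an added example written for this article, not code from Rockwell, CISA or any of the people quoted. The asset inventory, the key=value log format, the firewall name "fw1" and every address are constructed for illustration; the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) stand in for real public addresses, which is why the check uses an explicit list of internal prefixes rather than Python's `ipaddress.is_private`. The port numbers are the ones Rockwell devices commonly use for EtherNet/IP and CIP traffic (TCP 44818, UDP 2222).

```python
"""Flag inventoried OT assets that have been allowed to talk directly with
addresses outside the plant's own address space (a "punch-through").

Added example for this article; not vendor code. Every address, log line,
hostname and inventory entry below is constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical OT inventory: PLC address -> description. Not real devices.
OT_ASSETS = {
    "10.20.1.11": "Allen-Bradley CompactLogix, line 3",
    "10.20.1.12": "Allen-Bradley ControlLogix, boiler",
    "10.20.1.13": "Allen-Bradley MicroLogix, packaging",
}

# Address space the plant treats as internal. Anything else counts as external.
# Deliberately stricter than ipaddress.is_private, so the RFC 5737 documentation
# ranges used as stand-ins for public addresses below are flagged as external.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Ports commonly used by Rockwell/Allen-Bradley devices: EtherNet/IP explicit
# messaging (TCP 44818) and CIP implicit I/O (UDP 2222). Exposure on these is
# rated higher than exposure of a generic web port.
ICS_PORTS = {44818, 2222}

# Constructed firewall log lines in a hypothetical syslog-like key=value format.
SAMPLE_LOGS = """\
Jan 12 03:14:07 fw1 src=203.0.113.45 dst=10.20.1.11 proto=tcp dport=44818 action=allow
Jan 12 03:14:09 fw1 src=203.0.113.45 dst=10.20.1.11 proto=tcp dport=44818 action=deny
Jan 12 03:15:22 fw1 src=10.20.1.12 dst=198.51.100.7 proto=tcp dport=443 action=allow
Jan 12 03:16:01 fw1 src=10.20.1.11 dst=10.20.1.50 proto=tcp dport=44818 action=allow
Jan 12 03:17:45 fw1 src=192.0.2.200 dst=10.20.1.13 proto=tcp dport=80 action=allow
Jan 12 03:18:10 fw1 src=10.0.5.9 dst=10.20.1.11 proto=udp dport=2222 action=allow
Jan 12 03:19:00 fw1 malformed line that the parser must skip
"""

LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


@dataclass(frozen=True)
class Finding:
    direction: str  # "inbound" (external -> PLC) or "outbound" (PLC -> external)
    asset: str      # the inventoried PLC involved
    peer: str       # the external address on the other end
    proto: str
    dport: int
    severity: str   # "critical" for ICS protocol ports, otherwise "high"


def is_external(ip: str) -> bool:
    """True if the address is outside every prefix the plant calls internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable field: do not guess, just skip it
    return not any(addr in net for net in INTERNAL_NETS)


def find_punch_throughs(log_text, ot_assets=OT_ASSETS, ics_ports=ICS_PORTS):
    """Return a Finding for every allowed flow between a PLC and an external host."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["action"] != "allow":
            continue  # denied flows show the rule worked; only allowed ones are exposure
        src, dst, proto, dport = m["src"], m["dst"], m["proto"], int(m["dport"])
        if dst in ot_assets and is_external(src):
            # An external host reached the controller: the exposure Rockwell warns about.
            sev = "critical" if dport in ics_ports else "high"
            findings.append(Finding("inbound", dst, src, proto, dport, sev))
        elif src in ot_assets and is_external(dst):
            # The controller opened a session to the internet: a punch-through or a
            # temporary enable that was never reverted.
            findings.append(Finding("outbound", src, dst, proto, dport, "high"))
    return findings


if __name__ == "__main__":
    for f in find_punch_throughs(SAMPLE_LOGS):
        print(f"{f.severity:8} {f.direction:8} {f.asset} ({OT_ASSETS[f.asset]}) "
              f"<-> {f.peer} {f.proto}/{f.dport}")
```

Run against the constructed sample, the script reports three findings: the external host reaching the line 3 PLC on TCP 44818 (critical), the boiler PLC opening an outbound HTTPS session to a public address, and the packaging PLC's web port reachable from outside. Denied flows, PLC-to-PLC traffic on the OT subnet and the malformed line are all skipped. The output is a remediation list that follows the advisory's actual recommendation: remove the internet path for each flagged asset, not the asset itself.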

The Rockwell advisory also listed five patched vulnerabilities that security teams should act on, because they could let attackers launch denial-of-service attacks, escalate privileges, or remotely attack PLCs:
