Once hackers gain control over this vendor’s programmable logic controllers, critical manufacturing and operational infrastructure will be severely compromised.

Cybersecurity researchers have discovered a severe vulnerability (CVE-2021-22681, CVSS 10.0) in a mechanism that verifies communication between Rockwell Automation PLCs and engineering stations. The vulnerability affects Studio 5000 Logix Designer, RSLogix 5000, and many Logix Controllers, according to Claroty Research.

Exploiting this flaw enables an attacker to remotely connect to almost any of the company’s programmable logic controllers (PLCs), and upload malicious code, download information from the PLC, or install new firmware.

The vulnerability lies in the fact that Studio 5000 Logix Designer software may allow a secret cryptographic key to be discovered. This key is used to verify communication between Rockwell Logix controllers and their engineering stations. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass this verification mechanism and connect to Logix controllers.

Key facts

  • Severity:
    • CVSS score of 10.0, the highest possible
    • According to the advisory, the affected software is deployed worldwide across multiple critical infrastructure sectors 
  • Affects a verification mechanism between Rockwell Automation programmable logic controllers (PLCs) and engineering stations.
  • What a successful exploitation would look like: 
    • An attacker could bypass verification and remotely connect to almost any of Rockwell’s Logix PLCs
    • They could then upload malicious code, download information from the PLC, or install new firmware. An attacker who is able to extract the secret key would be able to authenticate to any Rockwell Logix controller, mimic a workstation and therefore manipulate configurations or code running on the PLC (upload/download logic), and directly impact a manufacturing process.
    • This could compromise a wide range of manufacturing processes that PLCs are used for, such as those involving motors, pumps, lights, fans, circuit breakers, and other machinery.

Mitigation measures

Rockwell Automation recommends a number of specific mitigations including putting the controller in ‘Run’ mode and deploying CIP Security for Logix Designer connections. CIP Security prevents unauthorized connections when deployed properly.

Other generic mitigations to blunt the effects of this vulnerability include:

  • Proper network segmentation and security controls such as minimizing exposure of control systems to the network or the internet.
  • Control systems should be behind firewalls and isolated from other networks whenever feasible.
  • Secure remote access is also suggested; at a minimum, using a VPN to connect to a device.

The ICS-CERT advisory includes all Rockwell mitigation advice, including a number of recommendations for each product family and version. It also recommends a number of detection methods if users suspect configurations have been modified, including:

  • Monitor controller change log for any unexpected modifications or anomalous activity.
  • If using v17 or later, utilize the Controller Log feature.
  • If using v20 or later, utilize Change Detection in the Logix Designer Application.

If available, use the functionality in FactoryTalk AssetCentre to detect changes.