Cisco uncovers security threat in industrial control system
16 August 2016 | 0
Cisco’s security intelligence and research group Talos, said that it had reported a serious vulnerability in Rockwell Automation’s industrial control system – the MicroLogix 1400 programmable logic controller (PLC).
The Simple Network Management Protocol (SNMP) exploit could let an attacker take complete remote control of the MicroLogix system and modify the device firmware, letting an invader run his own malicious code on the device.
MicroLogix 1400 PLCs are use in a variety of applications from general industrial machinery and heating/air-conditioning units to SCADA (Oil and Gas, Water/Wastewater, and Electrical Power), to vending and industrial washers and dryers.
“This vulnerability,” Cisco’s Talos wrote, “is due to the presence of an undocumented SNMP community string that could be leveraged by an attacker to gain full control of affected devices and grants the ability to manipulate configuration settings, replace the firmware running on the device with attacker-controlled code, or otherwise disrupt device operations. Depending on the role of the affected PLC within an industrial control process, this could result in significant damages.
“At the most basic level, knowledge of the undocumented community string allows an attacker to read all values accessible via SNMP. In addition to read permissions, the ‘wheel’ community has the same write privileges as the ‘private’ community and can modify all writable SNMP OIDs. While it is possible for operators to change the default SNMP community strings on affected devices, the fact that this SNMP string is not documented by the vendor drastically decreases the likelihood of this value being changed prior to production deployment of the PLCs, as most operators are not likely to even be aware of its existence.
“Given the severity of this issue, and the fact that this functionality has not been removed from affected devices, it is recommended that mitigations be put in place to prevent the successful exploitation of this vulnerability in production environments.”
According to an Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) post on the security problem, Rockwell Automation recommends that users using affected versions of the MicroLogix 1400 evaluate and deploy the risk mitigation strategies listed below. When possible, multiple strategies should be employed simultaneously, the post stated.
Utilise the product’s “RUN” keyswitch setting to prevent unauthorised and undesired firmware update operations and other disruptive configuration changes.
- Utilise proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorised sources are blocked. See KB496391d for more information on blocking access to SNMP services.
- Disable the SNMP service on this product. The SNMP service is enabled by default. See Page 128 in the MicroLogix 1400 product manual for detailed instructions on enabling and disabling SNMP.
◦Note: It will be necessary to re-enable SNMP to update firmware on this product. After the upgrade is complete, disable the SNMP service once again.
◦Note: Changing the SNMP community strings is not an effective mitigation.
- Minimise network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognising that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognise that a VPN is only as secure as the connected devices.
IDG News Service