The Double-Edged Sword of Connecting Industrial Systems to the Internet
Security
In the rapidly evolving landscape of industrial automation, the integration of internet connectivity into industrial control systems (ICS) offers remarkable convenience and efficiency. However, this very connectivity also poses significant cybersecurity risks. Rockwell Automation, a leader in industrial automation solutions, has recently issued a stark warning to its customers, urging them to ensure that their ICS are not connected to the internet, where they would be exposed to potential cyber threats.
Immediate Actions Urged
Rockwell Automation has emphasized the urgency of this issue, advising customers to immediately check if any devices not specifically designed for public internet connectivity are exposed online. This call to action is particularly critical in light of the current geopolitical climate, which has heightened the risk of adversarial cyber activities worldwide.
A Shodan search for "Rockwell" reveals over 7,000 results, including numerous instances of Allen-Bradley programmable logic controllers (PLCs) being accessible on the internet. Such exposure makes these systems vulnerable to cyber attacks.
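The exposure check Rockwell urges can be run against an organization's own asset inventory and perimeter firewall rules. The following is an added example, not Rockwell's tooling or part of the original article; the CSV column names, the `internet_ready` flag and every sample row are constructed assumptions, and the non-RFC 1918 addresses come from documentation ranges.

```python
import csv
import io
import ipaddress

# Address space treated as internal (RFC 1918); anything else counts as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory export. internet_ready=yes marks cloud/edge offerings
# that are designed for public connectivity (hypothetical column).
INVENTORY_CSV = """name,ip,internet_ready
plc-line1,10.20.1.15,no
plc-line2,203.0.113.40,no
hmi-pack1,192.168.5.9,no
edge-gw1,198.51.100.7,yes
"""

# Constructed inbound allow rules from the perimeter firewall (IPv4 only).
RULES_CSV = """src,dst_ip,dst_port
0.0.0.0/0,10.20.1.15,44818
10.20.0.0/16,192.168.5.9,44818
0.0.0.0/0,198.51.100.7,443
"""


def find_exposed(inventory_csv, rules_csv):
    """Return {asset name: [reasons]} for assets not designed for internet use."""
    findings, assets = {}, {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["internet_ready"].strip().lower() == "yes":
            continue  # designed for public connectivity, out of scope here
        ip = ipaddress.ip_address(row["ip"].strip())
        assets[ip] = row["name"]
        # Case 1: the device itself holds a non-internal address.
        if not any(ip in net for net in INTERNAL_NETS):
            findings.setdefault(row["name"], []).append(f"public address {ip}")
    for row in csv.DictReader(io.StringIO(rules_csv)):
        src = ipaddress.ip_network(row["src"].strip())
        dst = ipaddress.ip_address(row["dst_ip"].strip())
        # Case 2: an inbound rule admits sources outside the internal ranges.
        if dst in assets and not any(src.subnet_of(n) for n in INTERNAL_NETS):
            findings.setdefault(assets[dst], []).append(
                f"inbound {src} -> {dst}:{row['dst_port']}")
    return findings


if __name__ == "__main__":
    for name, reasons in find_exposed(INVENTORY_CSV, RULES_CSV).items():
        print(name, "->", "; ".join(reasons))
```

Assets flagged by either case are candidates for removal from public reachability, in line with the advisory.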
Risks of Internet-Connected Industrial Systems
"Consistent with Rockwell Automation’s guidance for all devices not specifically designed for public internet connectivity, such as cloud and edge offerings, users should never configure their assets to be directly connected to the public-facing internet," the company stated. Disconnecting these systems from the internet as a precautionary measure significantly reduces the attack surface and minimizes the risk of unauthorized and malicious cyber activity.
The advisory from Rockwell Automation includes links to various resources, providing guidance and best practices for securing ICS. This comprehensive approach underscores the importance of proactive cybersecurity measures in safeguarding critical industrial infrastructure.
Vulnerabilities and Exploits
Rockwell’s advisory also brings to light several vulnerabilities that have been identified and patched in recent years. Notable among these are CVE-2021-22681, CVE-2022-1159, CVE-2023-3595, CVE-2023-3596, CVE-2023-46290, CVE-2024-21914, CVE-2024-21915, and CVE-2024-21917. These vulnerabilities could allow hackers to perform a range of malicious activities, from Denial of Service (DoS) attacks and privilege escalation to remote modification of settings and even conducting sophisticated Stuxnet-style attacks.
The identification of exploits targeting CVE-2023-3595 and CVE-2023-3596 indicates that advanced persistent threat (APT) groups are actively focusing on Rockwell’s industrial products. Although there are no confirmed reports of successful attacks exploiting these vulnerabilities, the potential threat remains a serious concern.
Broader Implications and Recommendations
The US Cybersecurity and Infrastructure Security Agency (CISA) has echoed Rockwell’s concerns by issuing an alert to draw attention to the security notice. This collaboration highlights the critical nature of the threat and the importance of a coordinated response to protect industrial systems from cyber threats.
In conclusion, while the internet connectivity of industrial systems offers significant operational advantages, it also opens these systems up to a myriad of cyber threats. Rockwell Automation’s recent advisory serves as a crucial reminder for organizations to carefully evaluate their ICS configurations and adopt stringent cybersecurity measures to protect against potential attacks. Disconnecting unnecessary internet connections, staying informed about vulnerabilities, and implementing best practices are essential steps in safeguarding industrial infrastructure in an increasingly connected world.