24 Jul 2024


Cyber-flaw could allow hackers to halt Rockwell drives

The potential cyber-security flaw was detected in Rockwell Automation's PowerFlex 525 variable-speed drive

US cyber-researchers have found a software flaw in some Rockwell Automation variable-speed drives that could be exploited to manipulate a drive's operation or to stop it remotely. The "denial of service" bug in PowerFlex 525 drives with embedded EtherNet/IP could allow a cyber-attacker to crash the drive's Common Industrial Protocol (CIP) stack so that it no longer accepts new connections. Connections that are already open would, however, remain active, so an attacker who holds one of them could continue to control the drive while legitimate users are locked out.

The flaw was discovered last July by researchers at Applied Risk. They informed Rockwell, which has since issued a firmware patch to tackle the flaw. Applied Risk has now published a report on its findings, and the US Department of Homeland Security has issued an advisory notice via its National Cybersecurity & Communications Integration Center (NCCIC). The advisory warns that successful exploitation of the vulnerability "could result in resource exhaustion, denial of service, and/or memory corruption". It adds that the flaw requires only a "low" skill level to exploit. There are, however, no known incidents in which the weakness has been exploited.

The flaw would allow an unauthenticated user to send a sequence of packets that crashes the CIP network stack. Each packet consumes one of the drive's limited pool of CIP connections; once the pool is exhausted, the control and configuration software loses its connection and cannot re-establish it, because the drive will not accept any new connection. Legitimate users are therefore unable to recover control. If the attacker keeps their own connections open, they can continue to send commands to the drive, and the only way for the genuine user to regain access is to power-cycle the device.
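The pattern described above, one source hoarding a device's CIP connections until the device starts refusing everyone else, is visible in ordinary network connection logs. The following detector is an added example written for this article; it is not code from Applied Risk, Rockwell or the NCCIC advisory, and it does not reproduce the packet sequence that triggers the flaw. It assumes the drive's CIP explicit messaging runs on TCP port 44818, the standard EtherNet/IP port, and it runs over a constructed, Zeek-style flow log embedded in the script rather than over real capture data.

```python
"""Detect EtherNet/IP connection-pool exhaustion from connection logs.

Added example, not code from the article, Applied Risk or Rockwell.
Assumptions (not stated on the page):
  * CIP explicit messaging is served on TCP/44818 (standard EtherNet/IP);
  * the log is a constructed, Zeek-like flow log with one event per line:
      "<ts> <src_ip>:<sport> <dst_ip>:<dport> <state>"
    where state is ESTABLISHED (handshake completed), CLOSED (session
    torn down) or REJECTED (SYN answered with RST, i.e. the device would
    not accept a new session).
"""
from collections import defaultdict
from dataclasses import dataclass

ENIP_TCP_PORT = 44818  # assumption: standard EtherNet/IP explicit-messaging port


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    state: str


def parse_line(line: str) -> Flow:
    """Parse one constructed flow-log line into a Flow record."""
    ts, src, dst, state = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(float(ts), src_ip, int(sport), dst_ip, int(dport), state)


def detect_pool_exhaustion(lines, max_open_per_src=4, reject_threshold=3):
    """Return alerts as (kind, device, source, count) tuples.

    Two signals, mirroring the behaviour the advisory describes:
      'hoarding' - one source holds more than max_open_per_src simultaneous
                   CIP sessions to the same device (the attacker keeping its
                   own connections open);
      'lockout'  - the device rejects reject_threshold new sessions while
                   other sessions to it are still open (legitimate users can
                   no longer connect). The source reported for a lockout is
                   the one holding the most open sessions at that moment.
    """
    open_sessions = defaultdict(lambda: defaultdict(set))  # device -> src -> {sport}
    rejects = defaultdict(int)                              # device -> rejected attempts
    alerts, seen = [], set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_line(line)
        if f.dport != ENIP_TCP_PORT:
            continue  # only CIP explicit-messaging sessions matter here
        dev = f.dst
        if f.state == "ESTABLISHED":
            open_sessions[dev][f.src].add(f.sport)
            n = len(open_sessions[dev][f.src])
            if n > max_open_per_src and ("hoarding", dev, f.src) not in seen:
                seen.add(("hoarding", dev, f.src))
                alerts.append(("hoarding", dev, f.src, n))
        elif f.state == "CLOSED":
            open_sessions[dev][f.src].discard(f.sport)
        elif f.state == "REJECTED":
            holders = {s: len(p) for s, p in open_sessions[dev].items() if p}
            if not holders:
                continue  # device idle or offline: not the pool-exhaustion pattern
            rejects[dev] += 1
            if rejects[dev] >= reject_threshold and ("lockout", dev) not in seen:
                seen.add(("lockout", dev))
                top = max(holders, key=holders.get)
                alerts.append(("lockout", dev, top, rejects[dev]))
    return alerts


# Constructed sample: 10.0.0.20 is an engineering station, 10.0.0.50 the
# attacker, 10.0.0.10 the drive under attack, 10.0.0.11 a healthy drive.
SAMPLE_LOG = """\
# ts     src              dst              state
1000.0 10.0.0.20:50100 10.0.0.10:44818 ESTABLISHED
1000.5 10.0.0.20:50100 10.0.0.10:44818 CLOSED
1001.0 10.0.0.50:40001 10.0.0.10:44818 ESTABLISHED
1001.1 10.0.0.50:40002 10.0.0.10:44818 ESTABLISHED
1001.2 10.0.0.50:40003 10.0.0.10:44818 ESTABLISHED
1001.3 10.0.0.50:40004 10.0.0.10:44818 ESTABLISHED
1001.4 10.0.0.50:40005 10.0.0.10:44818 ESTABLISHED
1001.5 10.0.0.50:40006 10.0.0.10:44818 ESTABLISHED
1002.0 10.0.0.20:50101 10.0.0.10:44818 REJECTED
1002.0 10.0.0.20:50102 10.0.0.11:44818 ESTABLISHED
1003.0 10.0.0.20:50103 10.0.0.10:44818 REJECTED
1003.5 10.0.0.20:50104 10.0.0.10:80 REJECTED
1004.0 10.0.0.20:50105 10.0.0.10:44818 REJECTED
"""

if __name__ == "__main__":
    for kind, device, source, count in detect_pool_exhaustion(SAMPLE_LOG.splitlines()):
        print(f"{kind:8s} device={device} source={source} count={count}")
```

On the sample log the detector raises a 'hoarding' alert as soon as 10.0.0.50 holds a fifth session to the drive, and a 'lockout' alert on the third refused attempt from the engineering station; the refusal on port 80 and the sessions to the healthy drive are ignored. The thresholds are deliberately low for the sample: on a real network they should be set from a baseline of how many CIP sessions each known engineering workstation and HMI normally holds to each drive.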

The firmware update for the drives can be downloaded from Rockwell’s Web site. The company has also issued a security advisory about the vulnerability for registered customers.

Although this is one of the first problems of its type to be discovered in a variable-speed drive, security analysts regularly report potential weaknesses in industrial equipment. So far this year, the US Government's ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) service has issued more than 50 cyber-security advisories for industrial equipment and software, including items from ABB, Advantech, Aveva, Delta, Emerson, Horner, Johnson Controls, Mitsubishi, Moxa, Omron, OSIsoft, Pepperl+Fuchs, Phoenix Contact, Pilz, Schneider, Siemens and Yokogawa.