23 Jul 2024


Rockwell warns users to check ICS Internet links ‘immediately’

Rockwell Automation is warning users of factory automation devices such as its Logix controllers to remove any Internet connections immediately if they are not designed for such connections

Rockwell Automation has issued a security notice urging all of its customers to take “IMMEDIATE” action to assess whether they have industrial control devices facing the public Internet and, if so, to remove that connectivity “urgently” for devices not specifically designed for public Internet connectivity. It says it is issuing the advice “due to heightened geopolitical tensions and adversarial cyberactivity globally”.

The advice does not refer to any specific cyberthreats or vulnerabilities.

Rockwell says that users should never configure their ICS (industrial control system) assets to be directly connected to the public-facing Internet. “Removing that connectivity as a proactive step reduces attack surface and can immediately reduce exposure to unauthorised and malicious cyberactivity from external threat actors,” it explains. This advice applies to all devices not specifically designed for public Internet connectivity, such as cloud and edge offerings.

In addition to disconnecting assets from the public Internet – or if disconnection is not feasible – Rockwell also urges its customers to follow the measures outlined in its Security Best Practices document (log-in required).

The Rockwell security notice has been backed by an alert from the US cyber-defence agency, Cisa.

Rockwell says that its customers should be aware of a series of CVE (Common Vulnerabilities and Exposures) notices issued by Cisa and ensure that mitigations are in place, where possible. These notice cover both hardware products, such as Logix controllers and communications modules, and industrial automation software:
CISA | Rockwell Automation Logix Controllers (Update A)
CISA | Rockwell Automation Studio 5000 Logix Designer
CISA | Rockwell Automation Select Communication Modules
CISA | Rockwell Automation FactoryTalk Services Platform
CISA | Rockwell Automation FactoryTalk View ME
CISA | Rockwell Automation FactoryTalk Service Platform
CISA | Rockwell Automation FactoryTalk Service Platform

Rockwell also points users to other sources of information from Cisa and itself on attacks on public-Internet-exposed assets, including information on how to identify exposed assets and disconnect them from the public Internet:
Rockwell Automation | Advisory on web search tools that identify ICS devices and systems connected to the Internet [login required]
CISA | NSA and CISA Recommend Immediate Actions to Reduce Exposure Across Operational Technologies and Control Systems
CISA | How-to Guide: Stuff Off Shodan

Rockwell Automation:  Twitter  LinkedIn  Facebook