Rockwell Automation is urging its customers to disconnect all industrial control systems (ICSs) not meant to be connected to the public-facing internet to mitigate unauthorized or malicious cyber activity.
The company said it’s issuing the advisory due to “heightened geopolitical tensions and adversarial cyber activity globally.”
To that end, customers are required to take immediate action to determine whether they have devices that are accessible over the internet and, if so, cut off connectivity for those that are not meant to be left exposed.
“Users should never configure their assets to be directly connected to the public-facing internet,” Rockwell Automation further added.
“Removing that connectivity as a proactive step reduces attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors.”
On top of that, organizations are required to ensure that they have adopted the necessary mitigations and patches to secure against the following flaws impacting their products –
The alert has also been shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which is also recommending that users and administrators follow appropriate measures outlined in the guidance to reduce exposure.
This includes a 2020 advisory jointly released by CISA and the National Security Agency (NSA) warning of malicious actors exploiting internet-accessible operational technology (OT) assets to conduct cyber activity that could pose severe threats to critical infrastructure.
“Cyber actors, including advanced persistent threat (APT) groups, have targeted OT/ICS systems in recent years to achieve political gains, economic advantages, and possibly to execute destructive effects,” the NSA noted in September 2022.
Adversaries have also been observed connecting to publicly-exposed programmable logic controllers (PLCs) and modifying the control logic to trigger undesirable behavior.
In fact, recent research presented by a group of academics from the Georgia Institute of Technology at the NDSS Symposium in March 2024 has found that it’s possible to perform a Stuxnet-style attack by compromising the web application (or human-machine interfaces) hosted by the embedded web servers within the PLCs.
This entails exploiting the PLC’s web-based interface used for remote monitoring, programming, and configuration in order to gain initial access and then take advantage of the legitimate application programming interfaces (APIs) to sabotage the underlying real-world machinery.
“Such attacks include falsifying sensor readings, disabling safety alarms, and manipulating physical actuators,” the researchers said. “The emergence of web technology in industrial control environments has introduced new security concerns that are not present in the IT domain or consumer IoT devices.”
The novel web-based PLC Malware has significant advantages over existing PLC malware techniques such as platform independence, ease-of-deployment, and higher levels of persistence, allowing an attacker to covertly perform malicious actions without having to deploy control logic malware.
To secure OT and ICS networks, it’s advised to limit exposure of system information, audit and secure remote access points, restrict access to network and control system application tools and scripts to legitimate users, conduct periodic security reviews, and implement a dynamic network environment.
