About

Conference

SecurityWeek’s ICS Cyber Security Conference is the conference where ICS users, ICS vendors, system security providers and government representatives meet to discuss the latest cyber-incidents, analyze their causes and cooperate on solutions.


Uncategorized (Page 4)

(Eduard Kovacs – SecurityWeek) – In April, at SecurityWeek’s ICS Cyber Security Conference in Singapore, industrial cybersecurity firm Applied Risk disclosed the details of a serious denial-of-service (DoS) vulnerability affecting safety controllers from several major vendors. Rockwell Automation is one of those vendors and the company has now released patches for its products.

In an advisory published last week, Rockwell Automation informed customers that the flaw impacts Allen-Bradley CompactLogix 5370 and Compact GuardLogix 5370 programmable automation controllers, which are used to control processes in the critical infrastructure, water systems, entertainment, automotive, food and beverage, and other sectors.

The vulnerability is tracked by Rockwell as CVE-2017-9312 and it has been classified as “high severity” with a CVSS score of 8.6. CompactLogix 5370 L1, L2 and L3, and Armor CompactLogix 5370 L3 small controllers, and Compact GuardLogix 5370 and Armor Compact GuardLogix 5370 L3 safety controllers running firmware version 30.012 and prior are affected. The security hole has been patched with the release of version 31.011.

A remote attacker can exploit the vulnerability to cause affected devices to enter Major Non-Recoverable Fault (MNRF) mode, which results in a DoS condition that requires the user to re-download the application program in order to restore the system.

“An MNRF is a controlled action taken by the controller when it is determined that the controller could no longer continue safe operation. When a Logix controller determines that an MNRF is the right course of action, the controller is designed to fault, taking it out of run mode, logging diagnostic data, and then invalidating and deleting the controller’s memory. This action requires an application program reload to guarantee the controller has a valid program to continue safe operation,” Rockwell Automation said in an advisory (customer account required).


According to Applied Risk’s own advisory, the vulnerability exists due to “incorrect processing of TCP ACK packet additional options by the listener at Ethernet/IP TCP port (default 44818).”

“An incorrect order on the NOP option leads to an immediate device reboot and enters a ‘Major Fault’ mode which must be resolved manually. To trigger the vulnerability, the NOP option must be put first and the number of options must be more than one,” Applied Risk explained.

In addition to applying firmware updates, Rockwell has advised customers to block all traffic to Ethernet/IP and other CIP protocol-based devices from outside the manufacturing zone, minimize network exposure for control systems, and use VPNs where remote access is required.
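The following Python check is an added example, not code from the Rockwell or Applied Risk advisories. It parses the option list of a captured TCP header and flags ACK segments to port 44818 that match the condition Applied Risk describes (NOP first, more than one option); the function names and sample headers are constructed for illustration.

```python
import struct

ENIP_TCP_PORT = 44818   # default EtherNet/IP TCP port quoted in the advisory
TCP_ACK = 0x10
OPT_EOL, OPT_NOP = 0, 1

def parse_tcp_header(hdr: bytes):
    """Return (dst_port, flags, option_kinds) for a raw TCP header."""
    if len(hdr) < 20:
        raise ValueError("truncated TCP header")
    _src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", hdr[:14])
    hdr_len = (off_flags >> 12) * 4
    if hdr_len < 20 or hdr_len > len(hdr):
        raise ValueError("bad data offset")
    opts, kinds, i = hdr[20:hdr_len], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:              # end of option list, rest is padding
            break
        if kind == OPT_NOP:              # single-byte option, no length field
            kinds.append(kind)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        kinds.append(kind)
        i += opts[i + 1]
    return dst, off_flags & 0x1FF, kinds

def matches_advisory_pattern(hdr: bytes, port: int = ENIP_TCP_PORT) -> bool:
    """True for an ACK segment to `port` whose first option is NOP and
    which carries more than one option (the condition Applied Risk describes)."""
    try:
        dst, flags, kinds = parse_tcp_header(hdr)
    except ValueError:
        return False
    return (dst == port and bool(flags & TCP_ACK)
            and len(kinds) > 1 and kinds[0] == OPT_NOP)

def sample_header(dst_port: int, flags: int, options: bytes) -> bytes:
    """Constructed test input: a TCP header with the given option bytes."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    off_flags = ((20 + len(options)) // 4 << 12) | flags
    return struct.pack("!HHIIHHHH", 40000, dst_port, 1, 1,
                       off_flags, 8192, 0, 0) + options

NOP_FIRST = b"\x01\x01\x08\x0a" + bytes(8)        # NOP, NOP, Timestamps
MSS_FIRST = b"\x02\x04\x05\xb4\x01\x01"           # MSS, NOP, NOP
```

TCP stacks commonly pad the Timestamps option with leading NOPs, so this option layout also appears in ordinary traffic. The useful signal is a match from a source outside the manufacturing zone, which Rockwell advises blocking in any case.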

Since the underlying issue that causes the vulnerability is related to Ethernet/IP, one of the most widely used industrial network protocols, researchers believe products from other vendors are likely affected as well. No other companies have been singled out, but Applied Risk did reveal at the ICS Cyber Security Conference that its researchers tested safety controllers from several major vendors, including Siemens, ABB, Pilz, and Phoenix Contact.

Given the significant role of safety controllers in industrial environments, causing a device to enter a DoS condition could have serious consequences, including physical damage to equipment and physical harm to people, experts warned.

“The impact of such an attack would be highly dependent on the nature of the attack, the design of the control system and other controls a user may have in place,” Rockwell said.

Related: Rockwell Automation Switches Exposed to Attacks by Cisco IOS Flaws

Related: Rockwell Automation Addresses Flaws in Programmable Controllers


(Eduard Kovacs - SecurityWeek) - The developers of Triton, a recently discovered piece of malware designed to target industrial control systems (ICS), reverse engineered a legitimate file in an effort to understand how the targeted devices work. Triton, also known as Trisis and HatMan, was discovered in August 2017 after a threat group linked by some to Iran used it against a critical infrastructure organization in the Middle East. The malware targets Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which

(SecurityWeek - Eduard Kovacs) - A threat actor with ties to hacker groups believed to be operating out of Iran has been targeting the industrial networks of organizations in the Middle East and the United Kingdom. Tracked by industrial cybersecurity firm Dragos as “Chrysene,” the actor has been linked to OilRig and Greenbug, groups that have mainly focused on the Arabian Gulf region and which are believed to have been involved in the Shamoon and Shamoon 2 attacks. According to Dragos, Chrysene

(Kevin Townsend / SecurityWeek) - The Industrial Internet Consortium (IIC) has developed a new IoT Security Maturity Model (SMM), building on its own security framework and reference architecture. This week it has published the first of two papers: IoT Security Maturity Model: Description and Intended Use. This is primarily a high-level overview aimed at the less technical of IoT stakeholders. "This is for the businessmen," Ron Zahavi, chief strategist for IoT standards at Microsoft, told SecurityWeek, "to help them understand what is needed

(Eduard Kovacs - SecurityWeek) Several natural gas pipeline operators in the United States have been affected by a cyberattack that hit a third-party communications system, but the incident does not appear to have impacted operational technology. Energy Transfer Partners was the first pipeline company to report problems with its Electronic Data Interchange (EDI) system due to a cyberattack that targeted Energy Services Group, specifically the company’s Latitude Technologies unit. EDI is a platform used by businesses to exchange documents such as purchase

(Eduard Kovacs / SecurityWeek) - Industrial giant Siemens this week warned that critical vulnerabilities have been found in some of its telecontrol and building automation products, and revealed that some SIMATIC systems are affected by a high severity flaw. One advisory published by the company describes several critical and high severity flaws affecting Siveillance and Desigo building automation products. The security holes exist due to the use of a vulnerable version of a Gemalto license management system (LMS). The bugs affect Gemalto

Industrial cyber protection firm Bayshore Networks has named Kevin Senator as the company's new Chief Executive Officer and President. Senator served as VP of Worldwide Sales & Channels at Bayshore since joining the company in April 2017, and takes over for Mike Dager, who served as Bayshore’s Chief Executive Officer for just over two years. "I would like to welcome Kevin Senator as the new CEO of Bayshore Networks. During his time as Bayshore’s VP of Worldwide Sales, Kevin provided invaluable leadership and

(SecurityWeek - Eduard Kovacs) - Palo Alto Networks on Tuesday announced that it has updated its PAN-OS operating system and released a new next-generation firewall designed for use in industrial and other harsh environments. The new PA-220R is a ruggedized NGFW that can be used by various types of organizations, including power plants, utility substations, oil and gas facilities, manufacturing plants, and healthcare organizations. During beta testing, the product was also used for railway systems, defense infrastructure, and even amusement parks. The PA-220R is

[Presented at SecurityWeek's 2017 Singapore ICS Cyber Security Conference] Session Description: Presented by Joss Menting, Chief Technologist, Lab Manager Cybersecurity, ENGIE Lab LABORELEC. Cybersecurity for Industrial Control Systems (ICS) is gaining importance fast and cannot be covered by one single action. To accept is easy, to continue is difficult; it takes a lot of effort for ICS assets to reach an acceptable level of security. However, it takes much more to maintain that level over a sustainable

Cylus Raises $4.7M to Help Protect Rail Industry Against Cyberattacks (SecurityWeek) - Cylus, an Israel-based startup that specializes in cybersecurity solutions for the rail industry, emerged from stealth mode on Thursday with $4.7 million in seed funding. Researchers have warned on several occasions in the past years that modern railway systems are vulnerable to cyberattacks, and the rail industry has been targeted by both cybercriminals and state-sponsored cyberspies. Cylus aims to address the challenges of securing railway systems by developing a solution that