Rockwell's ICS Directive Comes as Critical Infrastructure Risk Peaks
Critical infrastructure is facing increasingly disruptive threats to physical processes, while thousands of devices are online with weak authentication and riddled with exploitable bugs.
Citing “heightened geopolitical tensions and adversarial cyber activity globally,” industrial control systems (ICS) giant Rockwell Automation last month took the unusual step of telling its customers to disconnect their gear from the Internet. The move showcases not just growing cyber risk to critical infrastructure, but the unique challenges that security teams face in the sector, experts say.
By way of background, the US Cybersecurity and Infrastructure Security Agency (CISA) has been sounding the alarm for months on increased threats to water supply organizations, power plants, manufacturing, telecom carriers, military footprints, and more — attacks that are largely being spearheaded by advanced persistent threats (APTs) backed by China, Russia, and Iran. Especially now, facilities teams should be ramping up their vigilance, given that this is a high-volatility year of elections and war, CISA has warned.
“These nation-states are targeting critical infrastructure for political or economic gain,” says Gary Southwell, general manager at ARIA Cybersecurity. “Russian-backed attackers are targeting allies of Ukraine. They also host many cybercriminals who target high value infrastructure because of the money they can extort. China is playing the long game: get embedded in as much of our critical infrastructure as possible so they can exercise political leverage against us. In the past it was mostly to steal IP but that is now secondary.
“In both cases, these attackers are finding ways in and trying to leave behind code that they can use to control systems and potentially wreak havoc,” he warns.
Adding yet further to the security concerns are the rafts of security vulnerabilities that leave Internet-exposed ICS gear that much more open to compromise. These are difficult to patch without purpose-trained expertise and often require downtime to fix, making remediation a no-go for many organizations. Rockwell’s advisory links to several concerning bugs, including CVE-2021-22681, CVE-2022-1159, CVE-2023-3595 and CVE-2023-3596, CVE-2023-46290, CVE-2024-21914, CVE-2024-21915, and CVE-2024-21917.
These can lead to attacks like denial-of-service (DoS) efforts that take down electrical grids; privilege escalation and lateral movement to burrow deeper into the operational technology (OT) environment in order to control it; modifying settings to, say, change safety thresholds for power generators; remotely compromising programmable logic controllers (PLCs) to halt water sector operations; or even conducting destructive Stuxnet-style attacks that can obliterate a site’s ability to function permanently.
In response, “removing connectivity [from ICS] as a proactive step reduces attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors,” Rockwell noted in its advisory, adding that this should be done “immediately” (which it wrote in all caps, in case the urgency of the matter failed to resonate).
Most ICS Gear Has No Business Being Online
While the advisory pertains to “devices not specifically designed for public Internet connectivity,” that unfortunately represents the majority of ICS gear found online. Most installations still run legacy assets that have been in use for many years, and were never designed to be part of connected, “smart” installations.
It’s not a small problem, either: A Shodan search for “Rockwell” returned more than 7,000 results, including thousands of legacy PLCs, which control the physical and operational processes within ICS environments and are not meant to be exposed.
And therein lies the crux of the issue: If the machines are not meant to be reachable online, how did they end up that way in the first place?
“All too often in a world of ‘hello, it works,’ organizations find themselves in a situation where [things are working operationally, but] hardware and software are installed and configured in ways that are not recommended, leaving them vulnerable to attack,” explains Ken Dunham, cyber threat director at Qualys Threat Research Unit. “Organizations are doing the best that they can, with the limited resources they have, in compressed time frames, often without appropriate training, experience, and checks and balances in place to ensure secure, effective outcomes.”
Beyond resource constraints, there’s also a significant disconnect between the IT security staff and those actually managing the ICS assets. For example, John Gallagher, vice president of Viakoo Labs at Viakoo, notes that in many manufacturing environments, it’s the manufacturing team and not IT that sets up OT devices, which introduces unwanted Internet-facing connections.
“Manufacturing plants tend to have Internet-facing devices for a variety of functions, ranging from office equipment to cloud-connected manufacturing systems,” he explains. He adds that all too often, there’s not enough security expertise amongst those configuring ICS to properly set up and maintain network segmentation from those other aspects. Thus, the ICS gear — many times inadvertently — ends up operating on internal networks that are directly or indirectly reachable from the outside.
This “make it work” approach using limited resources also means that such exposed devices often lack other basic security controls when it comes to authentication, according to Jim Routh, chief trust officer at Saviynt.
“Unfortunately, it is relatively common to have industrial control devices configured with access controls outside of the IT and identity and access management teams and infrastructure, resulting in weak passwords in use,” he explains. “In this case, enterprise customers using the Rockwell ICS devices may have been connected to the Internet with limited access controls that need hardening and management.”
Establishing More Mature ICS Security Practices
To recap: critical infrastructure is facing increasingly disruptive threats to physical processes; thousands of devices are exposed online with weak authentication and riddled with exploitable bugs; and there’s an endemic lack of security team participation in site design and asset/infrastructure management. All in all, it’s not an ideal situation.
Disconnecting these devices from the Internet is the safest way to address the concerns — even though taking devices offline and reconfiguring them to work in a different topology may seem daunting.
“In cases like the situation with Rockwell, where Internet connections are improperly enabled, it will require scheduled maintenance downtime in order to reconfigure them,” Viakoo’s Gallagher says.
Southwell calls it a drastic measure — but stresses that the risk really is high enough to warrant it. Nonetheless, for organizations that decline to disconnect ICS gear from the Internet, limiting online exposure is one way to go, he says.
“For instance, only have the ICS open for short periods, and only to specific devices from known vendors using specific protocols and ports for access,” he advises.
Bringing an IT-style approach to asset management to ICS gear is another way to harden the environment, Routh explains: knowing where connected ICS devices are located, what they do, whether they’re using a default or a customized password, and whether they’re patched.
“The identification and categorization of assets, the configuration standards required for those assets, and then the vulnerability management and ongoing responsibility for those assets — this has never really been applied to devices that weren’t considered IT assets, including ICS,” he says. “That needs to change.”
Even if gear is taken offline as directed, Gallagher warns that “configuration drift,” where over time holes emerge as new assets are added to the environment, is a problem. He advocates using discovery solutions designed for IoT/OT and ICS — ones that are agentless and aware of application-device relationships.
“This is critically important to ensure that all communication paths remain inside the network segment (or perhaps have an outbound-only connection), and they should be periodically checked to make sure that configurations have not changed. Configuration drift management is a difficult task for IoT/OT/ICS systems and requires using solutions like application-based discovery to baseline and monitor changes.”
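The controls the experts describe above (vendor-, protocol- and port-specific access, an inventory of what each device is, and baselining communication paths to catch configuration drift) as one added example that is not code from the article or from any vendor it names: a Python drift check that compares observed flow records for one OT segment against a per-device baseline. All addresses, device roles and flow records are constructed; the one real value is TCP/44818, the EtherNet/IP explicit-messaging port.

```python
import ipaddress
from collections import Counter, namedtuple
# All addresses, devices and flow records here are constructed for the example.
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Per-device baseline: approved peers, approved (proto, dst port) services, and whether the
# device may open outbound-only connections. EtherNet/IP explicit messaging is TCP/44818.
BASELINE = {
    "10.20.0.11": {"peers": {"10.20.0.50"}, "services": {("tcp", 44818)}, "outbound_ok": False},  # PLC
    "10.20.0.12": {"peers": {"10.20.0.50"}, "services": {("tcp", 44818)}, "outbound_ok": False},  # PLC
    "10.20.0.50": {"peers": {"10.20.0.11", "10.20.0.12"}, "services": {("tcp", 44818)}, "outbound_ok": True},  # HMI
}

Flow = namedtuple("Flow", "src dst proto dport")  # one observed connection record

def check_flow(flow, baseline=BASELINE):
    """Return the drift categories an observed flow violates; an empty list means it matches the baseline."""
    src_in = ipaddress.ip_address(flow.src) in OT_SEGMENT
    dst_in = ipaddress.ip_address(flow.dst) in OT_SEGMENT
    findings = []
    # An in-segment endpoint missing from the inventory is an asset-management gap.
    for addr, inside in ((flow.src, src_in), (flow.dst, dst_in)):
        if inside and addr not in baseline:
            findings.append("unknown_device")
    entry = baseline.get(flow.src, {})
    if src_in and dst_in:
        # Internal path: must be an approved peer pair using an approved service.
        if flow.dst not in entry.get("peers", ()) or (flow.proto, flow.dport) not in entry.get("services", ()):
            findings.append("unexpected_internal_path")
    elif src_in:
        # Leaving the segment: only devices approved for outbound-only connections may do so.
        if not entry.get("outbound_ok", False):
            findings.append("unapproved_outbound")
    elif dst_in:
        # Anything reaching into the segment from outside is the exposure the advisory warns about.
        findings.append("inbound_from_outside")
    return findings

def audit(flows):
    """Count drift findings by category over a batch of flow records."""
    return Counter(kind for f in flows for kind in check_flow(f))

# Constructed sample flows: one approved internal, one approved outbound, three kinds of drift.
SAMPLE_FLOWS = [
    Flow("10.20.0.11", "10.20.0.50", "tcp", 44818),    # approved PLC -> HMI
    Flow("10.20.0.50", "203.0.113.10", "tcp", 443),    # HMI pushing outbound, approved
    Flow("10.20.0.77", "10.20.0.11", "tcp", 44818),    # unknown device talking to a PLC
    Flow("10.20.0.12", "198.51.100.5", "tcp", 502),    # PLC reaching outside, not approved
    Flow("198.51.100.9", "10.20.0.11", "tcp", 44818),  # inbound from outside the segment
]
```

Run `audit()` over a day's flow export after each maintenance window and compare the counts with the previous run; any new category or rising count is the drift Gallagher describes.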
Despite all the alarm bells and publishing of specific guidance and alerts on the risk that critical infrastructure faces at the moment, movement appears to be slow on the part of utilities and others when it comes to hardening their environments, he adds.
“It’s really a slow-motion train wreck,” Gallagher warns. “Until more comprehensive threat discovery, assessment, and remediation practices specific to IoT/OT/ICS are being widely used, there will be the threat of a massive wakeup call in the form of a disruptive cyberattack.”
About the Author(s)
Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.