NERC issued an advisory on Rockwell Automation PLC/PAC vulnerabilities. It is odd in many ways.
1. There is no new information. This is all old news.
2. So many field devices used in this electric sector have these same or equally important security deficiencies. Are we going to see NERC Advisories on every brand and model? If not, why the pick on RA?
3. It is far from complete. For example, they don’t mention that an attacker can load rogue firmware on the Ethernet card because upload is not authenticated. This is similar to the Boreas vulnerability, covered in an S4 paper by Daniel Peck, and proven in our lab loading both innocuous and nasty firmware on Rockwell and Koyo/DL products. This was not hard, but many without the technical background didn’t believe it until they saw it. The preponderance of field devices have this problem.
4. And perhaps the worse, some of the mitigation recommendations are just wrong. They suggest using FactoryTalk, but this means no password is used on the PLC/PAC so an attacker does not even need to intercept the password. See our SCADApedia note on this. Other mitigation is simply restrict access – – don’t let the bad guys get to it.
This seems very unfair to Rockwell Automation. Perhaps a more generic advisory about typical vulnerabilities in field devices would have been better. RA has some talent on their security team, and I believe the message is starting to get to the exec’s there and elsewhere. Things don’t move as fast as we would like to see, but there should be some good options for security in field devices in the next year or two.