ICS-CERT issued an Advisory on Friday titled Rockwell Allen-Bradley MicroLogix, SLC-500, and PLC-5 Fault Generation Vulnerability. This is just a distraction from the PLC insecure by design issue.
The impact of this vulnerability is denial of service. You don’t need to exploit a vulnerability to take a PLC running EtherNet/IP out of service; the pro’s will use the features in these PLC’s. Just send it a EtherNet/IP Stop CPU command. If you want to do something more permanent upload bad logic or firmware.
A few comments on the players in this Advisory:
Thanks for nothing; truly pathetic effort. Is this an important vulnerability? Does it increase risk to owner/operators who own these products (not really). Are they living with insecure by design features that make attacks on integrity and availability trivial to an attacker with manuals, protocol standards and a PLC to test on? (Yes) Should they have a plan to upgrade or replace these insecure by design PLC’s if availability and integrity is a requirement? (Yes)
And ICS-CERT left out the most important part of the disclosure. From the Rockwell Automation Bulletin (free login required):
The MicroLogix controller is susceptible to a remotely exploitable Denial of Service (DoS) attack should it receive certain messages that change specific status bits in the controller’s Status file. Under these specific conditions, an attack will be successful regardless of controller’s mode switch setting. A successful attack will cause the controller to cease its logic execution and enter a fault state. Recovery from this fault state requires the controller’s operating mode selector to be switched via direct physical interaction. (emphasis added)
This requirement for physical interaction is a bigger recovery effort than recovering from a Stop CPU command but less than using the insecure by design features to brick the device.
And the ICS-CERT advisory actually includes an advertisement for Rockwell Automation Consulting, “Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/”
Nice job on the vulnerability handling. The researcher, Matthew Luallen of CYBATI, found the vulnerability in a MicroLogix 1400. RA took the initiative to determine and disclose what other products were affected. They have good technical detail in the RA bulletin, and RA doesn’t try to downplay the issue. The only fault I have with the bulletin is they don’t name the researcher who found the vulns.
RA and other vendors shouldn’t be spending time trying to secure legacy field devices like the SLC-500 and may choose to not have a secure upgrade path for older devices like the PLC-5. They were designed for a different time and a naive security threat environment.
I’d also argue that RA should not be focused on fixing these vulns in the MicroLogix because they will not affect the risk these insecure by design devices contribute to the SCADA or DCS risk. RA should be focusing on two things:
- Adding security to the EtherNet/IP protocol. I have heard, but not confirmed, there is now a Special Interest Group (SIG) in ODVA to add security to the CIP family of protocols that includes EtherNet/IP. Accelerate this as much as possible and get the result implemented in the RA PLCs, beginning with the PLCs being purchased for new deployments.
- Focus on improving the Security Development Lifecycle so vulnerabilities like this will not be introduced in new code, or at least significantly reduced. This code was almost certainly developed before RA had an SDL. RA will need to start going through older code that will live on in new products or a steady stream of vulns will continue.
Matthew Luallen of CYBATI
Nice work. The comments on the insignificance of the vulnerabilities to changing known and accepted risk are not a reflection on the research. Hopefully it is another data point that leads owner/operators to realize they need to upgrade or replace their PLC’s in the next 1-3 years. CYBATI offers ICS security training, and my guess is he uses this as one of his examples or labs.
Image by underminingme