Rockwell Automation has issued a strong recommendation to its customers to disconnect any industrial control systems (ICS) that are not intended for internet connectivity due to an increase in cyber threats linked to global geopolitical tensions. This measure is essential to protect these systems from unauthorized or malicious cyber activities.

Customers must promptly assess whether their ICS devices are accessible over the internet and immediately disconnect those that should not be publicly exposed. Rockwell Automation stresses that ICS assets should never be configured for direct internet access, as disconnecting them reduces the attack surface and mitigates the risk of cyber threats.
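One way to start the exposure assessment described above is to audit an exported firewall/NAT rule set against the ICS asset inventory. The following is an added example, not code from Rockwell Automation or CISA; the inventory, the rule tuple format, the addresses, and the list of internal ranges are all constructed assumptions.

```python
import ipaddress

# Assumption: these RFC 1918 ranges are the only "internal" sources at this site.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data, not taken from the advisory.
ICS_ASSETS = {
    "10.20.0.11": "PLC line 1",
    "10.20.0.12": "PLC line 2",
    "10.20.0.30": "HMI packaging",
}
# (rule id, action, source CIDR, destination CIDR, destination port)
RULES = [
    ("r1", "permit", "0.0.0.0/0", "10.20.0.11/32", 443),
    ("r2", "permit", "10.10.0.0/16", "10.20.0.0/24", 443),
    ("r3", "deny", "0.0.0.0/0", "10.20.0.12/32", 443),
    ("r4", "permit", "203.0.113.0/24", "10.20.0.30/32", 443),
    ("r5", "permit", "192.168.5.0/24", "10.20.0.12/32", 80),
]

def is_external(source_cidr):
    """True when the source range is not wholly inside an internal range.

    ip_network.is_private is deliberately avoided: it reports 0.0.0.0/0
    as private, which would hide the most dangerous rules.
    """
    src = ipaddress.ip_network(source_cidr)
    return not any(src.subnet_of(net) for net in INTERNAL)

def exposed_assets(assets, rules):
    """Map asset IP -> [(rule id, source, port)] for permit rules that admit
    external sources. Rule order and shadowing are not evaluated, so each
    hit is a candidate to confirm on the device itself."""
    findings = {}
    for rule_id, action, src, dst, port in rules:
        if action != "permit" or not is_external(src):
            continue
        dst_net = ipaddress.ip_network(dst)
        for ip in assets:
            if ipaddress.ip_address(ip) in dst_net:
                findings.setdefault(ip, []).append((rule_id, src, port))
    return findings

if __name__ == "__main__":
    for ip, hits in sorted(exposed_assets(ICS_ASSETS, RULES).items()):
        for rule_id, src, port in hits:
            print(f"{ip} ({ICS_ASSETS[ip]}): {rule_id} permits {src} -> port {port}")
```

Any asset the audit returns either needs a documented reason for external reachability or should have the permitting rule removed.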

In addition to this advisory, Rockwell highlights the importance of addressing specific vulnerabilities in its products by implementing the necessary patches and security measures:

  • CVE-2021-22681 (CVSS score: 10.0)
  • CVE-2022-1159 (CVSS score: 7.7)
  • CVE-2023-3595 (CVSS score: 9.8)
  • CVE-2023-46290 (CVSS score: 8.1)
  • CVE-2024-21914 (CVSS score: 5.3/6.9)
  • CVE-2024-21915 (CVSS score: 9.0)
  • CVE-2024-21917 (CVSS score: 9.8)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has echoed this alert, advising users and administrators to follow the recommended precautions to minimize exposure.

This advisory follows a pattern of warnings, including a joint 2020 advisory from CISA and the NSA, which alerted the public to the dangers posed by internet-accessible operational technology (OT) assets. Malicious actors, including advanced persistent threat (APT) groups, have increasingly targeted OT/ICS systems to achieve political and economic goals or to inflict damage.

Moreover, recent findings from the Georgia Institute of Technology, presented at the NDSS Symposium in March 2024, revealed that Stuxnet-style attacks are possible by exploiting web applications hosted by programmable logic controllers (PLCs). Attackers can gain initial access through the PLCs’ web-based interfaces, designed for remote monitoring and configuration, and use legitimate APIs to disrupt real-world machinery.

Such attacks can result in falsified sensor readings, disabled safety alarms, and manipulated physical actuators. The integration of web technology in industrial control environments has introduced new security challenges not seen in traditional IT or consumer IoT devices. The new type of PLC malware offers significant advantages, including platform independence, ease of deployment, and higher persistence, enabling covert malicious activities without deploying control logic malware.

To secure OT and ICS networks, it is recommended to limit exposure of system information, secure remote access points, restrict access to network and control system tools to legitimate users, conduct regular security reviews, and create a dynamic network environment.
