- CVE-2022-1161 – this vulnerability affects several versions of Rockwell's Logix Controllers and has a CVSS score of 10. It is a remote code execution vulnerability in the affected PLC firmware running on ControlLogix, CompactLogix, and GuardLogix control systems. The user-readable program code is written to a memory location separate from the compiled code that actually executes, so an attacker can modify one copy without the other, and without the user's knowledge.
- CVE-2022-1159 – this vulnerability affects several versions of Rockwell's Studio 5000 Logix Designer application and allows an attacker to alter code as it is being compiled, without the user's knowledge. It has a CVSS score of 7.7. To exploit it, an attacker must first gain administrator access to the affected application, then intercept the compilation process and inject code into the user program. The user may be unaware that this modification has taken place.
SCADAfence Detects These Vulnerabilities
The SCADAfence Platform detects new connections, connections from external devices and from the Internet, and unauthorized connections to OT assets. It also detects start, restart, and stop commands sent to PLCs in the network, as well as remote mode change commands, which are necessary steps for altering programs in Rockwell's Logix Controllers. The disclosed CVEs are currently under NIST-NVD analysis – when the analysis is complete they will be added to the SCADAfence CVE database to help detect devices that are potentially vulnerable.
Recommendations
Vendor Recommendations
Rockwell developed a Compare tool that can detect hidden code running on a PLC:
- Logix Designer application Compare Tool V9 or later, installed with Studio 5000 Logix Designer
- FactoryTalk AssetCentre V12 or later (available fall 2022)
- Implement CIP Security to help prevent unauthorized connections.
- Use the Controller Log feature to track interactions that occurred in the controller.
- Use Change Detection in the Logix Designer application to monitor events for changes.
SCADAfence recommends
SCADAfence recommends taking the following measures to minimize the risk of exploitation:
- Limit Network Exposure – minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Monitor Network Traffic – monitor access to the production segments. In the SCADAfence Platform, create logical groups of the affected devices and define traffic rules to alert on suspicious access to them.
- Monitor User Activity – in the SCADAfence Platform, monitor access to the affected devices and track user activity using the User Activity View.
- Connect to SCADAfence Cloud – connect the SCADAfence Platform to the SCADAfence Cloud to get the latest signature and CVE updates.
- Increase Severity of Alerts – in the SCADAfence Platform, increase the severity of alerts per the below recommendations.
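The detection and monitoring measures described above (connections to affected controllers from outside the production network, start/stop/restart and mode change commands, and traffic rules over a logical group of affected devices) can be sketched as a small rule engine. This is an added illustration, not SCADAfence or Rockwell code; the event record format, the controller addresses, the engineering-host allowlist and the 300-second correlation window are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed logical group of affected Logix controllers (addresses are made up).
AFFECTED_PLCS = {"10.10.1.21": "ControlLogix 5580", "10.10.1.22": "CompactLogix 5380"}
ENGINEERING_HOSTS = {"10.10.5.10"}           # constructed allowlist of engineering workstations
PRODUCTION_NET = ip_network("10.10.0.0/16")  # sources outside this are treated as external
MODE_CMDS = {"mode_change", "start", "stop", "restart"}  # steps that precede altering a program

@dataclass
class Event:  # constructed traffic record; cmd is "connect", a MODE_CMDS value or "program_download"
    ts: int; src: str; dst: str; cmd: str
@dataclass
class Alert:
    ts: int; src: str; dst: str; severity: str; reason: str

def classify(ev: Event) -> Optional[Alert]:
    """Per-event rule: external access to an affected PLC, or a control command sent to it."""
    if ev.dst not in AFFECTED_PLCS:
        return None
    plc = AFFECTED_PLCS[ev.dst]
    if ip_address(ev.src) not in PRODUCTION_NET:
        return Alert(ev.ts, ev.src, ev.dst, "critical", f"external host reached {plc}")
    if ev.cmd in MODE_CMDS or ev.cmd == "program_download":
        sev = "medium" if ev.src in ENGINEERING_HOSTS else "high"
        return Alert(ev.ts, ev.src, ev.dst, sev, f"{ev.cmd} on {plc} from {ev.src}")
    return None

def detect(events: List[Event], window: int = 300) -> List[Alert]:
    """Per-event rules, then escalate an unauthorized mode command followed by a program download."""
    alerts = [a for a in map(classify, events) if a]
    last_mode: Dict[Tuple[str, str], int] = {}  # (src, dst) -> time of last control command
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.dst in AFFECTED_PLCS and ev.cmd in MODE_CMDS:
            last_mode[(ev.src, ev.dst)] = ev.ts
        elif ev.dst in AFFECTED_PLCS and ev.cmd == "program_download" and ev.src not in ENGINEERING_HOSTS:
            t = last_mode.get((ev.src, ev.dst))
            if t is not None and ev.ts - t <= window:
                alerts.append(Alert(ev.ts, ev.src, ev.dst, "critical",
                                    f"mode change then program download on {AFFECTED_PLCS[ev.dst]}"))
    return alerts

# Constructed sample traffic: a routine engineering download, then a suspicious sequence from an unknown host.
SAMPLE = [Event(1000, "10.10.5.10", "10.10.1.21", "mode_change"),
          Event(1030, "10.10.5.10", "10.10.1.21", "program_download"),
          Event(2000, "10.10.9.77", "10.10.1.22", "stop"),
          Event(2010, "10.10.9.77", "10.10.1.22", "program_download"),
          Event(3000, "203.0.113.5", "10.10.1.21", "connect"),
          Event(3100, "10.10.9.50", "10.10.3.3", "stop")]  # not an affected PLC, ignored
```

Running `detect(SAMPLE)` yields two medium alerts for the engineering host, two high alerts for the unknown host, one critical alert for the external connection, and one critical escalation for the stop-then-download sequence.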
Affected Products (CVE-2022-1161)
- 1768 CompactLogix™ controllers
- 1769 CompactLogix controllers
- CompactLogix 5370 controllers
- CompactLogix 5380 controllers
- CompactLogix 5480 controllers
- Compact GuardLogix® 5370 controllers
- Compact GuardLogix 5380 controllers
- ControlLogix® 5550 controllers
- ControlLogix 5560 controllers
- ControlLogix 5570 controllers
- ControlLogix 5580 controllers
- GuardLogix 5560 controllers
- GuardLogix 5570 controllers
- GuardLogix 5580 controllers
- FlexLogix™ 1794-L34 controllers
- DriveLogix™ 5730 controllers
- SoftLogix™ 5800 controllers
Affected Products (CVE-2022-1159)
- Studio 5000 Logix Designer application v28 and later
- ControlLogix® 5580 controllers
- GuardLogix® 5580 controllers
- CompactLogix™ 5380 controllers
- CompactLogix 5480 controllers
- Compact GuardLogix 5380 controllers
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.
About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of the world's most complex OT networks, including Europe's largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.