Executive Summary
We are diligently working through our process to evaluate the threat and provide security mitigations as needed. Rockwell Automation recommends that customers apply hardening techniques, in addition to security best practices for a comprehensive defense in depth approach.
Affected Products
Products that use OPC UA servers:
- FactoryTalk® Linx Gateway
- Editions include embedded, basic, standard, extended distributed, professional
- Versions include 6.10, 6.11, 6.20, 6.21 and 6.30
Risk Mitigation & User Action
- Disable anonymous authentication and configure the use of FactoryTalk Security using the following guidance: FactoryTalk Linx Gateway Getting Results Guide FTLG-GR001E
- Chapter 4 - UA Server Endpoints - Endpoint Properties
- Appendix D - Secure FactoryTalk Linx Gateway using FactoryTalk Security
- Enforce a lockout threshold for failed authentication attempts and configure audit logs using the following guidance to detect signs of an attack. FactoryTalk Security System Configuration Guide Publication FTSEC-QS001R - Chapter 9
- Set system policies - Account Policy Settings
- Set audit policies - Monitor security-related events
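The lockout-threshold and audit-log guidance above is a detection control as much as a hardening one: the audit records only help if something counts failed authentication attempts per account inside a time window and raises the alarm. The following Go program is an added example written for this page, not Rockwell Automation code; the audit line format it parses (`<RFC3339 time> <LOGON|FAILED_LOGON> user=<name> src=<ip>`) and the sample log lines are constructed assumptions, not the FactoryTalk audit format, and lines are assumed to arrive in chronological order.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed authentication record.
type Event struct {
	When    time.Time
	User    string
	Success bool
}

// parseLine parses one constructed audit line of the form
// "<RFC3339 time> <LOGON|FAILED_LOGON> user=<name> src=<ip>".
// The format is an assumption for this example, not the FactoryTalk audit format.
func parseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) < 3 || !strings.HasPrefix(f[2], "user=") {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	return Event{When: ts, User: strings.TrimPrefix(f[2], "user="), Success: f[1] == "LOGON"}, nil
}

// FindLockouts returns, in order of first detection, every account that reached
// `threshold` failed logons inside a sliding `window`. A successful logon resets
// the account's counter, mirroring a typical account-lockout policy.
func FindLockouts(lines []string, threshold int, window time.Duration) []string {
	fails := map[string][]time.Time{}
	flagged := map[string]bool{}
	var hits []string
	for _, l := range lines {
		ev, err := parseLine(l)
		if err != nil {
			continue // a real collector would report unparseable lines
		}
		if ev.Success {
			fails[ev.User] = nil
			continue
		}
		recent := append(fails[ev.User], ev.When)
		cut := ev.When.Add(-window)
		for len(recent) > 0 && recent[0].Before(cut) {
			recent = recent[1:] // drop failures older than the window
		}
		fails[ev.User] = recent
		if len(recent) >= threshold && !flagged[ev.User] {
			flagged[ev.User] = true
			hits = append(hits, ev.User)
		}
	}
	return hits
}

// SampleLog is constructed test data, not a capture from a real system.
var SampleLog = []string{
	"2024-01-05T10:00:01Z FAILED_LOGON user=operator src=10.1.2.3",
	"2024-01-05T10:00:04Z FAILED_LOGON user=operator src=10.1.2.3",
	"2024-01-05T10:00:07Z FAILED_LOGON user=operator src=10.1.2.3",
	"2024-01-05T10:00:09Z FAILED_LOGON user=operator src=10.1.2.3",
	"2024-01-05T10:00:12Z FAILED_LOGON user=operator src=10.1.2.3", // 5th failure within 11 s
	"2024-01-05T10:05:00Z FAILED_LOGON user=engineer src=10.1.2.9",
	"2024-01-05T10:05:30Z LOGON user=engineer src=10.1.2.9", // success resets the counter
	"2024-01-05T11:00:00Z FAILED_LOGON user=engineer src=10.1.2.9",
	"2024-01-05T11:00:01Z FAILED_LOGON user=maint src=10.1.2.20",
	"2024-01-05T11:20:00Z FAILED_LOGON user=maint src=10.1.2.20",
	"2024-01-05T11:40:00Z FAILED_LOGON user=maint src=10.1.2.20",
	"2024-01-05T12:00:00Z FAILED_LOGON user=maint src=10.1.2.20",
	"2024-01-05T12:20:00Z FAILED_LOGON user=maint src=10.1.2.20", // 5 failures spread over 80 min
}

func main() {
	for _, u := range FindLockouts(SampleLog, 5, 10*time.Minute) {
		fmt.Println("lockout threshold reached:", u)
	}
}
```

With a threshold of 5 failures in 10 minutes only `operator` is flagged; `maint` spreads the same number of failures over 80 minutes and stays under the threshold, which is the kind of slow attempt a wider alerting window in the audit review should still catch.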
General Security Guidelines
See the Industrial Security Services website for information on security services from Rockwell Automation to assess, help protect, detect, respond, and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation in PN1354 – Industrial Security Advisory Index
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com
Additional Links
Executive Summary
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including products in scope and recommended countermeasures, are provided herein.
Affected Products
Vulnerability Details
Third-party component | Version |
Apache ActiveMQ | 5.15.0 |
Dom4J | 1.61 |
Apache Commons BeanUtils | 1.9.0 |
Hibernate ORM | 3.3.2 |
Apache CXF | 3.1.10 |
Jackson Databind | 2.1.4 |
Apache HttpClient | 4.5.2 |
JasperReports Library | 6.2.0 |
Apache Santuario (Java) | 2.0.8 |
Java Platform Standard Edition | 8u181 |
Apache Xalan (Java) | 2.7.1 |
JBoss Remoting | 4.0.22.Final |
Apache Xerces2J | 2.11.0.SP5 |
JGroups | 2.12.2.Final |
Bouncy Castle | 1.36, 1.44, 1.55 |
Spring Framework | 2.5.5, 4.3.8-4.3.9 |
Cryptacular | 1.51 |
Undertow Core | 1.0.10.Final |
Codehaus XFire | 0.9.5.2 |
Velocity (velocity.apache.org) | 1.7 |
Risk Mitigation & User Action
- Apply security recommendations found in the FactoryTalk® ProductionCentre Knowledgebase Article IN39626 - Security Recommendations for FactoryTalk ProductionCentre to help minimize the risk of these third-party vulnerabilities.
- Deploy network segmentation, when possible, per our standard deployment recommendations.
General Security Guidelines
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted websites and attachments.
- Minimize network exposure for all control system devices and/or systems and confirm that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, see Knowledgebase Article PN715 - Advisory on web search tools that identify ICS devices and systems connected to the Internet
- Locate control system networks and devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also, recognize that a VPN is only as secure as the connected devices.
See the Network Services Overview Page for information on network and security services for Rockwell Automation to enable the assessment, design, implementation, and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to PSA/PN/Security Notifications. This can be done by updating settings in Account Overview within the Knowledgebase.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
Additional Links
- PN1354 - Industrial Security Advisory Index
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- Hardening Guidance (CIS Benchmarks)
Executive Summary
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their deployed products.
Affected Products
- All Cisco IOS releases (with the exception of those which incorporate the new HTTP session management feature added through Cisco BugID CSCvo20762) lack HTTP and HTTPS session management capabilities.
Details
On the Stratix 5700 Industrial Managed Ethernet switch running Cisco IOS, because no session management is performed for HTTP or HTTPS sessions, the only way to close and terminate an active HTTP or HTTPS management session is to close the web browser used for that session once the user is done. Closing the active tab or active window is not enough: the browser instance must be terminated.
If the browser instance has not been terminated, an actor with local access to the machine from which the session was established may be able to restart the management session without being prompted for any credentials, which would result in this actor having the same kind of access to the device as the user on the previous session.
Risk Mitigation & User Action
If HTTP session management is desired while running a release which does not support the enhancement, Cisco IOS customers are directed towards risk mitigation. They are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense in depth strategy.
Completing the following precautionary measure is recommended as a risk mitigation strategy against unauthenticated attackers.
- Terminate the browser when finished – closing the tab or window is NOT enough
General Security Guidelines
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at Knowledgebase Article ID QA17329.
- Ensure that the least-privilege user principle is followed, and user/service account access to shared resources (such as a database) is only granted with a minimum amount of rights as needed.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID PN715.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com).
ADDITIONAL LINKS
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
Description
Version 2.0 - July 8th 2016
Rockwell Automation has learned about the existence of a malicious file called "Allenbradleyupload.zip" that is being distributed on the internet. This file is NOT an official update from Rockwell Automation, and we have been informed that this file contains a type of ransomware malware that, if successfully installed and launched, may compromise the victim’s computer. This advisory is intended to raise awareness to control system owners and operators of reports of the file’s existence as a result of reports Rockwell Automation received from the Electricity Information Sharing and Analysis Center ("E-ISAC").
Update 08-JUL-2016: Our investigation has confirmed the existence of the reported malware through VirusTotal.com. According to VirusTotal, it "is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware." According to information on VirusTotal.com, the file "Allenbradleyupload.zip" contains a single file called "Allenbradleyupload.exe", which may be malicious. File hashes and links to VirusTotal.com are in the table that follows below. These file hash values can be used with Application Whitelisting technologies to reduce the ability of this malware to execute on a system. According to VirusTotal, most of the antivirus/anti-malware vendors have updated their databases to detect this malware. However, we strongly recommend ensuring that your antivirus programs and virus definitions are up to date.
File Name | Hash Type | Hash Value |
Allenbradleyupload.zip | MD5 | b552a95bd3eceb1770db622a08105f52 |
Allenbradleyupload.zip | SHA-1 | 4dbba01786068426c032a7524e31668f2435d181 |
Allenbradleyupload.zip | SHA-256 | e7b4a2c05e978b86a231fa276db29bb8362bd25160bdeb4c2239cb614d7f44df |
Allenbradleyupload.exe | MD5 | 49067f7b3995e357c65e92d0c7d47c85 |
Allenbradleyupload.exe | SHA-1 | 5f8c4246fc24d400dffef63f25a44b61932b13af |
Allenbradleyupload.exe | SHA-256 | 97ec86160dea82a17521a68076fe0d5537f60577b79338e67a15528115e94b88 |
Rockwell Automation confirms that this malware is NOT an official product update and it is not connected with any Rockwell automation product, software update, or website.
Rockwell Automation decided to provide this advisory since the attackers have used the Rockwell Automation brand name on the file, possibly as a means to increase the likelihood of an ICS-knowledgeable user to download and execute the malware as part of their strategy. We are continuing to monitor this situation, and we will update this advisory as we learn more.
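The advisory recommends using the published hash values with application whitelisting; the same values also let a responder sweep file shares and engineering workstations for copies of the file. The Go program below is an added example written for this page, not Rockwell Automation code: it streams each file once through MD5, SHA-1 and SHA-256 and reports any file whose SHA-256 matches one of the two artefacts in the table above. The IoC values are the ones printed in the advisory; the directory walk and output format are assumptions of the example.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// Hashes holds the three digests the advisory publishes for each file.
type Hashes struct{ MD5, SHA1, SHA256 string }

// Artefact is one known-bad file from the advisory table.
type Artefact struct{ Name, MD5, SHA1 string }

// IoCs are the hash values from the advisory table above, keyed by SHA-256.
var IoCs = map[string]Artefact{
	"e7b4a2c05e978b86a231fa276db29bb8362bd25160bdeb4c2239cb614d7f44df": {
		"Allenbradleyupload.zip", "b552a95bd3eceb1770db622a08105f52", "4dbba01786068426c032a7524e31668f2435d181"},
	"97ec86160dea82a17521a68076fe0d5537f60577b79338e67a15528115e94b88": {
		"Allenbradleyupload.exe", "49067f7b3995e357c65e92d0c7d47c85", "5f8c4246fc24d400dffef63f25a44b61932b13af"},
}

// HashFile streams the file once through all three digests.
func HashFile(path string) (Hashes, error) {
	f, err := os.Open(path)
	if err != nil {
		return Hashes{}, err
	}
	defer f.Close()
	m, s1, s256 := md5.New(), sha1.New(), sha256.New()
	if _, err := io.Copy(io.MultiWriter(m, s1, s256), f); err != nil {
		return Hashes{}, err
	}
	return Hashes{
		MD5:    hex.EncodeToString(m.Sum(nil)),
		SHA1:   hex.EncodeToString(s1.Sum(nil)),
		SHA256: hex.EncodeToString(s256.Sum(nil)),
	}, nil
}

// MatchIoC reports which advisory artefact, if any, the digests identify.
// SHA-256 is the deciding value; MD5 and SHA-1 are kept only because the
// advisory publishes them for tools that can consume nothing stronger.
func MatchIoC(h Hashes) (string, bool) {
	a, ok := IoCs[h.SHA256]
	if !ok {
		return "", false
	}
	return a.Name, true
}

// ScanDir walks root and returns "path (artefact)" for every file whose
// hashes match an IoC. Unreadable files are skipped rather than aborting the sweep.
func ScanDir(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		h, err := HashFile(p)
		if err != nil {
			return nil
		}
		if name, ok := MatchIoC(h); ok {
			hits = append(hits, fmt.Sprintf("%s (%s)", p, name))
		}
		return nil
	})
	return hits, err
}

func main() {
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	hits, err := ScanDir(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan error:", err)
		os.Exit(2)
	}
	for _, h := range hits {
		fmt.Println("IoC match:", h)
	}
	fmt.Printf("%d match(es)\n", len(hits))
}
```

Run it as `go run main.go /path/to/share`; a match is a reason to isolate the host and pull the file for analysis, not to delete it, since the copy is evidence.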
BACKGROUND
Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary ransom in order to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications. Typically the user is required to pay the ransom in some form of untraceable currency, and must do so before the deadline expires and the decryption key is destroyed.
According to the September/October 2015 issue of the ICS-CERT Monitor, "Ransomware, such as Cryptolocker or TeslaCrypt, is currently one of the most prolific categories of malware growth, rising 165 percent in varieties seen between the fourth quarter of 2014 and the first quarter of 2015".
CUSTOMER RISK MITIGATIONS
Where feasible, precautions and risk mitigation strategies against this type of attack, such as those listed below, are recommended. When possible, multiple strategies should be employed simultaneously.
- Obtain product software and firmware from Rockwell Automation’s official download portal, available at http://www.rockwellautomation.com/global/support/drivers-software-downloads.page.
- Follow industry best-practices to harden your PCs and Servers, including anti-virus/anti-malware and application whitelisting solutions. These recommendations are published in KB546987.
- Consult VirusTotal.com’s analysis of the malware (using the links above), to determine if your deployed antivirus solution is able to detect this malware. (UPDATED 08-JUL-2016)
- Analyze outbound network traffic against the known indicators of compromise (IoC), available from the US-CERT portal, to identify and assess the risk of any unusual network activity.
- Develop, and then deploy, backup and disaster recovery policies and procedures. Test backups on a regular schedule.
- Implement a change management system to archive network, controller and computer assets (e.g., clients, servers and applications).
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack, which can also serve as a vehicle for malware infection.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page? for comprehensive information about implementing validated architectures designed to deliver these measures.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
Description
Rockwell Automation recognizes the importance of information and control system security to our customers. We are committed to working with government agencies and standards development organizations to develop solutions targeted to help our customers improve their overall system security strategy.
As part of this effort, the Idaho National Laboratory (INL) Control Systems Security Program, under contract to the Department of Homeland Security (DHS), identified a potential security concern within the firmware upgrade process used in control systems deployed in Critical Infrastructure and Key Resources (CIKR). DHS has confirmed that the firmware upgrade process can be intentionally manipulated in a manner that has potential to render the device inoperable and cause a disruption to the process and/or system operation.
Rockwell Automation has been working in partnership with DHS to identify potential short-term and long-term mitigation strategies.
As a result, Rockwell Automation is implementing a policy to digitally sign most firmware images and require contemporary devices to validate this signature before applying a firmware upgrade. Over time, many contemporary Rockwell Automation products will include this signature validation mechanism to help ensure firmware integrity and authenticity.
The following Rockwell Automation products currently authenticate firmware using digital signatures:
- ControlLogix 1756-L72, L73, L74, L75 Programmable Automation Controllers
- Virtual firmware of the 1789 SoftLogix PC based controllers
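The policy described above, signing firmware images and having the device validate the signature before applying an upgrade, is what closes the tampering path DHS identified: a modified image no longer verifies and is refused. The Go program below is an added example written for this page, not Rockwell Automation's signing scheme or container format. The container layout (a `SFW1` magic, a 64-byte Ed25519 signature over the SHA-256 of the image, then the image) and the fixed demo seed are assumptions of the example; a real signing key is held in an HSM and the device carries only the public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Container layout (an assumption for this example, not a Rockwell format):
//   magic "SFW1" | 64-byte Ed25519 signature over SHA-256(image) | image bytes
var magic = []byte("SFW1")

// ErrBadSignature is returned when the image must not be applied.
var ErrBadSignature = errors.New("firmware signature invalid: image rejected")

// DemoKeys derives a fixed key pair from a constructed seed so the example is
// deterministic. Never derive a production signing key this way.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignImage wraps a raw firmware image in the signed container. This runs at
// the vendor's release pipeline, where the private key lives.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	sig := ed25519.Sign(priv, digest[:])
	out := make([]byte, 0, len(magic)+len(sig)+len(image))
	out = append(out, magic...)
	out = append(out, sig...)
	return append(out, image...)
}

// VerifyImage is the device-side check performed before any flash write.
// It returns the raw image only if the signature verifies under the trusted
// public key; a tampered image, a wrong key or an unsigned blob are all refused.
func VerifyImage(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	hdr := len(magic) + ed25519.SignatureSize
	if len(blob) < hdr || !bytes.Equal(blob[:len(magic)], magic) {
		return nil, errors.New("not a signed firmware container")
	}
	sig := blob[len(magic):hdr]
	image := blob[hdr:]
	digest := sha256.Sum256(image)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, ErrBadSignature
	}
	return image, nil
}

func main() {
	pub, priv := DemoKeys()
	image := []byte("constructed firmware image v1.2.3") // stand-in payload
	blob := SignImage(priv, image)
	if _, err := VerifyImage(pub, blob); err != nil {
		panic(err)
	}
	fmt.Println("genuine image accepted")

	tampered := append([]byte{}, blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit in the payload
	_, err := VerifyImage(pub, tampered)
	fmt.Println("tampered image:", err)
}
```

The verify step must run on the device itself, after the full image has been received and before anything is written to flash; verifying on the engineering workstation and then pushing the image over the network leaves the same window the advisory describes.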
For other devices, to help reduce the likelihood of the upgrade process being exploited and help reduce associated security risk, Rockwell Automation and DHS recommend the following short-term mitigation strategies (Note: multiple strategies can be employed simultaneously):
- Disable where possible the capability to perform remote firmware upgrades over a network to a controller by placing the controller key switch into RUN mode. This prevents the Allen-Bradley brand controllers from accepting firmware upgrades.
- Restrict physical and electronic access to automation networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
- Restrict firmware upgrades to the local ControlNetwork or direct (point-to-point) physical methods only by physically or electronically isolating target devices from any larger system while performing a firmware upgrade.
- Temporarily remove unnecessary network connections to the device before administering a firmware upgrade. Reactivate device-specific security measures and replace network connections only after a successful firmware upgrade.
- Block all traffic to the EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
- Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks.
Rockwell Automation is currently investigating additional long-term mitigation strategies that include, but are not limited to:
- Additional techniques to verify the authenticity of firmware updates to help reduce the likelihood of file tampering.
- Enhancements to the joint Rockwell Automation / Cisco Plantwide Reference Architecture that detail methods and recommendations which can further strengthen control system security.
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
Reference http://www.ab.com/networks/architectures.html for comprehensive information about improving your control system to implement validated architectures designed to deliver layered-security and defense-in-depth.
Description
Potential Security Vulnerabilities
Rockwell Automation has identified three potential security vulnerabilities related to the web interface of the 1756-ENBT/A EtherNet/IP Bridge Module (the "Product"). Specifically, the risks include the following:
- The potential for cross-site scripting, which could allow the Product to be used in a social engineering attack.
- An attacker could potentially craft a URL that looked as if it would take a user to the Product, but would instead execute script from a different location. A successful attack would require the attacker to transmit the crafted URL to a user with access to the web interface of the Product and to convince that user to open the URL.
- The potential for web redirection, which could allow the Product to be used in a social engineering attack.
- An attacker could potentially craft a URL that looked as if it would take a user to the Product, but would actually direct the browser to a different location. A successful attack would require the attacker to transmit the crafted URL to a user with access to the web interface of the Product and to convince that user to open the URL.
- The potential for exposure of some of the Product’s internal web page information. While this does not directly present a functional vulnerability, it does expose some internal information about the module.
Risk Mitigation
None of these issues results in the Product’s web pages or other Product functions being compromised or otherwise affected.
These potential security vulnerabilities are corrected in:
- 1756-ENBT Version 4.008
- 1756-EWEB Version 4.009
The best way to mitigate the risk associated with these issues is to employ the following in the design of network architecture:
- Layered security.
- Defense-in-depth methods.
Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
Additionally, to help mitigate the risk associated with the potential cross-site scripting vulnerability, certain web browsers and/or browser add-ons can be used. Internet Explorer Version 8 (which is currently in beta release) has cross-site scripting protection built in. Additionally, the NoScript add-on for the Firefox browser can help prevent cross-site scripting attacks.
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security/.
REFERENCES
- http://www.kb.cert.org/vuls/id/124059
- http://www.kb.cert.org/vuls/id/619499
- http://www.kb.cert.org/vuls/id/882619
- Industry Advisory - CIP: Rockwell Automation ControlLogix 1756-ENBT/A WebServer Vulnerabilities
Description
Publicly disclosed September 13, 2011 as RSLogix 5000 Denial of Service Vulnerability
Updated October 5, 2011
This advisory is a replacement and update to AID#: 456065
On September 13, 2011, Rockwell Automation was made aware of a potential vulnerability in RSLogix™ 5000 software that, if successfully exploited, may result in a Denial of Service condition. Since the release of this information, we have been evaluating the specific vulnerability and associated risk.
We have confirmed the existence of this vulnerability in a particular software service employed by RSLogix 5000 and FactoryTalk®-branded Rockwell Automation software products.
Affected Products:
Product Description | Affected Versions |
RSLogix 5000 software | Versions V17, V18 and V19 |
All FactoryTalk-branded software | CPR9 and CPR9-SR1 through SR4 |
Vulnerability Details and Impacts:
The particular vulnerability affects a software service in Rockwell Automation’s FactoryTalk Services Platform (FTSP). Although the installation of FTSP is optional, the specific service is also employed separately with a variety of Rockwell Automation software applications.
The Rockwell Automation Security Taskforce has determined that exploitation of this vulnerability can result in a potential Denial of Service (DoS) in RSLogix 5000 software. Specifically, it can result in RSLogix 5000 being unable to publish information to FactoryTalk Diagnostics and FactoryTalk AssetCentre. Additionally, exploitation can lead to a potential for a DoS and Denial of View (DoV) condition to other affected FactoryTalk-branded software. Such DoS and DoV conditions can prevent affected software from establishing communication or maintaining information exchange with servers and other control system devices.
There is no known possibility of malicious code injection and no known escalation of privilege on the target machine that results from successful exploitation of the vulnerability. Furthermore, there is no indication that exploitation will disrupt operation of a Rockwell Automation programmable controller or communications between RSLogix 5000 software and a Rockwell Automation programmable controller.
Vulnerability Mitigation:
A software patch for affected FactoryTalk Services Platform and RSLogix 5000 software has been released. Rockwell Automation recommends concerned customers apply this patch roll-up at their earliest convenience:
Product Description | Current Version | Recommendation |
FactoryTalk Services Platform (FTSP) | CPR9, CPR9-SR1, CPR9-SR2, | Apply patch roll-up: http://rockwellautomation.custhelp.com/app/answers/detail/a_id/458689 |
RSLogix 5000 | V17, V18, V19 | Apply patch roll-up: http://rockwellautomation.custhelp.com/app/answers/detail/a_id/458689 |
NOTE: FactoryTalk Services Platform CPR7 and earlier and RSLogix 5000 V16 and earlier are not affected by this vulnerability.
Other Mitigation Techniques:
We recognize the concerns our customers have relating to this matter. We continue to recommend that concerned customers remain vigilant and follow good security practices and system design.
Rockwell Automation, in collaboration with NitroSecurity, has released a specific SNORT® signature suitable for many popular Intrusion Detection Systems (IDS). Use of this signature can help further reduce risk of successful remote exploitation of this vulnerability. This signature has been supplied to the QuickDraw SCADA IDS project, originally funded by US Department of Energy, for inclusion in the QuickDraw signature database. http://www.digitalbond.com/tools/quickdraw/
Rockwell Automation has evaluated Symantec Endpoint Protection (SEP) and validated a rule that blocks the known exploitation for SEP. We recommend that SEP definitions be kept up to date. For more information, refer to: http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=24527
In addition, the following security strategies are some techniques that will help reduce risk and enhance overall control system security:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
3. Configure firewall ingress/egress rules to block the following TCP ports to prevent traversal of RNA messages into/out of the ICS system: 1330, 1331, 1332, 4241, 4242, 4445, 4446, 5241, 6543, 9111, 60093, 49281.
4. Evaluate firewall configurations to ensure other appropriate traffic is blocked.
5. Use antivirus/antimalware and endpoint security solutions and verify that security definitions are kept up to date.
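Both this advisory (block the RNA TCP ports at the ICS boundary) and the firmware-upgrade advisory above (block TCP and UDP 2222 and 44818 from outside the Manufacturing Zone) reduce to a boundary policy that a firewall rule set must encode without gaps. The Go program below is an added example written for this page, not Rockwell Automation tooling: it models that policy as a decision function so the intended behaviour can be checked against sample flows before the rules are written into a real firewall. The port lists are the ones printed in the two advisories; the Manufacturing Zone prefix `10.20.0.0/16`, the sample addresses and the default-deny stance are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// CIP ports from the firmware-upgrade advisory (TCP and UDP 2222 and 44818).
var cipPorts = map[uint16]bool{2222: true, 44818: true}

// RNA ports from the RSLogix 5000 advisory (TCP only), as listed there.
var rnaPorts = map[uint16]bool{
	1330: true, 1331: true, 1332: true, 4241: true, 4242: true, 4445: true,
	4446: true, 5241: true, 6543: true, 9111: true, 60093: true, 49281: true,
}

// Flow is the minimum a boundary filter needs to decide on a new connection.
type Flow struct {
	Proto   string // "tcp" or "udp"
	Src     netip.Addr
	DstPort uint16
}

// Boundary models the firewall between the Manufacturing Zone and everything else.
type Boundary struct {
	ManufacturingZone []netip.Prefix // sources allowed to reach CIP devices
}

// Allow reports whether the flow may cross into the Manufacturing Zone and
// which rule decided it. Anything not explicitly permitted is dropped.
func (b Boundary) Allow(f Flow) (bool, string) {
	if cipPorts[f.DstPort] && (f.Proto == "tcp" || f.Proto == "udp") {
		for _, p := range b.ManufacturingZone {
			if p.Contains(f.Src) {
				return true, "cip: source inside Manufacturing Zone"
			}
		}
		return false, "cip: blocked from outside Manufacturing Zone"
	}
	if f.Proto == "tcp" && rnaPorts[f.DstPort] {
		return false, "rna: blocked at ICS boundary"
	}
	return false, "default deny"
}

func main() {
	b := Boundary{ManufacturingZone: []netip.Prefix{netip.MustParsePrefix("10.20.0.0/16")}}
	// Constructed sample flows, not captured traffic.
	samples := []Flow{
		{"tcp", netip.MustParseAddr("10.20.5.7"), 44818},
		{"udp", netip.MustParseAddr("10.20.5.7"), 2222},
		{"tcp", netip.MustParseAddr("192.168.1.50"), 44818},
		{"tcp", netip.MustParseAddr("192.168.1.50"), 1330},
		{"tcp", netip.MustParseAddr("10.20.5.7"), 8080},
	}
	for _, f := range samples {
		ok, rule := b.Allow(f)
		fmt.Printf("%-4s %-15s -> %-5d allow=%-5t (%s)\n", f.Proto, f.Src, f.DstPort, ok, rule)
	}
}
```

The point of writing the policy down this way is the last case: a flow that matches neither list is still denied, which is what item 4 ("ensure other appropriate traffic is blocked") asks for and what a rule set built only from explicit deny entries would miss.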
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security
Description
Rockwell Automation recommended mitigations for Zero day vulnerability (W32.Stuxnet) to Microsoft® Windows™
Released: 21 July 2010 Updated: 10 August 2010
Multiple credible sources disclosed that in the days and months prior to 14 July 2010 a series of cyber events occurred that took advantage of a previously unknown Windows™ vulnerability and delivered a specially crafted malware payload that targeted industrial control systems, specifically SCADA/critical infrastructure processes. Technical details and a patch for the Windows vulnerability used during these events have been released by Microsoft in the recently updated Microsoft Security Advisory (2286198) v2.0 dated 2 August 2010. The specific malware, commonly known as W32.Stuxnet, has been analyzed by numerous antivirus vendors and is a known threat to Windows®-based systems.
Rockwell Automation recommends that all industrial control system users, regardless of the make or brand of components employed within the system, take necessary steps to safeguard against potential future attacks of this type by implementing good cyber security measures as outlined below.
Background
A Windows™ operating system vulnerability known as the Shortcut Icon Loading Vulnerability (CVE-2010-2568) was confirmed as a means to allow malware commonly known as W32.Stuxnet to load and execute on PCs. The malware has also been confirmed to specifically target Siemens WinCC and PCS-7 SCADA software products. These products are typically used to control critical infrastructure processes that include power generation, power distribution, water/wastewater and other similar applications.
Rockwell Automation continues to closely monitor every aspect of this situation for new information and developments in order to provide our customers with timely and appropriate advice on this matter. Furthermore, we are continuing to work closely with appropriate authorities to review our proactive plans.
Given that industrial applications are known to heavily rely on mission-critical products built on the Windows operating system, Rockwell Automation is issuing guidance for all industrial control system customers. The following measures are intended as additions to a company’s own security policies and can help to reduce associated risk and enhance control system security.
Vulnerability Description
Exploitation of the Shortcut Icon Loading Vulnerability currently uses USB drives as the means of transport to infect a PC, and does not rely on user interaction or on the optional AutoPlay feature that the Windows operating system employs for devices connected to USB ports.
The Microsoft Security Bulletin MS10-046 v1.1, dated 2 August 2010 details the threat and risk as follows:
What causes the vulnerability?
When attempting to load the icon of a shortcut, the Windows Shell does not correctly validate specific parameters of the shortcut.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
How could an attacker exploit the vulnerability?
An attacker could present a removable drive to the user with a malicious shortcut file, and an associated malicious binary. When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker’s choice on the target system.
An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location. When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows attempts to load the icon of the shortcut file, invoking the malicious binary. In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control (such as but not limited to Microsoft Office documents).
IMMEDIATE RECOMMENDATIONS
Rockwell Automation has compiled the following immediate recommendations that include advice from Microsoft, Department of Homeland Security (DHS)/ICS-CERT plus added specific Rockwell Automation recommendations that can help mitigate the threat and simultaneously enhance the security of control systems:
MICROSOFT recommends immediate application of a Windows software patch as referenced in Microsoft Security Advisory (2286198) and further detailed in Microsoft Security Bulletin MS10-046 v1.1, dated 2 August 2010.
NOTE: Rockwell Automation’s Patch Qualification team has completed an initial and partial qualification of the Microsoft Patch 2286198. See Rockwell Automation’s Immediate Recommendations below for additional information.
DHS/ICS-CERT recommends concerned users immediately implement the following measures:
Mitigations
- Establish strict policies for the use of USB thumb drives on all enterprise and control system networks.
- Caution users about this attack vector and remind them that unknown USB drives should never be plugged into a business or personal computer.
Specific to this Shortcut Icon Loading Vulnerability and the specific W32.Stuxnet virus, malware samples were provided to the antivirus vendor community. Most major antivirus suppliers have already released updated virus definitions to contain and remove the malware.
- ICS-CERT recommends consulting antivirus vendors and to consider scanning systems with current antivirus software.
NOTE: Rockwell Automation software is proactively tested for compatibility with Symantec’s Norton Antivirus software.
DHS/ICS-CERT reminds users to exercise caution when using USB drives. For more information on best practices and removable media, see the ICS-CERT Control Systems Analysis Report "USB Drives Commonly Used As An Attack Vector Against Critical Infrastructure."
www.us-cert.gov/control_systems/pdf/ICS-CERT%20CSAR-USB%20USAGE.pdf
Additional DHS/US-CERT Security Tips for use of caution with USB drives can be found here:
www.us-cert.gov/cas/tips/ST08-001.html
ROCKWELL AUTOMATION recommends concerned customers take the following additional precautions to enhance protection to industrial control systems:
Mitigations
- Apply the Microsoft Windows software patch as referenced in Microsoft Security Advisory (2286198) and further detailed in Microsoft Security Bulletin MS10-046.
NOTE: The Rockwell Automation Patch Qualification Team Partially Qualified KB2286198 on 9 August 2010, with Full Qualification on 19 August 2010.
Go to RAid:35530 for more specific information regarding the qualification of this patch.
- Restrict control system access to only those authorized to work with these systems.
- Make sure that all control system PCs are running end-point protection software (e.g. Antivirus, Anti-malware) and that all signatures are up to date.
- Make sure that all control system PCs follow a regimented, timely patch management process. Before applying any patch, Rockwell Automation recommends that customers confirm the patch has been qualified by the Rockwell Automation Patch Qualification service (www.rockwellautomation.com/security).
- Where practical, disable all unused USB ports on control system PCs.
- Consider alternatives to USB drives (e.g. network file transfer) for transferring data files to the control system.
- Discontinue use of any USB drive or similar device if the validity, authenticity, or security of the hardware comes into question.
- Purchase USB drives from trusted sources.
- Only use USB drives manufactured by a trusted vendor.
- Format USB drives on a non-mission critical computer that is running up to date end-point protection software (e.g. Antivirus, Anti-malware) prior to connecting the USB drive to any critical industrial control system equipment.
- Maintain physical security for USB drives, dongles and keys to ensure only authorized users have access and usage rights.
- Should a failure in the physical security policy for USB drives be identified, repeat the formatting step above (format the USB drive on a non-mission-critical computer running up-to-date end-point protection) before connecting it to any control system equipment. Seek instructions from the supplier of USB dongles and keys before any further use on control system equipment.
NOTE: Apply the same caution to optical media as to USB drives. Software delivered on non-production optical media (e.g. user-generated CD-R/RW or DVD±R/RW that was "burned" rather than "pressed") is presumed higher risk than production-grade pressed media.
As more information becomes known, Rockwell Automation expects these recommendations will be refined to help further protect control systems from the resulting risk.
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security through the use of layered security and defense in depth practices when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at www.rockwellautomation.com/security.
Description
Version 1.0 – January 11th 2016
In January 2016, SCADA Strange Love, an independent group of information security researchers, included several Rockwell Automation products in a project they published called SCADAPass.
SCADAPass contains a list of default passwords in popular industrial control systems ("ICS") and supervisory control and data acquisition ("SCADA") products, including programmable logic controllers ("PLCs") and human-machine interfaces ("HMIs"). Default credentials may be used by an attacker to gain privileged access to remotely accessible assets if a user does not take explicit action to change the default user credentials.
As part of this process, Rockwell Automation evaluated the products included in SCADAPass and determined that every one of their default passwords can be changed by the user. Directions on how to change these passwords are found in the respective product manuals for the products listed below.
INCLUDED PRODUCTS
- 1756-EN2TSC
- 1756-EWEB
- 1734-AENT
- MicroLogix 1400
- MicroLogix 1100
- PanelView Plus 6
RISK MITIGATIONS
- Rockwell Automation strongly recommends that asset owners evaluate the passwords used in their production assets, and apply the following suggested mitigations which are applicable:
- Establish and enforce password policies for maximum age of passwords, minimum password length, minimum password complexity, and password re-use.
- Use trusted software, software patches, anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
- Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.
Description
PowerFlex 7000 Writeable Parameters
Version 1.0 - June 6th, 2016
This advisory is intended to raise awareness among control system owners and operators of PowerFlex 7000 medium voltage drives. A January 2016 presentation at the S4 ICS Security Conference highlighted a potential weakness in variable frequency drives that allows unauthorized users to change configuration parameters in these devices. The presentation highlighted products from four vendors, including Rockwell Automation, and spawned several news articles, including one entitled "An Easy Way for Hackers to Remotely Burn Industrial Motors" from WIRED Magazine. The article reminds us that cybersecurity threats are present and not always easy to anticipate. Unfortunately, neither the article's author, Kim Zetter, nor her source, Reid Wightman, had contacted Rockwell Automation at the time of writing with any specific information, so we can only try to guess how their statements apply to our drives.
The article implies that all of the drives it references can be easily accessed and offer an easy means to change parameters in ways that could result in motor damage. It overlooks the many self-monitoring features built into modern drives: they prevent changes to parameters while the drive is running, detect improper operation, and monitor external sensors on equipment such as motors that are exceeding design parameters.
Variable frequency drives, by their nature, are designed to support a wide variety of applications and it is possible that the improper setting of a parameter or parameters can create application issues. Rockwell Automation is aware of this and constantly looks for ways to eliminate these situations or, where the possibility is created by a customer need, alert the user to the problem with a fault or error message before it causes potential damage.
RISK MITIGATIONS
Below are recommended mitigations and resources to help protect your deployed Rockwell Automation products, including variable frequency drives. We strongly recommend that you evaluate your current products and environment, and apply the following mitigations where applicable.
- Review and employ the recommendations in the Converged Plantwide Ethernet Design and Installation Guide (DIG). It contains important information relating to proper network design practices, including aspects of security capabilities available through the network infrastructure.
- Consider using Rockwell Automation’s FactoryTalk AssetCentre. Version 6.0 offers compatibility with drives. AssetCentre can be configured to automatically backup your configuration, and compare it to a known good version, and log any changes into FactoryTalk Audit.
- Use trusted software, software patches, and anti-virus / anti-malware programs and interact only with trusted web sites and attachments.
- Employ training and awareness programs to educate users of the warning signs of a phishing or social engineering attack.
- Minimize network exposure for all control system devices and/or systems, and ensure that Internet access is carefully evaluated, protected, and controlled.
- Locate control system networks and devices behind firewalls, and use proper techniques to isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
- Subscribe to Rockwell Automation’s Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to the most up-to-date information about security matters that affect Rockwell Automation products.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
Description
Version 1.8 - October 1, 2018
Version 1.7 - February 14, 2018
Version 1.6 - February 6, 2018
Version 1.5 - February 2, 2018
Version 1.4 - January 26, 2018
Version 1.3 - January 23, 2018
Version 1.2 - January 18, 2018
Version 1.1 - January 10, 2018
Version 1.0 - January 8, 2018
On January 3, 2018, researchers publicly disclosed a set of hardware vulnerabilities in modern microprocessors, named "Meltdown" and "Spectre". Both abuse speculative execution to let a malicious process read the contents of memory it is not authorized to access, and they affect multiple generations of Central Processing Units (CPUs).
Rockwell Automation is aware of these vulnerabilities and of how they could, if exploited, potentially impact our customers’ environments. Rockwell Automation is diligently working through the process of evaluating how the mitigation techniques will impact the functionality and performance of the Rockwell Automation hardware, software, and pre-engineered products and solutions that incorporate third party microprocessors. Rockwell Automation will continue to provide updated information as soon as reliable performance tests are completed.
AFFECTED PRODUCTS
Rockwell Automation Products
Rockwell Automation is currently investigating its product portfolio in order to identify which of its products may be directly affected by the "Meltdown" and "Spectre" vulnerabilities. Rockwell Automation will continue to monitor this situation, and will update this advisory if necessary.
UPDATE: Oct 01, 2018
Rockwell Automation has released new BIOS for certain Industrial Environment Computers that address the Meltdown and Spectre vulnerabilities. See below for details.
UPDATE: Feb 06, 2018
As of this writing, Rockwell Automation has evaluated many of our product families. Depending on the products’ architectures, effects of the Meltdown and Spectre vulnerabilities may significantly vary. Below is more information on Rockwell Automation’s evaluation.
NOTE: Rockwell Automation may continue to evaluate additional products that we suspect to be affected and will update this advisory accordingly.
I. Rockwell Automation has concluded that the following Active or Active Mature products contain a microprocessor that is affected by the Meltdown and Spectre vulnerabilities. Please see Knowledgebase Article ID 1071234 for detailed information about which Rockwell Automation-qualified Microsoft patches to apply to your products based on the Windows Operating System in use. As BIOS updates become available, Rockwell Automation will continue to update this advisory. The products are as follows:
Product Family | Affected Versions | Bul. # |
6181X Hazardous Location Computers | Series H, All Versions | Bul. 6181X |
6181P Integrated Display Computers | Series F, All Versions | Bul. 6181P |
6177R Non-Display Computers | Series C, All Versions | Bul. 6177R |
VersaView® 5400 Industrial Computers | Series A, All Versions | Bul. 6200P |
VersaView® 5200 ThinManager® Thin Clients | Series A, All Versions | Bul. 6200T |
In addition, Rockwell Automation has also determined the following discontinued products are similarly affected. Customers with discontinued products are encouraged to contact their local distributor or Sales Office to discuss a migration path to Active product lines.
Product Family | Affected Versions | Bul. # |
6181X Hazardous Location Computers | Series E, F, G, All Versions | Bul. 6181X |
6181P Integrated Display Computers | Series A-E, All Versions | Bul. 6181P |
6177R Non-Display Computers (750R & 1450R) | Series A, B, All Versions | Bul. 6177R |
6155R/F Compact Non-Display Computers (200R) | All Versions | Bul. 6155R & Bul. 6155F |
6180P Integrated Display Computer with Keypad (1200P & 1500P) | All Versions | Bul. 6180P |
6180W VersaView Industrial Workstations (1200W & 1500W) | All Versions | Bul. 6180W |
6181F Integrated Display Computer (NDM, 1200P, 1500P, 1700P) | All Versions | Bul. 6181F |
6181H Integrated Display Computer (1500P) | All Versions | Bul. 6181H |
6183H Hazardous Location Computer (1200P) | All Versions | Bul. 6183H |
Please see the Microsoft Patch Qualification section below for additional mitigation strategies.
II. The following products are Active or Active Mature and contain a microprocessor that is affected by the Meltdown and Spectre vulnerabilities. However, as a result of the product architecture, Rockwell Automation has concluded that the Meltdown and Spectre vulnerabilities do not pose a significant risk to these products:
Product Family | Affected Versions | Bul. # |
ControlLogix® 5580 Controllers | All Versions | • 1756-L8 |
5069 CompactLogix™ 5380 Controllers | All Versions | • 5069-L3 |
5069 Compact I/O™ EtherNet/IP Adapters | All Versions | • 5069-AENTR • 5069-AEN2TR |
5069 Compact I/O™ Modules | All Versions | • 5069-Ix • 5069-Ox |
ControlLogix® EtherNet/IP Modules | All Versions | • 1756-EN2F, Series C • 1756-EN2T, Series D • 1756-EN2TP, Series A • 1756-EN2TR, Series C • 1756-EN2TRXT, Series C • 1756-EN2TSC, Series B • 1756-EN2TXT, Series D • 1756-EN2TK, Series D • 1756-EN2TRK, Series C |
FactoryTalk® Analytics for Devices | All Versions | • 6200P-NS3C6 |
FactoryTalk® Historian Machine Edition (ME) Module | All Versions | • 1756-HIST |
PowerFlex® 755T Drive Solutions | All Versions | • Bul. 20G |
Kinetix® 5700 Modules (Single Axis, Double Axis) | All Versions | • 2198-Sxxx • 2198-Dxxx |
PowerFlex® 750 Series EtherNet/IP Option Module - Dual Port | All Versions | • 20-750-ENETR |
PowerFlex® 750 Series Safe Speed Monitor Option Module | All Versions | • 20-750-S1 |
PowerFlex® 527 Compact-Class AC Drives | All Versions | • Bul. 25C |
PowerFlex® 753 Architecture-Class AC Drives | All Versions | • Bul. 20F |
PowerFlex® 7000 Medium Voltage AC Drives | All Versions | • Catalogs 7000, 7000A, 7000L |
PowerFlex® 6000 Medium Voltage AC Drives | All Versions | • Catalogs 6000, 6000U |
PanelView™ 5310 Operator Interface Terminal | All Versions | • 2713P-xx |
PanelView™ Plus 7 Standard | All Versions | • 2711P-XXXXXXXX8S |
PanelView™ 5500 | All Versions | • 2715-xx |
PanelView™ Plus 7 Performance | All Versions | • 2711P-XXXXXXXX9P |
PanelView™ Plus 6 400-600 | All Versions | • 2711P-X*XXX8 and 2711P-X*XXX9 |
PanelView™ Plus 6 Compact 400 and 600 | All Versions | • 2711PC-X4XXXD8 • 2711PC-X6XXXD8 |
MobileView™ | All Versions | • 2711T-B10I1N1 • 2711T-B10R1K1 • 2711T-B10R1M1 • 2711T-F10G1N1 • 2711T-T10G1N1 • 2711T-T10R1N1 |
III. Lastly, Rockwell Automation has concluded that the following products do not contain a microprocessor that is affected by the Meltdown and Spectre vulnerabilities. Therefore these products are not affected by the reported vulnerabilities.
Product Family | Bul. # |
ControlLogix® 5570 Controllers | • 1756-L7 |
GuardLogix® 5570 Controllers | • 1756-L7S |
ControlLogix® 5560 Controllers | • 1756-L6 |
GuardLogix® 5560 Controllers | • 1756-L6S |
ControlLogix® L55 Controllers | • 1756-L55x |
CompactLogix™ 5370 L1, L2, L3 | • 1769-L1 • 1769-L2 • 1769-L3 |
ControlLogix® EtherNet/IP Modules | • 1756-ENBT |
ControlLogix® Web Server Modules | • 1756-EWEB |
1769 CompactLogix™ L23x Controllers | • 1769-L23 |
1769 CompactLogix™ L3x Controllers | • 1769-L31 • 1769-L32 • 1769-L35 |
1768 CompactLogix™ L4x Controllers | • 1768-L4x |
PanelView™ Plus 6 700-1500 | • 2711P-X*XXX8 and 2711P-X*XXX9 (where * is either 7, 10, 12, or 15) |
PanelView™ Plus 6 Compact 1000 | • 2711PC-T10C4D8 |
Kinetix 5500 Servo Drives | • 2198-Hxxx |
Stratix® 8000 Modular Managed Switches | • 1783-MS |
Stratix® 8300 Modular Managed Switches | • 1783-RMS |
Stratix® 5400 Industrial Ethernet Switches | • 1783-HMS |
Stratix® 5410 Industrial Distribution Switches | • 1783-IMS |
Stratix® 5700 Industrial Managed Ethernet Switches | • 1783-BMS |
ArmorStratix™ 5700 Industrial Managed Ethernet Switches for extreme environments | • 1783-ZMS |
Stratix® 2500 Lightly Managed Switches | • 1783-LMS |
Stratix® 5900 Services Router | • 1783-SRKIT |
Stratix® 5950 Security Appliance | • 1783-SAD |
Stratix® 5100 Wireless Access Point/Workgroup Bridge | • 1783-WAP |
PowerFlex® 523 Compact-Class AC Drives | • Bul. 25A |
PowerFlex® 525 Compact-Class AC Drives | • Bul. 25B |
PowerFlex® 4M Compact-Class AC Drives | • Bul. 22F |
PowerFlex® 40 Compact-Class AC Drives | • Bul. 22B |
PowerFlex® 40P Compact-Class AC Drives | • Bul. 22B |
PowerFlex® 400 Compact-Class AC Drives | • Bul. 22C |
PowerFlex® 70 Architecture-Class AC Drives | • Bul. 20A |
PowerFlex® 700 Architecture-Class AC Drives | • Bul. 20B |
PowerFlex® 700L Architecture-Class AC Drives | • Bul. 20L |
PowerFlex® 700S Architecture-Class AC Drives | • Bul. 20D |
ArmorStart® Distributed Motor Controllers | • Bul. 280 • Bul. 281 • Bul. 283 • Bul. 284 |
ArmorStart® LT Distributed Motor Controller | • Bul. 290 • Bul. 291 • Bul. 294 |
ArmorStart® ST Motor Controllers: Safety and Standard Versions | • Bul. 281E • Bul. 284E |
Mega DySC® Three-Phase Voltage Sag Correction System | • Bul. 1608M |
Mini DySC® Single-Phase Voltage Sag Correction | • Bul. 1608N |
ProDySC® Three-Phase Voltage Sag Correction | • Bul. 1608P |
UPDATE: Oct 01, 2018
A new BIOS was released to address the Meltdown and Spectre vulnerabilities that affect these specific series for the following products:
Product Family | Bul. # | Series with new BIOS |
6181X Hazardous Location Computers | Bul. 6181X | Series H, All Versions |
6181P Integrated Display Computers | Bul. 6181P | Series F, All Versions |
6177R Non-Display Computers | Bul. 6177R | Series C, All Versions |
The new BIOS is available for download in the Product Compatibility and Download Center (PCDC). To find the new BIOS, search for each individual catalog number and go to the download page for the corresponding series listed above. Note that there is only one BIOS version available on PCDC under each of these products; this BIOS version that is available is the updated version that addresses the Meltdown and Spectre vulnerabilities.
UPDATE: Jan 10, 2018
Industrial Data Center (IDC)
Rockwell Automation is currently working with its software and hardware partners that make up the E1000, E2000 and E3000 Industrial Data Center (IDC) solution to obtain appropriate patches and updates to address the "Meltdown" and "Spectre" vulnerabilities. Rockwell Automation will continue to monitor this situation and provide updates in Knowledgebase Article ID 1071279. For IDC customers with a monitoring and administration contract, please contact Tech Support for assistance with this issue.
Microsoft Patch Qualification
Microsoft has released guidance for Windows Client and Windows Server Operating Systems. As of this writing, the Rockwell Automation MS Patch Qualification team is currently executing their validation processes on security updates related to the "Meltdown" and "Spectre" vulnerabilities. When these tests have been successfully completed, the test results will be made available through the Rockwell Automation MS Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.
UPDATE: Feb 14, 2018
Rockwell Automation evaluated the performance of FactoryTalk® View Site Edition and FactoryTalk® ViewPoint operations on Windows systems updated with the Microsoft Meltdown and Spectre updates. Many factors affect the performance of systems with these mitigations, including but not limited to the CPU generation, the age of the operating system, and the workload on the system. In addition to the performance data provided below, customers may also find the Microsoft blog post "Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems" helpful, as it provides rough estimates of the performance impact by class of CPU and Windows operating system.
FactoryTalk View SE
Test Environment
Item | Server Details | Client Details |
OS | Windows Server 2008 R2 Standard SP1 | Windows 7 Pro SP1 |
CPU | Intel E5-2699A v4 @ 2.4GHz, 1 socket, 4 CPUs/socket | Intel E5-2699A v4 @ 2.4GHz, 1 socket, 4 CPUs/socket |
RAM | 8GB | 8GB |
Tested Version | 10.00.00.290 | 10.00.00.290 |
Microsoft Patches Installed | KB4056894: January Monthly Roll-up | KB4056894: January Monthly Roll-up |
Test Results
Operating System | Test Case: Display Update Rate | Before Patch: Avg (seconds) | After Patch: Avg (seconds) | Change (%) |
Windows 7 Pro SP1 x64 | Load Display with 3000 numeric values (HMI tags) | 1 | 1.1 | 10.000% |
Windows 7 Pro SP1 x64 | Load Display with 3000 numeric values (Direct Reference tags) | 1.4 | 1.2 | -14.286% |
Windows 7 Pro SP1 x64 | Load Display with 3000 animations | 3 | 4.3 | 43.333% |
Windows 7 Pro SP1 x64 | Download 3000 tags from recipe | 17.9 | 23.5 | 31.285% |
Windows Server 2008 R2 Std | Load Display with 3000 numeric values (HMI tags) | 1.1 | 1.2 | 9.091% |
Windows Server 2008 R2 Std | Load Display with 3000 numeric values (Direct Reference tags) | 1.3 | 1.1 | -15.385% |
Windows Server 2008 R2 Std | Load Display with 3000 animations | 3.3 | 4.4 | 33.333% |
Windows Server 2008 R2 Std | Download 3000 tags from recipe | 18.4 | 17.2 | -6.522% |
FactoryTalk ViewPoint
Test Environment
Item | Server Details | Client Details |
OS | Windows Server 2008 R2 Standard SP1 64-bit | Windows 7 Enterprise SP1 64-bit |
CPU | Intel Xeon CPU E5-1607 v3 @3.10GHz | Intel Core i3-4150 CPU @3.50GHz |
RAM | 8GB | 4GB |
Browser | N/A | Chrome v63.0.3239.84 |
Tested Version | 10.00.00.290 | 10.00.00.290 |
Microsoft Patches Installed | KB4056894: January Monthly Roll-up | KB4056894: January Monthly Roll-up |
Test Results
Test Case | Details | Before Patch: Avg (seconds) | After Patch: Avg (seconds) | Change (%) |
Switching displays, recording loading time for each display | Overview Display | 2.78 | 2.85 | 2.518% |
Switching displays, recording loading time for each display | Image Heavy Display | 3.15 | 3.90 | 23.810% |
Switching displays, recording loading time for each display | Data Heavy Display | 2.18 | 2.51 | 15.138% |
Recording 10,000 recipes downloading and refreshing time | Download 10,000 recipes | 96.54 | 98.96 | 2.507% |
Recording 10,000 recipes downloading and refreshing time | Refresh 10,000 recipes | 18.22 | 17.80 | -2.305% |
Color Animation Blinking Rate (Rate = 1 second) | Blink Rate (actual) | 1.16 | 1.19 | 2.586% |
Color Animation Blinking Rate (Rate = 0.5 second) | Blink Rate (actual) | 0.71 | 0.77 | 8.451% |
Recording time for 2000 Alarm Triggers | Recording Time for 2000 Alarm Triggers | 10.38 | 10.57 | 1.830% |
Rendering time for 1000 Tags | Rendering Time for 1000 Tags | 2.29 | 2.45 | 6.987% |
UPDATE: Feb 2, 2018
Knowledgebase Article ID 1071234 has been updated to include new patches for Windows 10 that have been qualified by the Rockwell Automation MS Patch Qualification team.
UPDATE: Jan 26, 2018
As of January 26, 2018, the Rockwell Automation MS Patch Qualification team has successfully qualified several Microsoft patches related to the "Meltdown" and "Spectre" vulnerabilities. For detailed and useful information about which qualified Microsoft patches to apply based on your Windows Operating System, please see Knowledgebase Article ID 1071234 under "Solution". Rockwell Automation will continue to test Microsoft patches related to "Meltdown" and "Spectre" and will update Knowledgebase Article ID 1071234 accordingly.
Note: Certain Microsoft patches released in early January have been found to cause anomalous behavior in several Rockwell software products, including Studio 5000, FactoryTalk View SE, and RSLinx Classic. If you have been experiencing software issues after installing a Microsoft update for "Meltdown" and "Spectre", or would like to see the list of patches known to cause this behavior, please see Knowledgebase Article ID 1071234.
Additionally, Rockwell Automation recommends:
- Contact your PC/Server vendor for any associated firmware updates that may also be required to further reduce risk.
- Before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to help ensure that there are no unexpected results or side effects.
Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, Knowledgebase Article ID 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring additional updates from both Microsoft and your PC/Server vendor(s).
GENERAL SECURITY GUIDELINES
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at Knowledgebase Article ID 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- Microsoft: ADV180002 Guidance to mitigate speculative execution side-channel vulnerabilities
- Microsoft: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities
- Microsoft: Windows Server guidance to protect against speculative execution side-channel vulnerabilities
- Security Advisory Index, Knowledgebase Article ID 54102
- Microsoft: KB4056897 2018-01 Security-only Update for Windows Server 2008 R2 SP1 and Windows 7 SP1
- Microsoft: KB4056894 2018-01 Monthly Rollup for Windows Server 2008 R2 SP1 and Windows 7 SP1
- Microsoft: KB4057401 2018-01 Preview of Monthly Rollup for Windows 8.1, Windows Server 2012 R2 Standard
- Microsoft: KB4057142 2018-01 Cumulative Update for Windows Server 2016
REVISION HISTORY
Date | Version | Details |
01-Oct-2018 | 1.8 | Update: Patches for Industrial PCs |
14-Feb-2018 | 1.7 | Update: FactoryTalk Software Performance Statistics |
06-Feb-2018 | 1.6 | Update: Affected Hardware Products Listed |
02-Feb-2018 | 1.5 | Update: Windows 10 Patch Qualification Information posted to Article ID 1071234. |
26-Jan-2018 | 1.4 | Update: Moved and clarified location for MS Patch Qualification details (Article ID 1071234). |
23-Jan-2018 | 1.3 | Update: Microsoft Patch Qualification for Windows 8.1, Windows Server 2012 R2 / Windows Server 2012 R2 SP1, and Windows Server 2016. |
18-Jan-2018 | 1.2 | Update: Microsoft Patch Qualification for Windows 7 and Windows Server 2008 R2. |
10-Jan-2018 | 1.1 | Update: Affected Products. |
05-Jan-2018 | 1.0 | Initial release. |
Description
Version 1.1 - September 20, 2018
SUMMARY
This Industrial Security Advisory is intended to raise awareness among control system owners and operators of the increased risk that stems from publicly available web search tools that identify Internet-connected devices. These tools and search utilities can be used for legitimate research purposes; however, they can also be misused by threat actors seeking to gather intelligence about prospective cyber targets.
Rockwell Automation recognizes the potential risk to any device connected in a network that is accessible by unauthorized people, whether the device is isolated within a protected facility or if it is accessible through a remote connection, including the Internet. We are aware that such Internet search tools have the ability to identify Rockwell Automation branded products that are connected, either intentionally or unintentionally by the device owners to the Internet. For this reason, recommendations to mitigate associated risks are provided herein.
BACKGROUND
Web-based tools, including SHODAN and the Every Routable IP Project (ERIPP) provide a means for users to discover information about networked devices that are either knowingly or unknowingly connected to the Internet. Such connected products include, but are not limited to: web servers, routers, webcams, smart phones, VoIP phones, printers and in some cases industrial control products.
The information collected by these search tools about these Internet-facing devices includes device IP addresses and can also include geographic location (i.e. country, city and approximate latitude/longitude), specific product identity information or user-added descriptors that can be learned through device fingerprinting techniques. Some of these tools also provide a means to both search and filter databases for devices that match specific user-defined search criteria.
POTENTIAL RISK to INDUSTRIAL CONTROL DEVICES and SYSTEMS
Many devices cataloged by these search tools have been designed and installed with the full knowledge they are directly connected to the Internet; however, other devices identified by these tools were not intended by the manufacturer, or potentially the device installer to ever carry a direct connection.
As with all networked devices and systems, industrial control systems are at risk of both accidental and potentially malicious attacks. The availability of search tools that simplify the process of locating and identifying devices unintentionally connected to the Internet raises the associated risk to these devices and systems. It is evident from the device information that some of these devices and accompanying systems lack the recommended security protections provided by good security design and infrastructure-level appliances (e.g. firewalls, SIEMs, and intrusion detection systems).
As a consequence, these types of devices and systems may not operate with obscurity and may become exposed to additional unintended risks. Information provided through search tools could aid a curious individual or malicious threat actor in device-tampering activities or even a penetration into the product or connected system in order to facilitate a cyberattack.
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Whether or not Internet-facing industrial control devices are identified by these tools, Rockwell Automation encourages all industrial control system (ICS) owners and operators to follow good security design practices.
These practices must also include careful evaluation and monitoring of all industrial control system connection points to an enterprise system and external remote access connections enabled via modems or direct connections to the Internet.
We recommend concerned customers remain vigilant and continue to follow sound security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest customers apply some of the following recommendations and complement this list with their own best-practices:
- Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.rockwellautomation.com/global/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
- If appropriate for the application, isolate the Industrial Control System network from the Enterprise network and other points of potential remote network access.
- Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
- Employ firewalls with ingress/egress filtering, intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
- Use up-to-date end-point protection software (e.g. antivirus/anti-malware software) on all PC-based assets.
- Make sure that software and control system device firmware is patched to current releases.
- Periodically change passwords in control system components and infrastructure devices.
- Where applicable, set the controller key-switch/mode-switch to RUN mode.
- Enlist additional security expertise by engaging Rockwell Automation’s Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-10-301-01
- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-11-343-01A
REVISION HISTORY
| Date | Version | Details |
| --- | --- | --- |
| 20-SEP-2018 | 1.1 | Updated to fix broken links |
| 18-JUL-2012 | 1.0 | Initial Release |
REVISION HISTORY
| Date | Version | Details |
| --- | --- | --- |
| 30-Jun-2017 | 1.2 | Clarified port information with respect to FT Software products |
| 29-Jun-2017 | 1.1 | Title update |
| 28-Jun-2017 | 1.0 | Initial release |
Introduction
On June 27, 2017, a new malware variant named “Petya” (also known as “NotPetya” or “Nyetya”) began affecting Microsoft Windows personal computers (PCs) around the world. NotPetya is a Petya-inspired malware variant that behaves much like the “WannaCry” malware that surfaced in May 2017: it is a self-propagating "worm" that infects any vulnerable host that has not been patched against the Windows SMBv1 vulnerability. Microsoft patched this vulnerability in March 2017 under security bulletin “MS17-010.”
However, it is worth noting that this malware has some key differences from WannaCry, including how it propagates to other machines and how it attacks the victim’s PC.
As of this writing, there is no known direct impact to Rockwell Automation products from this malware, though all files present on a machine (including files used by Rockwell Automation products) may be encrypted in the event of a successful attack. However, customers who use Rockwell Automation software products may be vulnerable to this attack since most of the Rockwell Automation software products run on Microsoft Windows platforms containing the underlying vulnerability which enables this attack.
Rockwell Automation decided to provide this advisory since customers running Rockwell Automation software on Microsoft Windows may be vulnerable to this attack. Information and links to Microsoft-provided resources are provided below, as well as our qualification report for MS17-010. We are continuing to monitor this situation, and we will update this advisory as we learn more.
Affected Products
According to Microsoft’s MS17-010 Security Bulletin, the following operating systems contain the vulnerability:
- Windows XP
- Windows 7
- Windows 8
- Windows 10
- Windows Server 2003
- Windows Server 2008 R1/R2
- Windows Server 2012
- Windows Server 2016
Note: Both 32-bit and 64-bit versions are vulnerable.
Note: At the time of this writing, and according to Microsoft, no versions of Windows CE are affected.
Vulnerability Details
This malware is similar in many ways to the WannaCry malware that surfaced in May 2017, but it uses different methods for encrypting files and for propagating across the network to infect new machines. Reports suggest that if the Petya malware has administrative privileges, it does not encrypt files individually through a whitelist approach, but instead encrypts the entire filesystem, rendering the machine completely inaccessible. Industrial control system (“ICS”) specific files, which may not have been specifically included in past whitelists, will now also be encrypted along with every other file on the filesystem.
The initial Petya infection comes from opening an infected file attached to an email. Once a machine on a victim’s network is infected, Petya uses multiple mechanisms to propagate through the victim’s network without the user interaction that social engineering-based attacks rely on:
- EternalBlue, the same SMB exploit which allowed WannaCry to propagate.
- Microsoft Windows Management Instrumentation (WMI), using the user’s credentials.
- Microsoft PsExec tool, using the user’s credentials.
Risk Mitigation & User Action
The risk from EternalBlue can be mitigated by applying the updates from MS17-010. The other two attack vectors can be mitigated by blocking the ports those protocols use.
Rockwell Automation strongly recommends that customers review the Microsoft MS17-010 Security Bulletin, evaluate the potential risks, and implement a mitigation plan. Microsoft has provided patches for ALL affected operating systems, including XP and 2003. Rockwell Automation suggests that before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to help ensure that there are no unexpected results or side effects.
The Rockwell Automation Microsoft Patch Qualification team has qualified versions of our products on Windows 7 and Windows Server 2008 R2 with MS17-010 installed. For detailed information on versions tested, visit the Rockwell Automation Microsoft Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.
- For any supported operating systems, use the “Windows Update” feature to download and apply updates.
- For unsupported operating systems, download English language security updates directly; these patches can be loaded onto existing Windows Server Update Services (WSUS) servers to ease large-scale deployments:
  - Windows Server 2003 SP2 x64
  - Windows Server 2003 SP2 x86
  - Windows XP SP2 x64
  - Windows XP SP3 x86
  - Windows XP Embedded SP3 x86
  - Windows 8 x86
  - Windows 8 x64
- For non-English unsupported operating systems, download localized versions for Windows XP, Windows 8 or Windows Server 2003: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
- Alternatively, Microsoft recommends that you disable the SMB service following these instructions: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
  - Note: This may prevent file shares from working in some instances.
- If possible, restrict SMB and WMI traffic from untrusted enterprise networks (with internet connectivity) outside the IDMZ.
  - SMB and WMI utilize ports TCP/135, TCP/139, TCP/445, and TCP/1024-1035.
  - Note: Some FactoryTalk software products require port TCP/135 in order to function properly. Consult Knowledgebase Article 898270 for information on port usage by Rockwell Automation products.
- Establish and execute a proper backup and disaster recovery plan for your organization's assets.
The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 7 and Windows Server 2008 R2 SP1.
However, the Rockwell Automation Microsoft Patch Qualification team has NOT qualified versions of our products with MS17-010 installed on Microsoft operating systems that are End of Life. We consider this patch to be a relatively 'low risk' in impacting Rockwell Automation products and should be applied at your discretion.
Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, subscribing to Knowledgebase Article 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring MS17-010. Be aware that the attack strategies can change as defenses are built up, and further action may be required.
General Security Guidelines
- Refer to Knowledgebase Article 546987 for Rockwell Automation recommended customer hardening guidelines, including information about compatibility between antivirus software and Rockwell Automation products. For a list of Rockwell Automation tested antivirus software, refer to Knowledgebase Article 35330.
- Use of Microsoft AppLocker® or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
- Run all software as User, not as Administrator.
- Use trusted software and software patches that are obtained only from highly reputable sources.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Locate control system networks and devices behind firewalls, and isolate them from the business network, helping to make sure that messages with mismatched IP and interface origination do not reach the target system.
- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- When remote access is required, use secure methods, such as Virtual Private Networks (“VPNs”), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
Version 1.1 - May 18, 2017
Introduction
On May 10, 2017, a new ransomware attack called "WannaCry" (also known as "WannaCrypt"), began affecting Microsoft Windows personal computers ("PCs") around the world. The ransomware is a self-propagating "worm" that infects any vulnerable host that has not patched the SMBv1 Windows vulnerability. This vulnerability was patched in March 2017 by Microsoft and has been named "MS17-010", which is included in the monthly Microsoft roll-ups: "MS17-006".
Unlike previous ransomware variants that require social engineering ("phishing"), WannaCry takes advantage of a publicly known vulnerability in Microsoft Windows, which allows it to spread quickly throughout a network and infect additional hosts with no user interaction.
As of this writing, there is no known direct impact to Rockwell Automation products from this ransomware. However, customers who use Rockwell Automation software products may be vulnerable to this attack since this software runs on Microsoft Windows platforms containing the underlying vulnerability which enables this attack.
Ransomware is a class of malware that aims to extort money from the victim by restricting access to resources on the computer, and then demands a monetary payment in order to remove the restrictions. The most common type is ransomware that will encrypt important files on an infected computer, rendering the files unusable without paying a ransom. Other types may restrict access to operating system functions or specific applications. Typically, the user must pay a ransom (in some form of untraceable currency), and must do so before the deadline expires and the decryption key is destroyed.
Rockwell Automation decided to provide this advisory since customers running Rockwell Automation software on Microsoft Windows are likely vulnerable to this attack. Information and links to Microsoft-provided resources are provided below, as well as our qualification report for MS17-010. We are continuing to monitor this situation, and we will update this advisory as we learn more.
Affected Products
According to Microsoft's MS17-010 Security Bulletin, the following operating systems contain the vulnerability:
- Windows XP
- Windows 7
- Windows 8
- Windows 10
- Windows Server 2003
- Windows Server 2008 R1/R2
- Windows Server 2012
- Windows Server 2016
Note: Both 32-bit and 64-bit versions are vulnerable.
At the time of this writing, and according to Microsoft, no versions of Windows CE are affected by these vulnerabilities.
Vulnerability Details
According to Microsoft's MS17-010 Security Bulletin:
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
Risk Mitigation & User Action
Rockwell Automation strongly recommends that customers review the Microsoft MS17-010 Security Bulletin, evaluate the risks, and implement a mitigation plan. Microsoft has provided patches for ALL affected operating systems, including XP and 2003. Rockwell Automation suggests that before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to ensure that there are no unexpected results or side effects.
The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 8.1, Windows 7 SP1, and Windows Server 2008 R2 SP1. For detailed information on versions tested, visit the Rockwell Automation MS Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.
1.) For any supported operating systems, utilize the "Windows Update" feature to download and apply updates.
2.) For unsupported operating systems, download English language security updates directly:
3.) For non-English unsupported operating systems, download localized versions for Windows XP, Windows 8 or Windows Server 2003: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
4.) Alternatively, Microsoft recommends that you disable the SMB service following these instructions: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
Note: This will prevent file shares from working in some instances.
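The workarounds in steps 1 through 4 above, combined with the port list given in the NotPetya advisory earlier on this page (TCP/135, TCP/139, TCP/445 and TCP/1024-1035, with TCP/135 still needed by some FactoryTalk products), as an added PowerShell example. This is not code from the Rockwell advisory or from Microsoft; it assumes Windows 8 / Windows Server 2012 or later for the SmbShare and NetSecurity cmdlets, and the enterprise subnet 10.10.0.0/16 and the FactoryTalk host range 192.168.50.10-192.168.50.20 are placeholders to be replaced with your own addresses.

```powershell
# Added example (not part of the Rockwell advisory): report and apply the
# MS17-010 workarounds on one Windows host. Run from an elevated prompt and
# verify on a non-production system first, as the advisory recommends.
#
# Placeholders (assumptions, replace with your own values):
$EnterpriseSubnet = '10.10.0.0/16'                   # untrusted side of the IDMZ
$FactoryTalkHosts = '192.168.50.10-192.168.50.20'   # hosts that still need TCP/135

# 1. Report whether the SMBv1 server protocol (the one EternalBlue targets) is
#    still enabled. On Windows 7 / Server 2008 R2 the SmbShare cmdlets do not
#    exist, so fall back to the registry method from the Microsoft article
#    linked in the advisory (KB 2696547).
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Write-Host "SMBv1 server protocol enabled: $smb1"
    if ($smb1) {
        # 2. Disable SMBv1. Clients that only speak SMBv1 will lose file shares.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
} else {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWORD -Value 0 -Force   # takes effect after a restart
}

# 3. Block the SMB/WMI ports named in the advisory from the enterprise subnet.
#    Port ranges are accepted as 'low-high' strings.
$blockedPorts = @('135', '139', '445', '1024-1035')
New-NetFirewallRule -DisplayName 'Block SMB/WMI from enterprise network' `
    -Direction Inbound -Protocol TCP -LocalPort $blockedPorts `
    -RemoteAddress $EnterpriseSubnet -Action Block -Profile Any | Out-Null

# 4. Keep TCP/135 (RPC endpoint mapper) reachable for the FactoryTalk hosts
#    that need it (see Knowledgebase Article 898270 for product port usage).
#    These hosts must lie OUTSIDE $EnterpriseSubnet: Windows Firewall evaluates
#    block rules before allow rules, so an allow rule cannot punch through a
#    block rule that also matches the same source.
New-NetFirewallRule -DisplayName 'Allow TCP/135 from FactoryTalk hosts' `
    -Direction Inbound -Protocol TCP -LocalPort 135 `
    -RemoteAddress $FactoryTalkHosts -Action Allow -Profile Any | Out-Null

# 5. Show the resulting port filters so the change can be reviewed.
Get-NetFirewallRule -DisplayName 'Block SMB/WMI*', 'Allow TCP/135*' |
    Get-NetFirewallPortFilter | Format-Table -AutoSize
```

The allow rule in step 4 only matters when the profile's default inbound action is Block; its real purpose is to document the exception. Because block rules win in Windows Firewall, the FactoryTalk hosts must not fall inside the blocked remote address range, which is why the two placeholders above are on different networks. Restrict the traffic at the IDMZ firewall as well rather than relying on host rules alone.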
The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 7 and Windows Server 2008 R2 SP1.
The Rockwell Automation MS Patch Qualification team has not qualified versions of our products with MS17-010 installed on Microsoft operating systems that are End-of-Life. We consider this patch to be a relatively 'low risk' in impacting Rockwell Automation products and should be applied at your discretion.
In addition, Cisco Talos has released IPS/IDS Snort rules to detect and defend against WannaCry. See their blog post for additional information.
Lastly, we recommend customers continue to monitor the situation by monitoring this advisory, subscribing to Knowledgebase Article 35530 for updates to Microsoft Patch Qualifications Reports, and by monitoring MS17-010. Be aware that the attack strategies can change as defenses are built up, and further action may be required.
General Security Guidelines
1.) Refer to Knowledgebase Article 546987 for Rockwell Automation recommended customer hardening guidelines, including information about compatibility between antivirus software and Rockwell Automation products. For a list of Rockwell Automation tested antivirus software, refer to Knowledgebase Article 35330.
2.) Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
3.) Run all software as User, not as Administrator.
4.) Use trusted software and software patches that are obtained only from highly reputable sources.
5.) Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
6.) Locate control system networks and devices behind firewalls, and isolate them from the business network, helping to make sure that messages with mismatched IP and interface origination do not reach the target system.
7.) Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
8.) When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
Introduction
Version 1.0 - April 4, 2017
Cisco Systems, Inc. ("Cisco") has reported that several vulnerabilities exist in versions of the Stratix® 5900 Services Router software. The Stratix 5900 Services Router is capable of providing bridging, multi-protocol routing, and remote access services in industrial control systems.
Customers using affected versions of this software are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.
AFFECTED PRODUCTS
Stratix 5900, All Versions prior to 15.6.3
VULNERABILITY DETAILS
Rockwell Automation evaluated the vulnerabilities using the Common Vulnerability Scoring System ("CVSS") v3.0.
Security Advisories that Affect this Release
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Rockwell Automation has provided firmware version v15.6.3 as remediation for these vulnerabilities.
| Product Name | Catalog Number | Suggested Actions |
| --- | --- | --- |
| Stratix 5900 Services Router | 1783-SRKIT | Update to v15.6.3 (Download) |
Customers using affected products are encouraged to update to this latest version, which addresses the associated risk and includes added improvements to further harden the software and enhance its resilience against similar malicious attacks.
Customers who are unable to update their software are directed toward risk mitigation strategies provided below.
Where feasible, it is recommended to use the additional precautions and risk mitigation strategies listed below. When possible, multiple strategies should be employed simultaneously. Please click "Subscribe for Updates" in the upper right corner if you would like an email notification when this advisory is updated.
GENERAL SECURITY GUIDELINES
1. Help minimize any unnecessary network exposure by assessing all control system devices and/or systems, and confirm that firmware is kept up to date.
2. Use proper network infrastructure controls, such as firewalls. As an extension to this approach, the Allen-Bradley® Stratix 5950 Industrial Network Security Appliance offers an Intrusion Detection and Intrusion Prevention System (IDS/IPS) and Deep Packet Inspection (DPI) of the Common Industrial Protocol (CIP). With the introduction of this new product, Rockwell Automation can offer customers an intrusion detection system that provides real-time visibility in the event that a vulnerability is being exploited. The Stratix 5950 Security Appliance uses Cisco FirePOWER™ technology, which allows created rules to be processed by Cisco TALOS for a variety of known security issues. Once configured with rules, the FirePOWER engine inspects the contents of every packet, looking for data points that correspond to one or more rules. Packets that match these signatures can be either logged (IDS) or blocked (IPS).
For further information on Rockwell Automation’s Vulnerability Handling process, please refer to our FAQs document.
For additional information on deploying the Stratix 5950, please see our Deploying Industrial Firewalls within a CPwE Architecture Guide.
Refer to http://www.rockwellautomation.com/rockwellautomation/products-technologies/network-technology/architectures.page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to http://www.rockwellautomation.com/global/services/network-services/overview.page for information on Rockwell Automation network and security services to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory with the Rockwell Automation Security Advisory Index at https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html, and the company public security webpage at http://www.rockwellautomation.com/security for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
ADDITIONAL LINKS
Security Advisory Index, Knowledgebase article KB:54102
Industrial Firewalls within a CPwE Architecture
Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
Introduction
September 17, 2015 - Version 1.0
On August 11, 2015, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley MicroLogix 1400 product family. The researcher previously disclosed this information at the DEFCON 23 conference on August 8, 2015. The researcher publicly disclosed details relating to this vulnerability, including the existence of exploit code. However, at the time of publication, no known exploit code relating to this vulnerability has been released to the public. ICS-CERT published an alert (ICS-ALERT-15-225-02A) to cover this vulnerability.
As part of this process, Rockwell Automation expanded the scope of its evaluation beyond the MicroLogix platform in order to determine if this same threat-vector has the potential to affect other Rockwell Automation product platforms. Rockwell Automation has also reproduced the vulnerability in the MicroLogix 1400, and further discovered and reproduced the vulnerability in the MicroLogix 1100 product family. Due to the breadth of platforms potentially affected, Rockwell Automation has been conducting thorough evaluations to ensure completeness in its risk assessment and mitigation process.
Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.
AFFECTED PRODUCTS
- 1766-L32BWA, 1766-L32AWA, 1766-L32BXB, 1766-L32BWAA, 1766-L32AWAA, 1766-L32BXBA, Version 15.002 and earlier.
- 1763-L16AWA, 1763-L16BWA, 1763-L16BBB, 1763-L16DWD, Version 14.000 and earlier.
Rockwell Automation will resolve this vulnerability in the next minor revision of product firmware, currently expected to be available in the October 2015 timeframe. This advisory will be updated to provide upgrade information when it is available.
VULNERABILITY DETAILS
The vulnerability in the MicroLogix’s webserver allows an attacker to inject arbitrary web content into an unsuspecting user’s web browser by using a built-in feature to "redirect" outside web content into the product’s web pages. This outside web content could contain malicious content that would target the web browser when the content is rendered. The impact to the user’s automation system would be highly dependent on both the type of web exploits included in this attack and the mitigations that the user may already employ. The target of this type of attack is not the MicroLogix itself. Instead, the MicroLogix is used as a vehicle to deliver an attack to a device running a web browser.
A successful attack would not compromise the integrity of the device or allow access to confidential information contained on it. On rare occasions the availability of the device may be affected if used in a large-scale phishing campaign. Vulnerable devices would effectively be a trusted host, used to unknowingly deliver potentially malicious content because of this vulnerability.
RISK MITIGATIONS
- Use trusted software, software patches, antivirus/antimalware programs and interact only with trusted web sites and attachments.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
- Subscribe to our Security Advisory Index, Knowledgebase article KB:54102 (https://www.rockwellautomation.com/en-us/company/about-us/sustainability/trust-security/security-advisories.html), so you have access to our most up-to-date information about security matters that affect Rockwell Automation products.
KCS Status
Introduction
Description
Released: October 26, 2012
Updated: August 2, 2013 <Update A>
On September 14, 2012, the Rockwell Automation Security Taskforce was notified by ICS-CERT of a vulnerability discovered by a security researcher in the Allen-Bradley MicroLogix 1400 controller platform. The researcher has discussed the vulnerability, including the existence of exploit code, at various training events. At this time, however, no exploit code for this vulnerability is known to have been released to the public.
On October 2, 2012, because insufficient details had been shared through ICS-CERT, Rockwell Automation independently initiated and has since maintained direct contact with the researcher to obtain the pertinent facts relating to this matter. We continue to work with the researcher directly and keep him apprised of the expanded scope of impact from his initial findings.
As a matter of course, Rockwell Automation expanded the scope of this evaluation beyond the MicroLogix 1400 platform in order to determine whether this same threat vector has the potential to impact other A-B controller platforms. Rockwell Automation has reproduced the vulnerability. Due to the breadth of platforms potentially affected, we have been conducting thorough evaluations to ensure completeness in our risk assessment and mitigation process.
Details relating to this vulnerability, the known affected platforms and recommended countermeasures are contained herein.
AFFECTED PLATFORMS
Rockwell Automation has determined the following A-B products are affected by this vulnerability:
- MicroLogix 1100 controller
- MicroLogix 1200 controller (all versions prior to 13.000)
- MicroLogix 1400 controller
- MicroLogix 1500 controller (all versions prior to 13.000)
- SLC 500 controller platform
- PLC5 controller platform
VULNERABILITY DETAILS
MicroLogix Controller Platform
The vulnerability in the MicroLogix controller platform is due to inadequate write protection on the controller's Status file.
The MicroLogix controller is susceptible to a remotely exploitable Denial of Service (DoS) attack if it receives certain messages that change specific status bits in the controller's Status file. Under these specific conditions the attack succeeds regardless of the controller's mode switch setting. A successful attack causes the controller to stop executing its logic and enter a fault state. Recovering from this fault state requires the controller's operating mode selector to be switched by hand, so physical access to the controller is needed to restore operation.
SLC 500 Controller Platform
The vulnerability in the SLC 500 controller platform exists when the controller's Status file property is not set to "Static," which leaves the file contents writable.
When the SLC 500's Status file is not configured as "Static," the SLC 500 controller is susceptible to a remotely exploitable Denial of Service (DoS) attack if it receives certain messages that change specific bits in its Status file. Under these specific conditions the attack succeeds regardless of the controller's mode switch setting. A successful attack causes the controller to stop executing its logic and enter a fault state. Recovering from this fault state requires the controller's operating mode selector to be switched by hand, so physical access to the controller is needed to restore operation.
PLC5 Controller Platform
The vulnerability in the PLC5 controller platform exists when the controller's "Passwords and Privileges" feature is disabled.
When the Passwords and Privileges feature of the PLC5 controller is not enabled, the PLC5 controller is susceptible to a remotely exploitable Denial of Service (DoS) attack if it receives certain messages that change specific bits in its Status file. Under these specific conditions the attack succeeds regardless of the controller's mode switch setting. A successful attack causes the controller to stop executing its logic and enter a fault state. Recovering from this fault state requires the controller's operating mode selector to be switched by hand, so physical access to the controller is needed to restore operation.
RISK MITIGATIONS
MicroLogix Controller Platform
<Begin Update A>
Product | Recommended Action
MicroLogix 1100 controller | Upgrade product firmware to release 13.000 or greater: http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html
MicroLogix 1200 controller | Upgrade product firmware to release 13.000 or greater: http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html
MicroLogix 1400 controller | Upgrade product firmware to release 14.000 or greater: http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html
MicroLogix 1500 controller | Upgrade product firmware to release 13.000 or greater: http://www.ab.com/linked/programmablecontrol/plc/micrologix/downloads.html
<End Update A>
In addition to the above product-level mitigations, Rockwell Automation recommends the following mitigation strategies to help reduce the likelihood of compromise and the associated security risk. When possible, multiple strategies should be employed simultaneously:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Employ firewalls with ingress/egress filtering and intrusion detection/prevention systems, and validate all configurations. Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
3. Block all traffic to EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP ports 2222 and 44818 using appropriate security technology (e.g. a firewall, UTM device, or other security appliance).
4. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
5. Enlist additional security expertise by engaging Rockwell Automation's Network & Security Services team for specialized, consultative services. For more detail visit http://www.rockwellautomation.com/services/security/
We will communicate additional mitigation strategies to our concerned customers should more direct product-level mitigations be developed that can further reduce associated risk from this vulnerability.
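To turn the Update A table into a repeatable check, the following Python script (an added example, not Rockwell Automation software) compares a controller inventory against the minimum fixed firmware release for each MicroLogix platform. The inventory records, controller names and the "major.minor" release-string format are assumptions for the example; releases are compared numerically field by field, since a plain string comparison would sort 9.000 after 13.000.

```python
# Added example (not Rockwell Automation code): check a controller inventory
# against the minimum fixed firmware releases in the Update A table above.
# Inventory records and controller names are constructed for illustration.
from typing import List, Optional, Tuple

# Minimum fixed firmware release per platform, taken from the Update A table.
FIXED_RELEASE = {
    "MicroLogix 1100": "13.000",
    "MicroLogix 1200": "13.000",
    "MicroLogix 1400": "14.000",
    "MicroLogix 1500": "13.000",
}


def parse_release(version: str) -> Tuple[int, int]:
    """Parse a 'major.minor' firmware string such as '13.000' or '15.002'.

    Each field is compared as an integer: '9.000' < '13.000' even though
    the string '9' sorts after '1'.
    """
    major, minor = version.strip().split(".")
    return int(major), int(minor)


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if the firmware is below the fixed release, False if at or above it,
    None if the product is not in the table (SLC 500 and PLC5 are mitigated by
    configuration rather than firmware, so the script does not guess for them)."""
    fixed = FIXED_RELEASE.get(product)
    if fixed is None:
        return None
    return parse_release(version) < parse_release(fixed)


def audit(inventory: List[dict]) -> List[dict]:
    """Return the inventory records that still need a firmware upgrade."""
    return [rec for rec in inventory
            if is_vulnerable(rec["product"], rec["version"])]


# Constructed sample inventory, as it might be exported from an asset list.
SAMPLE_INVENTORY = [
    {"name": "PLC-Line1", "product": "MicroLogix 1400", "version": "13.000"},
    {"name": "PLC-Line2", "product": "MicroLogix 1400", "version": "14.000"},
    {"name": "PLC-Pack1", "product": "MicroLogix 1100", "version": "9.000"},
    {"name": "PLC-Util1", "product": "MicroLogix 1500", "version": "13.001"},
    {"name": "PLC-Old1",  "product": "SLC 500",         "version": "unknown"},
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_INVENTORY):
        print(f"{rec['name']}: {rec['product']} {rec['version']} "
              f"-> upgrade to {FIXED_RELEASE[rec['product']]} or later")
```

The thresholds reflect this advisory as of Update A. The separate web server advisory earlier on this page lists later MicroLogix 1100 and 1400 releases as affected by a different issue, so the table should be maintained from the current advisory index rather than treated as final.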
SLC 500 Controller Platform
Remote attempts to write data to the SLC 500 platform's Status file are ignored and discarded when the controller's Status file properties are set to "Static" in RSLogix 500 software.
Rockwell Automation recommends, where possible, that the Status file "Static" setting be enabled to reduce the likelihood of successful exploitation of the vulnerability. The "Static" file property is configured on the Status File Properties page of RSLogix 500 software. Because this protection is a configuration setting rather than a firmware change, verify that it is present in every SLC 500 project, not only on the controllers that have already been checked.
PLC5 Controller Platform
Remote attempts to write data to the PLC5 platform's Status file are ignored and discarded when the controller's "Passwords and Privileges" feature is enabled and configured via RSLogix 5 software.
Rockwell Automation recommends, where possible, that the Passwords and Privileges feature be enabled to reduce the likelihood of successful exploitation of the vulnerability. As with the SLC 500 setting, this is a per-controller configuration, so confirm it on each PLC5 rather than assuming it is in place.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security
April 2, 2013 - version 1.0
Rockwell Automation has become aware of a weak password protection implementation affecting Allen-Bradley brand Stratix™ managed Ethernet switch firmware. This weakness affects Stratix 5700, 8000 and 8300 managed switches products that contain particular versions of IOS® firmware that employ a Type 4 (SHA256) cryptographic password hash algorithm.
Due to an implementation issue in the affected IOS versions, a user-provided password hashed with the IOS Type 4 algorithm is less resilient to brute-force attack than a Type 5 hashed password of equivalent complexity: as described in the Cisco response linked below, the Type 4 implementation computes a single unsalted SHA-256 over the password rather than the salted, iterated derivation that was intended. An attacker who obtains the hash, for example from a configuration backup or a copied running configuration, can therefore test candidate passwords at the cost of one hash each, and successful recovery of the password can lead to unauthorized access to the product.
To date, we are not aware of any known cases of successful exploitation of this vulnerability in Stratix 5700, 8000 or 8300 products. Furthermore, we are not aware of publicly available proof of concept exploit code.
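The following Python script is an added illustration of the weakness, not Cisco or Rockwell Automation code. It assumes the commonly documented Type 4 format (a single SHA-256 of the password, base64-encoded with the crypt-style alphabet and no padding) and contrasts it with a salted, iterated PBKDF2-HMAC-SHA256 derivation; the wordlist and passwords are constructed. The point does not depend on the encoding details: with no salt and one iteration, one SHA-256 per candidate recovers the password from any captured configuration, and a precomputed table of candidate hashes works against every device.

```python
# Added example (not Cisco or Rockwell Automation code): why an unsalted,
# single-iteration SHA-256 password hash is weak compared with a salted,
# iterated one. The Type 4 encoding (SHA-256 of the password, base64 with
# the crypt-style alphabet, no padding) is assumed from public descriptions
# of the format; the comparison below holds regardless of the encoding.
import base64
import hashlib
import os
from typing import Iterable, Optional

CRYPT_ALPHABET = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TRANSLATE = bytes.maketrans(STD_ALPHABET, CRYPT_ALPHABET)


def type4_hash(password: str) -> str:
    """Single unsalted SHA-256 over the password: the same password always
    yields the same 43-character string, on every switch."""
    digest = hashlib.sha256(password.encode()).digest()
    return base64.b64encode(digest).rstrip(b"=").translate(TRANSLATE).decode()


def crack_type4(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: one SHA-256 per candidate. Because there is no salt,
    a table of candidate -> hash computed once is reusable against every device."""
    for candidate in wordlist:
        if type4_hash(candidate) == target:
            return candidate
    return None


def salted_iterated_hash(password: str, salt: bytes, iterations: int = 1000) -> str:
    """PBKDF2-HMAC-SHA256: the per-device salt defeats precomputed tables and
    the iteration count multiplies the attacker's work for every candidate."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()


# Constructed wordlist standing in for a real password dictionary.
WORDLIST = ["admin", "cisco", "stratix", "Industrial!2013", "password"]

if __name__ == "__main__":
    h = type4_hash("Industrial!2013")
    print("type 4:", h, "recovered:", crack_type4(h, WORDLIST))
    s1 = salted_iterated_hash("Industrial!2013", os.urandom(10))
    s2 = salted_iterated_hash("Industrial!2013", os.urandom(10))
    print("same password, different salts, different hashes:", s1 != s2)
```

The practical consequence for an operator is that a Type 4 hash is only as strong as the password behind it, so the password-management items under RISK MITIGATION below matter more on affected firmware than they would with a properly salted and iterated hash.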
AFFECTED PRODUCTS
The following Stratix managed Ethernet switches are affected:
- Stratix 5700 firmware release 15.0(1)EY1. This firmware ships on all Stratix 5700 catalog items.
- Stratix 8000 firmware release 15.0(2)SEIES, known as release 7 and released in January 2013. This firmware has never shipped pre-installed on the Stratix 8000; it would be present only if it was intentionally downloaded to the hardware after initial shipment.
- Stratix 8300 firmware release 15.0(2)SEIES, known as release 7 and released in January 2013. This firmware has never shipped pre-installed on the Stratix 8300; it would be present only if it was intentionally downloaded to the hardware after initial shipment.
To determine whether a Stratix 8000 or Stratix 8300 is running the above firmware, check the software field on the dashboard of Device Manager, the IOS Release field on the switch status tab in the RSLogix 5000 Stratix Add-on Profile, or the output of the IOS "show version" command.
RISK MITIGATION
For details and recommended action to mitigate this security vulnerability in products that contain the affected IOS, go to the following Cisco web site.
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4
In addition to the above, we recommend concerned customers remain vigilant and continue to follow security strategies that help reduce risk and enhance overall control system security. Where possible, we suggest you apply multiple recommendations and complement this list with your own best-practices:
- Where feasible, use a unique and complex password for products so as to help reduce the risk that multiple products could be compromised as a result of a single password becoming learned.
- Where feasible, adopt password management practices to periodically change product passwords to help mitigate risk for passwords to remain usable for an extended period of time.
- Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
- Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
- Evaluate firewall configurations to ensure other appropriate inbound and outbound traffic is blocked.
We also recommend concerned customers continue to monitor this advisory, Rockwell Automation’s Security Advisory Index (AID:54102) and www.rockwellautomation.com/security for new and relevant information relating to this matter.
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security
November 29, 2012 - version 1.0
On November 25, 2012, Exodus Intelligence, Inc. (Exodus) disclosed a limited amount of information relating to purported vulnerabilities in some Rockwell Automation products. In addition, they identified associated risks relating to third-party software that is included with the Rockwell Automation product installation. As a result of this information disclosure, Rockwell Automation’s Security Taskforce independently reached out to Exodus to request greater details to help us validate these claims and assess risk so we could rapidly establish a responsible risk mitigation strategy for our customers.
On November 28, 2012, Exodus provided greater details of their findings directly to Rockwell Automation. This included specific information about affected products, product versions and also proof-of-concept exploitation code that demonstrates the particular product weaknesses. With our receipt of this information, Rockwell Automation launched a detailed technical evaluation of the claims and we further expanded our preparations to support our customers in risk remediation activities, if such actions should become necessary.
As a result of Rockwell Automation’s technical evaluations, the vulnerability claims made by Exodus have been validated and verified to affect an older version of a component of the Rockwell Automation FactoryTalk services platform. The particular affected component had been previously identified and has since evolved to already remove any risk associated with Exodus’ findings.
Rockwell Automation’s Security Taskforce evaluations specifically determined:
- One vulnerability identified by Exodus was a re-discovery of a previously known anomaly in a component version of a software service. Rockwell Automation addressed this vulnerability via a software patch first issued on October 4, 2011. In addition to releasing the patch, specific process improvement steps were put in place to remove the risk of re-introducing the anomaly in subsequent product releases.
- A second vulnerability identified by Exodus had already been internally identified and isolated by Rockwell Automation as a result of our ongoing code review processes within our Security Development Lifecycle (SDL). This vulnerability was similarly addressed in the same above product patch issued on October 4, 2011. Similar process improvement steps were put in place at that time to avoid potential to carry the anomaly forward in newer software releases.
For specifics relating to the publicized vulnerabilities and resulting patch, refer to: https://rockwellautomation.custhelp.com/app/answers/detail/a_id/456144
- Exodus’ observation is accurate that Rockwell Automation software installations sometimes include third-party content such as Adobe® Reader. Such software is often included as a convenience for customers who may lack immediate access to the Internet to obtain a PDF viewer necessary to read certain electronic documentation included with our products.
In July 2008, at the time of the particular Rockwell Automation RSLogix 5000 product release evaluated by Exodus, Adobe® Reader Version 8 was a current version of PDF reader software. Since our initial product release, our subsequent software releases and master installation files have undergone numerous incremental and major revisions. These incremental product releases lead to the ongoing creation of newer software master installs which, where possible include more-current third-party content such as Adobe Reader. A customer who acquires today the particular 2008 release of RSLogix 5000 software from Rockwell Automation receives a software installation that includes more contemporary versions of third-party content, e.g. Adobe Reader X (Version 10).
We continue to encourage all customers to be proactive and stay current where possible with software patches and new product releases for all software used in their control systems.
CONTINUOUS IMPROVEMENT AND MATURITY MODEL
Rockwell Automation shares in the same concerns as our customers, product users, security research community and the public at large with regard to the industrial control system security.
- We continue to make significant investment in our product development and testing processes and also provide relevant product and system security features to our customers to help protect assets, information and operational integrity.
- Our internal Security Development Lifecycle (SDL) continues to mature and demonstrate tangible value to help proactively address potential product and system design weaknesses.
- We parallel our product security developments, testing and overall SDL investments with added lessons learned from our formal approach to product security Threat Management and Incident Response.
These combined efforts and others result in a maturity model that allows continuous improvement of our contemporary solutions and measurably enhances product and system security. Where technically feasible, some of these same improvements are also made available for many legacy products and systems.
ADDED RECOMMENDATIONS FOR RISK MITIGATION
Rockwell Automation advocates that all industrial control system asset owners invest to assess security risks in their automation systems and take appropriate measures to reduce known risks to an acceptable level. A balance of both technical and non-technical measures comprises a successful Security Program, therefore risk-reducing compensating controls should include a combination of careful product selection, network and infrastructure design and installation, maintenance and upgrade planning and consistent personnel training complemented by structured policies and procedures for employees to follow.
In particular, keeping software and hardware products and system components up to date remains a key imperative to help maintain and enhance the security posture of industrial control systems. The following links provide basic foundational information on security best practices proven suitable for all control systems:
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security
September 13, 2011 - version 1.0
This advisory has been replaced with AID# 456144
On September 13, 2011, Rockwell Automation was made aware of a potential vulnerability in RSLogix 5000 software that if successfully exploited, may result in a Denial of Service condition.
We are in the process of validating the potential vulnerability in order to determine possible risk, scope, impacts, and exposure to our customers if it is confirmed.
Based on the outcome of our ongoing investigation, if the vulnerability is confirmed, we will communicate a recommended mitigation strategy to our concerned customers as soon as possible.
Until a specific mitigation strategy is made available, we recommend concerned customers remain vigilant and continue to apply the following security strategies that help reduce risk and enhance overall control system security:
1. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
2. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
June 15, 2011 - Version 1.0
Rockwell Automation has identified a security vulnerability in the firmware upgrade process employed by the ControlLogix 1756-EWEB Series A Enhanced Web Server Module (the "Product"). Details of this vulnerability are as follows:
The potential exists for the Product to accept an altered or corrupted firmware image during its upgrade process that may render the Product inoperable or change its otherwise normal operation.
The results from an attacker’s successful exploitation of this vulnerability could include Denial of Service (DoS) to the Product, loss of Product availability and disruption to both Product and system operation. In an extreme case, successful exploitation could result in a potential misrepresentation of data or a repurposing of the Product for other malicious activities.
To help reduce the likelihood of exploitation and associated security risk, Rockwell Automation recommends the following mitigation strategies. When possible, multiple strategies should be employed simultaneously:
- Obtain product firmware only from trusted manufacturer sources.
- Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
- Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment and perform product firmware upgrades to that equipment.
- Block all traffic to EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP ports 2222 and 44818 using appropriate security technology (e.g. a firewall, UTM device, or other security appliance).
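The port filtering in the bullet above, and item 3 of the MicroLogix/SLC 500/PLC5 advisory earlier on this page, are enforced at the zone firewall. The following Python script is an added example (not Rockwell Automation code) of checking firewall or flow logs for the traffic such a rule is meant to stop: EtherNet/IP and CIP traffic on TCP/UDP 2222 and 44818 reaching a Manufacturing Zone device from an address outside the zone. The key=value log format, the addresses and the zone address ranges are constructed for the example.

```python
# Added example (not Rockwell Automation code): review firewall or flow logs
# for EtherNet/IP and CIP traffic (TCP/UDP 2222 and 44818) that reaches the
# Manufacturing Zone from outside it. The log format, addresses and zone
# ranges below are constructed for illustration.
import ipaddress
from typing import Dict, List

CIP_PORTS = {2222, 44818}

# Constructed: the address ranges that make up the Manufacturing Zone.
MANUFACTURING_ZONE = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.100.0/24"),
]


def in_zone(ip: str) -> bool:
    """True if the address belongs to one of the Manufacturing Zone ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANUFACTURING_ZONE)


def parse_flow(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value ...' flow record (constructed format)."""
    return dict(field.split("=", 1) for field in line.split())


def crossing_cip_flows(lines: List[str]) -> List[Dict[str, str]]:
    """Return flows that the zone firewall should have blocked: a CIP port on
    a Manufacturing Zone device, with the source outside the zone."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if int(flow["dport"]) not in CIP_PORTS:
            continue
        if in_zone(flow["dst"]) and not in_zone(flow["src"]):
            findings.append(flow)
    return findings


# Constructed sample flow records: two in-zone CIP sessions, one HTTPS
# session from outside, two CIP sessions from outside, one outbound CIP flow.
SAMPLE_LOG = """\
proto=tcp src=10.20.1.15 dst=10.20.1.40 sport=51322 dport=44818 action=allow
proto=udp src=10.20.1.15 dst=10.20.1.40 sport=2222 dport=2222 action=allow
proto=tcp src=172.16.5.9 dst=10.20.1.40 sport=49211 dport=44818 action=allow
proto=tcp src=172.16.5.9 dst=10.20.1.40 sport=49212 dport=443 action=allow
proto=udp src=203.0.113.7 dst=192.168.100.12 sport=40000 dport=2222 action=allow
proto=tcp src=10.20.1.15 dst=172.16.5.9 sport=51400 dport=44818 action=allow
""".splitlines()

if __name__ == "__main__":
    for f in crossing_cip_flows(SAMPLE_LOG):
        print(f"should be blocked: {f['proto']} {f['src']} -> {f['dst']}:{f['dport']}")
```

Flows in the other direction (a zone device initiating CIP to an address outside the zone) are not flagged because the recommendation concerns inbound access; they deserve a rule of their own, since CIP has no reason to cross the zone boundary in either direction in a segmented architecture.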
In addition to these mitigation strategies, Rockwell Automation continues to investigate and evaluate other strategies such as product and system-level techniques and functional enhancements to verify the authenticity of firmware updates and help reduce the likelihood of file tampering.
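Until product-level authenticity checks exist, the integrity check has to happen before the image is uploaded to the module. The following Python script is an added example, not Rockwell Automation code: it gates a firmware upload on the file's size and SHA-256 matching a manifest entry, fails closed for images not in the manifest, and uses a constant-time digest comparison. The manifest format, the image file name and the image contents are constructed for the example; in practice the expected digest must come from the vendor's download page over a trusted channel, which is what the first mitigation above means by a trusted source.

```python
# Added example (not Rockwell Automation code): gate a firmware upload on an
# integrity check of the image file, so an altered or corrupted image is
# rejected before it reaches the module. The manifest format, image name and
# image contents are constructed; the real expected digest comes from the
# vendor's download page, obtained over a trusted channel.
import hashlib
import hmac
import os
import tempfile
from typing import Dict


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so that large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path: str, manifest: Dict[str, Dict[str, object]], name: str) -> bool:
    """True only if the image is listed in the manifest and both its size and
    SHA-256 match. Unlisted images fail closed; the digest comparison is
    constant-time so the check itself leaks nothing about the expected value."""
    entry = manifest.get(name)
    if entry is None:
        return False
    if os.path.getsize(path) != entry["size"]:
        return False
    return hmac.compare_digest(sha256_file(path), str(entry["sha256"]))


def build_manifest(path: str, name: str) -> Dict[str, Dict[str, object]]:
    """Record size and digest of a known-good image (stands in for the
    values published by the vendor)."""
    return {name: {"size": os.path.getsize(path), "sha256": sha256_file(path)}}


def demo() -> Dict[str, bool]:
    """Write a constructed 'good' image, record it, then check a copy with a
    single flipped bit and a file name that is not in the manifest."""
    good = os.urandom(4096)  # stands in for a real firmware image
    tampered = good[:100] + bytes([good[100] ^ 0x01]) + good[101:]
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "good.bin")
        bad_path = os.path.join(d, "bad.bin")
        with open(good_path, "wb") as f:
            f.write(good)
        with open(bad_path, "wb") as f:
            f.write(tampered)
        manifest = build_manifest(good_path, "1756-EWEB-A.bin")  # constructed name
        results["good"] = verify_image(good_path, manifest, "1756-EWEB-A.bin")
        results["tampered"] = verify_image(bad_path, manifest, "1756-EWEB-A.bin")
        results["unlisted"] = verify_image(good_path, manifest, "other.bin")
    return results


if __name__ == "__main__":
    print(demo())
```

A digest check proves only that the file is the one the vendor published; it does not replace product-level signature verification of the image, which is why the advisory treats that as a future enhancement rather than an existing control.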
For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.