Rockwell’s ICS directive comes as critical-infrastructure risk peaks

Tara Seals, Dark Reading

June 13, 2024


Citing “heightened geopolitical tensions and adversarial cyber activity globally,” industrial control systems (ICS) giant Rockwell Automation last month took the unusual step of telling its customers to disconnect their gear from the Internet. The move showcases not just growing cyber risk to critical infrastructure, but the unique challenges that security teams face in the sector, experts say.

By way of background, the US Cybersecurity and Infrastructure Security Agency (CISA) has been sounding the alarm for months about increased threats to water utilities, power plants, manufacturers, telecom carriers, military installations, and more, with the attacks largely spearheaded by advanced persistent threats (APTs) backed by China, Russia, and Iran. CISA has warned that facilities teams should be especially vigilant this year, given the volatility that comes with elections and ongoing wars.

“These nation-states are targeting critical infrastructure for political or economic gain,” says Gary Southwell, general manager at ARIA Cybersecurity. “Russian-backed attackers are targeting allies of Ukraine. They also host many cybercriminals who target high value infrastructure because of the money they can extort. China is playing the long game: get embedded in as much of our critical infrastructure as possible so they can exercise political leverage against us. In the past it was mostly to steal IP but that is now secondary.

“In both cases, these attackers are finding ways in and trying to leave behind code that they can use to control systems and potentially wreak havoc,” he warns.

Adding further to the concern are the many known security vulnerabilities that put Internet-exposed ICS gear at even greater risk of compromise. Patching them requires purpose-trained expertise and usually production downtime, which takes remediation off the table for many organizations. Rockwell's advisory links to several serious bugs, including CVE-2021-22681, CVE-2022-1159, CVE-2023-3595 and CVE-2023-3596, CVE-2023-46290, CVE-2024-21914, CVE-2024-21915, and CVE-2024-21917.

Exploiting them can enable denial-of-service (DoS) attacks that take down electrical grids; privilege escalation and lateral movement to burrow deeper into the operational technology (OT) environment and take control of it; tampering with settings to, say, change safety thresholds on power generators; remote compromise of programmable logic controllers (PLCs) to halt water-sector operations; or even destructive, Stuxnet-style attacks that permanently cripple a site's ability to function.

In response, "removing connectivity [from ICS] as a proactive step reduces attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors," Rockwell noted in its advisory, adding that this should be done "immediately" (rendered in all caps, in case the urgency failed to register).

Most ICS Gear Has No Business Being Online

While the advisory pertains to “devices not specifically designed for public Internet connectivity,” that unfortunately represents the majority of ICS gear found online. Most installations still run legacy assets that have been in use for many years, and were never designed to be part of connected, “smart” installations.

It’s not a small problem, either: A Shodan search for “Rockwell” returned more than 7,000 results, including thousands of legacy PLCs, which control the physical and operational processes within ICS environments and are not meant to be exposed.
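Shodan finds those devices by sending the same unauthenticated request any EtherNet/IP scanner uses: a CIP ListIdentity (encapsulation command 0x0063) on UDP/TCP port 44818, to which every compliant device answers with its vendor ID, device type, product name, revision and serial number. The script below is an added example (not code from the article or from Rockwell) that a site can run against its own public address range to see what an attacker would see before deciding what to disconnect. The reply it parses is constructed to resemble a ControlLogix controller's answer; the product name, serial, and the 192.0.2.0/24 addresses are sample values, not captured data.

```python
"""Probe for EtherNet/IP devices with ListIdentity and flag Rockwell gear.

Added example. ListIdentity is the unauthenticated discovery request that
every EtherNet/IP device answers; Shodan's "Rockwell" hits come from this
reply. The SAMPLE_REPLY below is constructed, not captured from a real PLC.
"""
import socket
import struct

ENIP_PORT = 44818
LIST_IDENTITY = 0x0063
CIP_IDENTITY_ITEM = 0x000C
ROCKWELL_VENDOR_ID = 1          # ODVA vendor ID 1 = Rockwell Automation / Allen-Bradley
HEADER = "<HHII8sI"             # command, length, session, status, sender context, options
DEVICE_TYPES = {0x0C: "Communications Adapter", 0x0E: "Programmable Logic Controller"}


def build_list_identity_request(context: bytes = b"\x00" * 8) -> bytes:
    """24-byte encapsulation header with no payload; this is the whole request."""
    return struct.pack(HEADER, LIST_IDENTITY, 0, 0, 0, context, 0)


def encode_list_identity_reply(ip, vendor, dev_type, prod_code, rev, status, serial, name, state=3):
    """Encode a CIP Identity item as a device would; used here only to build sample input."""
    sockaddr = struct.pack(">HHI8s", 2, ENIP_PORT,          # sin_family/port/addr are big-endian
                           int.from_bytes(socket.inet_aton(ip), "big"), b"\x00" * 8)
    ident = struct.pack("<H", 1) + sockaddr                 # encapsulation protocol version 1
    ident += struct.pack("<HHHBBHI", vendor, dev_type, prod_code, rev[0], rev[1], status, serial)
    ident += bytes([len(name)]) + name.encode("ascii") + bytes([state])
    body = struct.pack("<HHH", 1, CIP_IDENTITY_ITEM, len(ident)) + ident   # item count, type, length
    return struct.pack(HEADER, LIST_IDENTITY, len(body), 0, 0, b"\x00" * 8, 0) + body


def parse_list_identity_reply(pkt: bytes) -> list:
    """Return one dict per CIP Identity item in a ListIdentity reply."""
    if len(pkt) < 24:
        raise ValueError("short packet")
    cmd, length, _sess, status, _ctx, _opts = struct.unpack_from(HEADER, pkt, 0)
    if cmd != LIST_IDENTITY or status != 0 or len(pkt) < 24 + length:
        raise ValueError("not a valid ListIdentity reply")
    body = pkt[24:24 + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    off, devices = 2, []
    for _ in range(item_count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        off += item_len
        if item_type != CIP_IDENTITY_ITEM:
            continue
        # offsets: version 0-1, sockaddr 2-17 (addr at 6-9), identity fields from 18
        vendor, dev_type, prod_code, rev_major, rev_minor, dev_status, serial = \
            struct.unpack_from("<HHHBBHI", item, 18)
        name_len = item[32]
        devices.append({
            "ip": socket.inet_ntoa(item[6:10]),
            "vendor_id": vendor,
            "device_type": DEVICE_TYPES.get(dev_type, f"0x{dev_type:02x}"),
            "product_code": prod_code,
            "revision": (rev_major, rev_minor),
            "status": dev_status,
            "serial": f"{serial:08x}",
            "product_name": item[33:33 + name_len].decode("ascii", "replace"),
            "state": item[33 + name_len],
        })
    return devices


def is_rockwell(dev: dict) -> bool:
    return dev["vendor_id"] == ROCKWELL_VENDOR_ID


def probe(target: str, timeout: float = 2.0) -> list:
    """Send ListIdentity over UDP and collect replies; 255.255.255.255 sweeps the local subnet."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_list_identity_request(), (target, ENIP_PORT))
        try:
            while True:
                data, peer = s.recvfrom(4096)
                for dev in parse_list_identity_reply(data):
                    dev["from"] = peer[0]
                    found.append(dev)
        except socket.timeout:
            pass
    return found


# Constructed sample reply: a Rockwell (vendor 1) PLC with a sample name, revision and serial.
SAMPLE_REPLY = encode_list_identity_reply("192.0.2.10", ROCKWELL_VENDOR_ID, 0x0E, 0x5A,
                                          (20, 11), 0x0060, 0x00C0FFEE, "1756-L71/B LOGIX5571")

if __name__ == "__main__":
    for d in parse_list_identity_reply(SAMPLE_REPLY):
        flag = "ROCKWELL - should not be Internet-reachable" if is_rockwell(d) else "other vendor"
        print(f"{d['ip']} {d['product_name']} rev {d['revision']} {d['device_type']}: {flag}")
```

Running `probe("203.0.113.1")` (a sample address) from outside the plant network reproduces the Shodan view for one host; any Rockwell reply is a device the advisory says to take offline. Probe only addresses you own: ListIdentity is harmless to a healthy device, but some older PLCs handle unexpected traffic poorly.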

And therein lies the crux of the issue: If the machines are not meant to be reachable online, how did they end up that way in the first place?

“All too often in a world of ‘hello, it works,’ organizations find themselves in a situation where [things are working operationally, but] hardware and software are installed and configured in ways that are not recommended, leaving them vulnerable to attack,” explains Ken Dunham, cyber threat director at Qualys Threat Research Unit. “Organizations are doing the best that they can, with the limited resources they have, in compressed time frames, often without appropriate training, experience, and checks and balances in place to ensure secure, effective outcomes.”

Beyond resource constraints, there is also a significant disconnect between IT security staff and the people who actually manage the ICS assets. For example, John Gallagher, vice president of Viakoo Labs at Viakoo, notes that in many manufacturing environments it is the manufacturing team, not IT, that sets up OT devices, which is how unwanted Internet-facing connections get introduced.

To read the complete article, visit Dark Reading.
