2024-6-6 05:36:12 Author: www.tenable.com(查看原文) 阅读量:13 收藏
An advisory from Rockwell Automation reiterates the importance of disconnecting operational technology devices with public-facing internet access and patching and mitigating systems vulnerable to several flaws.
Background
On May 21, Rockwell Automation published an advisory (SD1672) to provide guidance to customers on best practices to protect operational technology (OT) devices.
Details
For over a decade, reports have shown that OT devices, including controllers, HMI’s (Human Machine Interfaces) and Supervisory Control and Data Acquisition (SCADA) devices, have been at risk of exposure through search engines like Shodan. These OT devices have been fingerprinted by Shodan because they are public facing and internet-accessible, allowing them to be indexed by such search engines. This allows a variety of users, including security researchers and threat actors to search for and obtain information about such devices. Public facing controllers without security controls, such as those without authentication enabled, may be altered or programmed by a remote attacker possessing the correct software, even without a vulnerability to exploit.
The warnings about the exposure of such devices have been repeated since 2014, when the Cybersecurity and Infrastructure Security Agency (CISA) issued an ICS Alert (ICS-ALERT-10-301-01) about the threat posed by the discoverability of these devices. This message was reiterated once again in 2018 as part of ICS-ALERT-11-343-01A.
Most SCADA/OT systems should not be internet accessible
Due to their critical nature, most OT systems should not be public-facing and internet-accessible. The only instances whereby such devices should be accessible are those that were designed to enable external connectivity. Segmentation of these environments is strongly suggested, and users can reference ISA/IEC 62443 Series of Standards for best practices.
COVID-19 and lockdowns required remote access
We know in 2020, the COVID-19 pandemic required organizations to allow for remote access to internal networks. This need also came at the cost of expanding the attack surface, which included the provisioning of OT systems for remote access. Many times these remote access capabilities were deployed with speed and ease of use over security. This includes cellular modems, 4G/5G, dial-up, or dedicated internet lines, which are common for original equipment manufacturers (OEMs) and vendors to monitor and access equipment.
OT devices are becoming a greater target for attackers
In recent years, OT devices have increasingly become a target for attack by a variety of threat actors, such as ransomware groups and affiliates, hacktivists and nation-state cyber criminals linked to Iran and China. In Early May, several U.S. agencies including CISA, issued an advisory about Pro-Russian hacktivist activity targeting OT environments. This links back to part of the catalyst for Rockwell Automation’s advisory, which noted the “heightened geopolitical tensions and adversarial cyber activity globally.”
Seven Vulnerabilities Highlighted in Rockwell Automation Advisory
As part of its advisory, Rockwell Automation highlighted seven CVEs in various products including flaws in its Logix Controllers and Logix Designer, Communication Modules and FactoryTalk.
| CVE | Description | CVSSv3 | Affected Equipment |
|---|---|---|---|
| CVE-2021-22681 | Rockwell Automation Insufficiently Protected Credentials Vulnerability | 10.0 | Studio 5000 Logix Designer, RSLogix 5000, Logix Controllers |
| CVE-2022-1159 | Rockwell Automation Code Injection Vulnerability | 7.7 | Studio 5000 Logix Designer |
| CVE-2023-3595 | Rockwell Automation Remote Code Execution Vulnerability | 9.8 | Allen-Bradley ControlLogix Communication Modules |
| CVE-2023-46290 | Rockwell Automation Improper Authentication Vulnerability | 8.1 | FactoryTalk Services Platform |
| CVE-2024-21914 | Rockwell Automation Cross-Site Scripting (XSS) Vulnerability | 5.3 | FactoryTalk View Machine Edition (ME) |
| CVE-2024-21915 | Rockwell Automation Incorrect Execution-Assigned Permissions Vulnerability | 9.0 | FactoryTalk Service Platform |
| CVE-2024-21917 | Rockwell Automation Improper Verification of Cryptographic Signature Vulnerability | 9.8 | FactoryTalk Service Platform |
No specific exploit intelligence is available for these flaws. However, Rockwell Automation highlighted CVE-2023-3595, a remote code execution vulnerability in the Allen-Bradley ControlLogix Communication Modules, in July 2023.
Solution
The most important takeaway from Rockwell Automation’s advisory and the repeated advice surrounding OT devices remains the same: disconnect internet-accessible OT devices unless they were designed to be enabled for such access.
If such devices do require remote access, ensure they are properly configured behind firewalls and isolated from business critical networks. Limit administrator access and ensure accounts have only the required permissions. Use strong, unique passwords for accounts and ensure all default-passwords have been changed. Enable multifactor authentication (MFA) on accounts where possible. Standardize on a secure remote access platform for OT with audit and logging capabilities to ensure access is being utilized properly.
Identifying affected systems
To identify internet facing OT systems using Nessus plugins, please review the plugins listed on this page.
Additionally, Tenable customers can use the plugins from these two links to conduct credentialed or agent scans to identify OT assets
A list of Tenable plugins for the vulnerabilities referenced in this blog post can be found on the individual CVE pages:
Please note that there is no plugin coverage for CVE-2024-21914.
These links display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Get more information
- SD1672 | IMPORTANT NOTICE: Rockwell Automation Reiterates Customer Guidance to Disconnect Devices from the Internet to Protect from Cyber Threats
- Control System Internet Accessibility
- Control System Internet Accessibility (Update A)-
- CVE-2023-3595, CVE-2023-3596: Rockwell Automation ControlLogix Vulnerabilities Disclosed
- Finding Rockwell Automation Allen-Bradley Communication Modules Affected by CVE-2023-3595 and CVE-2023-3596 in OT Environments
- Checking for ICS Internet Exposure Using Shodan.io
- Logix 5000 Controllers Security
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Satnam Narang
Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).
Jeff Rotberg
In his role as Director of Business Development at Tenable, Jeff Rotberg leads partnerships and strategy for Tenable OT Security. Jeff has over 10 years of experience working in industrial automation and OT environments. Previously, he held multiple sales and technology roles at Rockwell Automation, a leading industrial automation original equipment manufacturer (OEM). Jeff holds a bachelor of science in electrical engineering from UNC Charlotte.
Related Articles
- Exposure Management
- Vulnerability Management
Cybersecurity News You Can Use
Enter your email and never miss timely alerts and security guidance from the experts at Tenable.
Tenable Vulnerability Management
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.
Tenable Vulnerability Management
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
100 assets
Choose Your Subscription Option:
Thank You
Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.
Tenable Vulnerability Management
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.
Tenable Vulnerability Management
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
100 assets
Choose Your Subscription Option:
Thank You
Thank you for your interest in Tenable.io. A representative will be in touch soon.
Tenable Vulnerability Management
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.
Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.
Tenable Vulnerability Management
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
100 assets
Choose Your Subscription Option:
Thank You
Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.
Try Tenable Web App Scanning
Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.
Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.
Buy Tenable Web App Scanning
Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.
Try Tenable Lumin
Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.
Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.
Buy Tenable Lumin
Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.
Thank You
Thank you for your interest in Tenable Lumin. A representative will be in touch soon.
Request a demo of Tenable Security Center
Please fill out this form with your contact information.
A sales representative will contact you shortly to schedule a demo.
* Field is required
Request a demo of Tenable OT Security
Get the Operational Technology Security You Need.
Reduce the Risk You Don’t.
Request a demo of Tenable Identity Exposure
Continuously detect and respond to Active Directory attacks. No agents. No privileges.
On-prem and in the cloud.
Request a Demo of Tenable Cloud Security
Exceptional unified cloud security awaits you!
We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.
See
Tenable One
In Action
Exposure management for the modern attack surface.
See Tenable Attack Surface Management In Action
Know the exposure of every asset on any platform.
Thank You
Thank you for your interest in Tenable Attack Surface Management. A representative will be in touch soon.
Try Tenable Nessus Professional Free
FREE FOR 7 DAYS
Tenable Nessus is the most comprehensive vulnerability scanner on the market today.
NEW - Tenable Nessus Expert
Now Available
Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.
Fill out the form below to continue with a Nessus Pro Trial.
Buy Tenable Nessus Professional
Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.
Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.
Try Tenable Nessus Expert Free
FREE FOR 7 DAYS
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.
Buy Tenable Nessus Expert
Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.
Learn How Tenable Helps Achieve SLCGP Cybersecurity Plan Requirements
Tenable solutions help fulfill all SLCGP requirements. Connect with a Tenable representative to learn more.
如有侵权请联系:admin#unsafe.sh