Cisco uncovers security threat in industrial control system

The Simple Network Management Protocol exploit could let an attacker take complete control of Rockwell Automation’s MicroLogix system

Cisco’s security intelligence and research group, Talos, said it has reported a serious vulnerability in a Rockwell Automation industrial control system, the MicroLogix 1400 programmable logic controller (PLC).

The Simple Network Management Protocol (SNMP) exploit could let an attacker take complete remote control of the MicroLogix system and modify the device firmware, allowing the intruder to run their own malicious code on the device.


Rockwell Automation’s MicroLogix system


MicroLogix 1400 PLCs are used in a variety of applications, from general industrial machinery and heating/air-conditioning units to SCADA (oil and gas, water/wastewater, and electrical power) and to vending machines and industrial washers and dryers.

Cisco’s Talos wrote: “This vulnerability is due to the presence of an undocumented SNMP community string that could be leveraged by an attacker to gain full control of affected devices and grants the ability to manipulate configuration settings, replace the firmware running on the device with attacker-controlled code, or otherwise disrupt device operations. Depending on the role of the affected PLC within an industrial control process, this could result in significant damages.

At the most basic level, knowledge of the undocumented community string allows an attacker to read all values accessible via SNMP. In addition to read permissions, the ‘wheel’ community has the same write privileges as the ‘private’ community and can modify all writable SNMP OIDs. While it is possible for operators to change the default SNMP community strings on affected devices, the fact that this SNMP string is not documented by the vendor drastically decreases the likelihood of this value being changed prior to production deployment of the PLCs, as most operators are not likely to even be aware of its existence.

Given the severity of this issue, and the fact that this functionality has not been removed from affected devices, it is recommended that mitigations be put in place to prevent the successful exploitation of this vulnerability in production environments.”

According to an Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) post on the security problem, Rockwell Automation recommends that users of affected versions of the MicroLogix 1400 evaluate and deploy the risk mitigation strategies listed below. When possible, multiple strategies should be employed simultaneously, the post stated.

  • Utilize the product’s “RUN” keyswitch setting to prevent unauthorized and undesired firmware update operations and other disruptive configuration changes.
  • Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. See KB496391d for more information on blocking access to SNMP services.
  • Disable the SNMP service on this product. The SNMP service is enabled by default. See Page 128 in the MicroLogix 1400 product manual for detailed instructions on enabling and disabling SNMP.
    • Note: It will be necessary to re-enable SNMP to update firmware on this product. After the upgrade is complete, disable the SNMP service once again.
    • Note: Changing the SNMP community strings is not an effective mitigation.
  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
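As an added detection example (not code from Talos, Rockwell Automation or ICS-CERT), the following Python parses the header of an SNMPv1/v2c datagram and raises the alerts a network monitor in front of the PLC subnet would want given the mitigations above: any SNMP from a host that is not the authorized management station, any use of the undocumented 'wheel' community, and any SetRequest, since writes are what change configuration and firmware. The addresses and the policy sets are assumptions, and the sample packets are constructed.

```python
"""Flag SNMP datagrams that the MicroLogix mitigations say should never reach a
PLC: unauthorized sources, the undocumented 'wheel' community, any SetRequest."""

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

# Hypothetical site policy: only the engineering workstation may send SNMP to
# the PLC subnet (addresses below are constructed, not from the advisory).
AUTHORIZED_SNMP_SOURCES = {"10.0.0.5"}
PLC_ADDRESSES = {"10.0.10.21"}
UNDOCUMENTED_COMMUNITIES = {"wheel"}          # the string Talos reported

def _read_tlv(buf, pos):
    """Decode one BER tag and length at buf[pos]; return (tag, start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def parse_snmp_header(payload):
    """Return (version, community, pdu_type) of an SNMPv1/v2c message."""
    tag, pos, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, vs, ve = _read_tlv(payload, pos)     # INTEGER version (0=v1, 1=v2c)
    version = int.from_bytes(payload[vs:ve], "big")
    tag, cs, ce = _read_tlv(payload, ve)      # OCTET STRING community
    community = payload[cs:ce].decode("ascii", "replace")
    pdu_tag = payload[ce]                     # context-specific PDU tag
    return version, community, PDU_TYPES.get(pdu_tag, f"0x{pdu_tag:02x}")

def check_datagram(src_ip, dst_ip, payload):
    """Return the alerts raised by one UDP/161 datagram addressed to a PLC."""
    alerts = []
    if dst_ip not in PLC_ADDRESSES:
        return alerts
    _, community, pdu = parse_snmp_header(payload)
    if src_ip not in AUTHORIZED_SNMP_SOURCES:
        alerts.append(f"SNMP from unauthorized host {src_ip} to PLC {dst_ip}")
    if community in UNDOCUMENTED_COMMUNITIES:
        alerts.append(f"undocumented community '{community}' from {src_ip}")
    if pdu == "SetRequest":
        alerts.append(f"{pdu} to PLC {dst_ip} from {src_ip}: write attempt")
    return alerts

def _ber(tag, value):                         # short-form BER, for samples only
    return bytes([tag, len(value)]) + value

def build_snmp(community, pdu_tag, version=1):
    """Constructed SNMPv2c datagram with an empty varbind list (sample input)."""
    pdu = _ber(pdu_tag, _ber(0x02, b"\x01") + _ber(0x02, b"\x00") * 2 + _ber(0x30, b""))
    return _ber(0x30, _ber(0x02, bytes([version])) + _ber(0x04, community.encode()) + pdu)
```

Feeding the datagrams seen on UDP/161 to check_datagram gives one alert per policy violation, so a read with the documented community from the management station produces nothing while a write with 'wheel' from anywhere else produces three.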

Stories by Michael Cooney