Citing geopolitical tensions and growing interest from advanced attack groups in targeting operational technology, Rockwell Automation on Wednesday advised its users to disconnect from the internet any industrial control systems that are not specifically designed for such connectivity.
The automation giant issued an advisory urging users as well never to configure OT assets to be directly connected to the public-facing internet. The Cybersecurity & Infrastructure Security Agency (CISA) also published an alert pointing to the warning from Rockwell.
Recently published Team82 research into the exposures and secure access of OT assets, focusing specifically on engineering workstations (EWS) and human-machine interfaces (HMIs), shows that a consequential number of these devices are both insecurely connected to the internet and affected by a known exploited vulnerability (KEV).
Insecure connectivity is one characteristic of a high-risk device; the others are a KEV, poor access controls, port-forwarding enabled on the device, and connectivity that does not pass through a secure access solution or virtual private network.
“Due to heightened geopolitical tensions and adversarial cyber activity globally, Rockwell Automation is issuing this notice urging all customers to take IMMEDIATE action to assess whether they have devices facing the public internet and, if so, urgently remove that connectivity for devices not specifically designed for public internet connectivity,” Rockwell Automation said in its notice.
Advanced persistent threat groups, including Russia-linked Sandworm, have ramped up their targeting of critical infrastructure including OT assets and connected industrial control systems. Sandworm has been linked to numerous attacks against Ukrainian electric utilities dating back to 2016 and the use of the BlackEnergy malware in attacks against the country’s grid.
The group was able to disrupt power distribution by compromising substations and turning them off. They also targeted remote terminal units (RTUs), uninterruptible power supplies (UPS), and modems for remote access. BlackEnergy is a rootkit that establishes a backdoor that attackers may use to send executable code to compromised systems.
In 2022, Mandiant reported it supported Ukraine’s investigation and recovery from a disruptive attack carried out by Sandworm against a critical infrastructure organization. Mandiant reported the group was using living-off-the-land techniques to trip substation circuit breakers and cause power outages that would coincide with missile strikes; it also deployed wiper malware to brick systems within the victim’s IT environment.
Rockwell also singled out seven vulnerabilities—two of which were disclosed by Team82—that were reported between 2021 and 2024 impacting its Logix Controllers, Studio 5000 Logix Designer, select communication modules, FactoryTalk Services Platform, and FactoryTalk View ME:
CVE-2021-22681: An authentication bypass disclosed by Team82 in the Studio 5000 Logix Designer.
CVE-2022-1159: Code injection vulnerability enabling control over Studio 5000 Logix Designer.
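The high-risk criteria described above (insecure internet connectivity, a KEV, weak access controls, port-forwarding, no secure access path) and the CVEs Rockwell singled out suggest a simple triage of an OT asset inventory, which is the "assess whether they have devices facing the public internet" step the advisory asks for. The following is an added example and not code from Rockwell, Team82 or Claroty: the inventory fields, the external-scan results and the asset records are all constructed for illustration, and only the two CVE identifiers named in the article are used in the KEV watch-list. Devices that are both insecurely exposed and carry a KEV are ranked for immediate action, matching the advisory's priority.

```python
"""Triage an OT asset inventory against the high-risk device criteria.

Added example; all inventory data below is constructed, not real.
"""
from dataclasses import dataclass, field

# KEV watch-list. Only the two CVEs the article names are included;
# a real deployment would load the full CISA KEV catalogue instead.
KEV_WATCHLIST = {"CVE-2021-22681", "CVE-2022-1159"}


@dataclass
class Asset:
    name: str
    role: str                      # e.g. "EWS", "HMI", "PLC", "GATEWAY"
    address: str                   # internal address, for reporting only
    designed_for_internet: bool    # vendor designed it for public exposure
    port_forwarded: bool           # a perimeter device forwards to it
    behind_secure_access: bool     # reachable only via VPN / secure access
    strong_access_control: bool    # MFA, unique accounts, no defaults
    external_open_ports: list = field(default_factory=list)  # from a perimeter scan (constructed)
    cves: list = field(default_factory=list)                 # from a vulnerability scan (constructed)


def is_internet_facing(asset: Asset) -> bool:
    """Exposed if an external scan reached it or a forwarding rule points at it."""
    return bool(asset.external_open_ports) or asset.port_forwarded


def risk_findings(asset: Asset) -> list:
    """Return the high-risk characteristics that apply to one asset."""
    findings = []
    exposed = is_internet_facing(asset)
    if exposed and not asset.designed_for_internet:
        findings.append("insecure-internet-connectivity")
    if asset.port_forwarded:
        findings.append("port-forwarding")
    if exposed and not asset.behind_secure_access:
        findings.append("no-secure-access")
    if not asset.strong_access_control:
        findings.append("weak-access-controls")
    kev_hits = sorted(c for c in asset.cves if c in KEV_WATCHLIST)
    if kev_hits:
        findings.append("kev:" + ",".join(kev_hits))
    return findings


def triage(assets) -> dict:
    """Map asset name -> (priority, findings).

    'immediate': insecurely internet-exposed AND carries a KEV
    'high'     : either of the two
    'medium'   : other findings only
    'ok'       : no findings
    """
    report = {}
    for asset in assets:
        findings = risk_findings(asset)
        exposed_insecurely = "insecure-internet-connectivity" in findings
        has_kev = any(f.startswith("kev:") for f in findings)
        if exposed_insecurely and has_kev:
            priority = "immediate"
        elif exposed_insecurely or has_kev:
            priority = "high"
        elif findings:
            priority = "medium"
        else:
            priority = "ok"
        report[asset.name] = (priority, findings)
    return report


# Constructed sample inventory (hypothetical assets and scan results).
SAMPLE_INVENTORY = [
    Asset("EWS-01", "EWS", "10.1.1.5", designed_for_internet=False, port_forwarded=True,
          behind_secure_access=False, strong_access_control=True,
          external_open_ports=[44818], cves=["CVE-2021-22681"]),   # EtherNet/IP reachable from outside
    Asset("HMI-02", "HMI", "10.1.2.7", designed_for_internet=False, port_forwarded=False,
          behind_secure_access=True, strong_access_control=True,
          cves=["CVE-2022-1159"]),
    Asset("PLC-03", "PLC", "10.1.3.9", designed_for_internet=False, port_forwarded=False,
          behind_secure_access=True, strong_access_control=False),
    Asset("GW-04", "GATEWAY", "10.1.0.1", designed_for_internet=True, port_forwarded=False,
          behind_secure_access=True, strong_access_control=True,
          external_open_ports=[443]),
]

if __name__ == "__main__":
    for name, (priority, findings) in triage(SAMPLE_INVENTORY).items():
        print(f"{name:8} {priority:10} {', '.join(findings) or '-'}")
```

The exposure test deliberately uses evidence from outside the device (a perimeter scan and the forwarding rules) rather than the device's own address, since an asset with an RFC 1918 address can still be reachable from the internet through a forwarding rule; that is the case the advisory asks users to find and remove.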
“Users should never configure their assets to be directly connected to the public-facing internet,” Rockwell’s advisory said. “Removing that connectivity as a proactive step reduces attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors.”