Rockwell recommends disconnecting internet-facing industrial control system devices amid cyber threats

Rockwell Automation is recommending that customers disconnect all industrial control systems (ICS) not intended to be connected to the public internet, to mitigate unauthorized cyber activity. The company issued the advisory citing «heightened geopolitical tensions and adverse cyber activity globally.»

To that end, customers are urged to promptly determine whether they have devices accessible over the internet and, if so, sever connectivity for those that should not be exposed.

«Users should never configure their assets to be directly connected to the public internet,» added Rockwell Automation.

«Removing this connectivity proactively reduces the attack surface and can immediately decrease exposure to unauthorized and malicious cyber activity by external threat actors.»

Furthermore, organizations are urged to ensure they have applied the necessary mitigations and patches for vulnerabilities affecting their Rockwell Automation products.
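A concrete way to carry out the first step of the advisory (finding out whether an ICS device answers from a public address) is to send the EtherNet/IP ListIdentity discovery command, the same probe that asset-inventory tools and nmap's enip-info script use on TCP port 44818. The code below is an added example, not code from Rockwell Automation or The Hacker News: it builds the 24-byte encapsulation header for ListIdentity (command 0x0063), parses the identity item a device returns (vendor ID 1 is Rockwell Automation/Allen-Bradley in the ODVA registry, CIP device type 0x0E is "Programmable Logic Controller"), and includes a `probe()` helper for live use. The reply it parses here is constructed inline, with a hypothetical product name and serial, so the script runs offline; the `sender_context` value `RKWLCHK1` is an arbitrary choice.

```python
"""Build an EtherNet/IP ListIdentity probe and decode the reply.

Added example (not Rockwell's or the article's code). Assumes the standard
EtherNet/IP encapsulation layout: 24-byte header, ListIdentity = 0x0063,
identity item type = 0x000C. The sample reply is constructed, not captured.
"""
import socket
import struct
from typing import Optional

ENIP_PORT = 44818            # TCP port for EtherNet/IP explicit messaging
CMD_LIST_IDENTITY = 0x0063
ITEM_LIST_IDENTITY = 0x000C
HEADER = struct.Struct("<HHII8sI")   # cmd, length, session, status, context, options

KNOWN_VENDORS = {1: "Rockwell Automation/Allen-Bradley"}   # ODVA vendor ID 1
DEVICE_TYPE_PLC = 0x0E                                      # CIP device type


def build_list_identity_request(sender_context: bytes = b"RKWLCHK1") -> bytes:
    """Header only: ListIdentity carries no payload and needs no session."""
    if len(sender_context) != 8:
        raise ValueError("sender context must be exactly 8 bytes")
    return HEADER.pack(CMD_LIST_IDENTITY, 0, 0, 0, sender_context, 0)


def parse_list_identity_response(data: bytes) -> dict:
    """Decode the first identity item of a ListIdentity reply into a dict."""
    if len(data) < HEADER.size:
        raise ValueError("short encapsulation header")
    cmd, length, _session, _status, _ctx, _opts = HEADER.unpack(data[:HEADER.size])
    if cmd != CMD_LIST_IDENTITY:
        raise ValueError(f"unexpected command 0x{cmd:04x}")
    body = data[HEADER.size:HEADER.size + length]
    item_count, item_type, item_len = struct.unpack("<HHH", body[:6])
    if item_count < 1 or item_type != ITEM_LIST_IDENTITY:
        raise ValueError("reply carries no identity item")
    item = body[6:6 + item_len]
    # Identity item layout: protocol version (LE u16); socket address in
    # network byte order (family, port, IPv4, 8 zero bytes); then LE fields
    # vendor, device type, product code, revision major/minor, status,
    # serial; then a length-prefixed product name and a 1-byte state.
    (proto_ver,) = struct.unpack("<H", item[0:2])
    _family, sin_port, sin_addr = struct.unpack("!HH4s", item[2:10])
    vendor, dev_type, prod_code, rev_major, rev_minor, dev_status, serial = \
        struct.unpack("<HHHBBHI", item[18:32])
    name_len = item[32]
    product_name = item[33:33 + name_len].decode("ascii", "replace")
    state = item[33 + name_len]
    return {
        "protocol_version": proto_ver,
        "advertised_ip": socket.inet_ntoa(sin_addr),   # device's own view of its address
        "advertised_port": sin_port,
        "vendor_id": vendor,
        "vendor": KNOWN_VENDORS.get(vendor, f"unknown ({vendor})"),
        "device_type": dev_type,
        "is_plc": dev_type == DEVICE_TYPE_PLC,
        "product_code": prod_code,
        "revision": f"{rev_major}.{rev_minor}",
        "status": dev_status,
        "serial_number": f"{serial:08x}",
        "product_name": product_name,
        "state": state,
    }


def probe(host: str, port: int = ENIP_PORT, timeout: float = 3.0) -> Optional[dict]:
    """Live check: any parsed reply from a public address is an exposed ICS asset."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_list_identity_request())
        reply = sock.recv(4096)
    return parse_list_identity_response(reply) if reply else None


def constructed_reply() -> bytes:
    """Constructed sample reply for a hypothetical Rockwell PLC (not a capture)."""
    name = b"EXAMPLE-PLC"
    item = struct.pack("<H", 1)
    item += struct.pack("!HH4s8s", 2, ENIP_PORT, socket.inet_aton("192.0.2.10"), b"\x00" * 8)
    item += struct.pack("<HHHBBHI", 1, DEVICE_TYPE_PLC, 0x5F, 20, 11, 0x0060, 0x00C0FFEE)
    item += bytes([len(name)]) + name + b"\x03"
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY, len(item)) + item
    return HEADER.pack(CMD_LIST_IDENTITY, len(body), 0, 0, b"RKWLCHK1", 0) + body


if __name__ == "__main__":
    for key, value in parse_list_identity_response(constructed_reply()).items():
        print(f"{key:18} {value}")
```

Run `probe()` only against address ranges you own; a reply means the device is reachable and should be moved behind a firewall or VPN as the advisory describes. The `advertised_ip` field is useful during such an audit: a device that answers on a public address but advertises an RFC 1918 address is sitting behind a NAT or port-forward rule that someone configured.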

The alert has also been echoed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which recommends that users and administrators follow the measures detailed in the guidance to reduce exposure.

This includes a 2020 advisory jointly released by CISA and the National Security Agency (NSA) warning that malicious actors are exploiting internet-accessible operational technology (OT) assets to conduct cyber activity that could pose serious threats to critical infrastructure.

«Cyber actors, including advanced persistent threat groups (APTs), have targeted OT/ICS systems in recent years to gain political and economic advantages, and potentially to execute destructive effects,» the NSA stated in September 2022.

Adversaries have also been seen connecting to publicly exposed programmable logic controllers (PLCs) and modifying control logic to trigger undesired behaviors.

In fact, a recent study presented by a group of academics from the Georgia Institute of Technology at the NDSS Symposium in March 2024 found that a Stuxnet-style attack is feasible by compromising the web application (or human-machine interfaces) hosted by the web servers integrated within the PLCs.

This involves exploiting the PLC’s web interface used for remote monitoring, programming, and configuration to gain initial access and then leveraging legitimate application programming interfaces (APIs) to sabotage the underlying actual machinery.

«These attacks include falsifying sensor readings, disabling safety alarms, and manipulating physical actuators,» the researchers said. «The emergence of web technology in industrial control environments has introduced new security concerns not present in the IT domain or consumer IoT devices.»

The new web-based PLC malware has significant advantages over existing PLC malware techniques, such as platform independence, ease of implementation, and higher levels of persistence, enabling an attacker to covertly carry out malicious actions without deploying control logic malware.

To secure OT and ICS networks, it is recommended to limit system information exposure, audit and secure remote access points, restrict access to network and control system tools and scripts to legitimate users, conduct regular security reviews, and implement a dynamic network environment.

Via The Hacker News