
Rockwell to Customers: Remove Public ICS Devices from the Internet

In response to increased geopolitical tensions and potential attacks on critical infrastructure sectors, Rockwell Automation has published guidelines encouraging users to remove connections to all industrial control system (ICS) devices with public Internet access.

In a customer advisory, Rockwell said users should never configure their resources to be directly connected to the public Internet. A large industrial manufacturer found that removing this connectivity as a proactive step reduces the attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors.

The Cybersecurity and Infrastructure Security Agency (CISA) published its own post on May 21, following Rockwell’s recommendation, drawing attention to Rockwell’s position.

Security Week reported that a recent Shodan search for “Rockwell” returned more than 7,000 results, including thousands of items that appear to be Allen-Bradley programmable logic controllers (PLCs).

The Rockwell Automation alert recommends the immediate removal of any device that is currently installed with access to the public Internet for which it was not designed, noted Ken Dunham, director of cyber threats at Qualys.

While this may seem like common sense, Dunham said organizations find themselves in situations where hardware and software are installed and configured in unrecommended ways, putting them at risk.

“Automated industrial control systems are a prime target for adversaries seeking to impact critical infrastructure, especially in a highly volatile year filled with elections and wars,” Dunham said.

John Gallagher, vice president of Viakoo Labs, added that while manufacturers use the Internet for a variety of purposes, from office equipment to cloud-connected manufacturing systems, the problem is with devices and systems that have not been tested and designed to work while connected to the Internet and yet have been configured this way.

Gallagher explained that in many manufacturing organizations, it is the production team, not the IT department, that configures the systems that make Internet connections possible.

Gallagher said that even if a network is fully segmented and separated from the Internet by a firewall, “breakthroughs” can happen over time, such as a night security guard wondering how to watch Netflix or someone temporarily turning on their Internet connection and then forgetting to reset it.

When asked whether shutting down public Internet facilities will slow down factory operations, Gallagher said that for many ICS systems, even regular maintenance must be carefully scheduled to minimize disruption, so shutting down ICS systems will likely have an impact on business operations.

“However, it is recommended that you turn off Internet connectivity – not turn it off – and since these devices were never intended to connect to the Internet, it is possible that turning off the Internet will have minimal impact,” Gallagher said.

Rockwell’s advisory lists five patched vulnerabilities that security teams should take action on because they could potentially allow attackers to conduct denial-of-service attacks, privilege escalation or remote attacks on PLCs: