Rockwell Sounds Alarm: Disconnect ICS Systems from Internet Now

Rockwell Automation strongly urges its clients to disconnect all ICS control systems not intended for internet connectivity to prevent unauthorized or malicious cyberattacks. This measure is crucial due to escalating geopolitical tensions and increased cybercriminal activity worldwide.

The company insists on immediate action: users should verify if their devices have internet access and disconnect them if they were not originally designed for public access. “This notice urging all customers to take IMMEDIATE action to assess whether they have devices facing the public internet and, if so, urgently remove that connectivity for devices not specifically designed for public internet connectivity,” emphasized Rockwell Automation.

Disconnecting from the internet will significantly reduce the likelihood of attacks and mitigate vulnerability to external threats. Additionally, the company recommends that organizations using Rockwell’s software solutions ensure all necessary updates and patches are installed to protect against vulnerabilities affecting their products.

Such vulnerabilities include:

• CVE-2021-22681 (CVSS score: 10.0)
• CVE-2022-1159 (CVSS score: 7.7)
• CVE-2023-3595 (CVSS score: 9.8)
• CVE-2023-46290 (CVSS score: 8.1)
• CVE-2024-21914 (CVSS score: 5.3)
• CVE-2024-21915 (CVSS score: 9.0)
• CVE-2024-21917 (CVSS score: 9.8)

This notification is also endorsed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which advises users and administrators to follow the outlined measures to mitigate risks.

Among the recommendations is the joint advisory from CISA and the National Security Agency (NSA) from 2020 regarding malicious actors exploiting vulnerabilities in operational technology (OT) systems, posing significant threats to critical infrastructure.

In recent years, cybercriminal groups, including APT groups, have increasingly targeted OT/ICS systems to achieve political and economic objectives and cause disruptive consequences.

Malicious actors connect to publicly accessible programmable logic controllers (PLCs), altering control logic and causing undesirable effects.

Recent research presented at the NDSS Symposium in March 2024 demonstrated that executing a Stuxnet-type attack by compromising web applications or human-machine interfaces embedded in PLCs is not difficult for skilled adversaries.

Such attacks include falsifying sensor readings, disabling safety alarms, and manipulating physical actuators. The integration of web technologies into industrial control systems has introduced new cybersecurity challenges and problems.

New PLC malware has significant advantages over existing attack methods, such as platform independence, ease of deployment, and high resilience, allowing malicious actors to perform covert activities without needing to alter control logic.

To ensure the security of OT and ICS networks, it is recommended to restrict access to system information, audit and secure remote access points, limit access to network and control systems to legitimate users only, conduct regular security assessments, and implement a dynamic network environment.