May 22, 2024

Rockwell’s Latest Directive to Take Devices Offline: What Should Organizations Learn?

In cybersecurity, the only constant is change. Recent events have underscored the critical need for robust security measures in industrial control systems (ICS) and operational technology (OT). Rockwell Automation's urgent directive, issued this week, to disconnect from the Internet all ICS devices not designed for online exposure is a wake-up call for organizations worldwide. Given increasing malicious activity and heightened geopolitical tensions, the guidance is timely and essential. Here is what organizations need to learn and implement from it.

Understanding the Directive

Rockwell Automation has warned customers about the growing threat landscape and urged them to disconnect from the public Internet any ICS device not specifically designed for it. Such devices should never be reachable from systems outside the local network, whether through a public IP address, a port-forwarding rule, or an exposed remote-access service. Removing that exposure drastically reduces the attack surface and ensures threat actors cannot directly reach systems that may be unpatched or otherwise vulnerable.

Key Vulnerabilities Highlighted

Rockwell also identified several vulnerabilities affecting its ICS products and emphasized the need for prompt remediation across the full device lifecycle. Rockwell's continued vigilance in disclosing and fixing these issues reflects its "security first" stance and is laudable:

  • CVE-2021-22681: Rockwell Automation Logix Controllers
  • CVE-2022-1159: Rockwell Automation Studio 5000 Logix Designer
  • CVE-2023-3595: Rockwell Automation Select Communication Modules
  • CVE-2023-46290: Rockwell Automation FactoryTalk Services Platform
  • CVE-2024-21914: Rockwell Automation FactoryTalk View ME
  • CVE-2024-21915: Rockwell Automation FactoryTalk Service Platform
  • CVE-2024-21917: Rockwell Automation FactoryTalk Service Platform

By addressing these vulnerabilities and other security findings, and by removing direct Internet exposure from devices not designed for it, organizations can significantly reduce the risk of unauthorized and malicious cyber activity. Note that "taking a device offline" here means removing it from the Internet, not from service: the device keeps running on its local network.

Steps Organizations Need to Take

1. Move Beyond Airgapping: Recognize and Embrace IT/OT Convergence

Airgapping, the practice of physically isolating OT networks from the Internet and from corporate IT, has long been a cornerstone of industrial security. With increasing IT/OT convergence, however, this legacy approach is no longer sufficient on its own: air gaps erode through remote-access tools, vendor connections, dual-homed engineering workstations, and undocumented links, often without anyone deciding to bridge them. Organizations must recognize and plan for IT/OT convergence, whether intentional or accidental.

Action Points:

  • Conduct a Risk Assessment: Identify and assess every point where IT and OT networks touch, including remote-access paths, shared servers, and dual-homed hosts.
  • Implement Network Segmentation: Use firewalls, VLANs, and an IT/OT DMZ to create barriers between IT and OT networks, allowing only the specific flows each zone requires.
  • Proactively Monitor for Anomalies & Threats: Employ continuous monitoring to detect early signs of an attack, unauthorized access attempts, and anomalies that indicate a potential breach.
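The exposure check behind the directive and the convergence points called for in the risk assessment above can both be found in the same data: flow records at the OT boundary. The following is an added example, not Armis or Rockwell code. It runs over a constructed list of NetFlow-style records; the zone layout (10.20.0.0/16 as the OT cell, 10.10.0.0/16 as corporate IT), the addresses, and the port list are assumptions for illustration.

```python
"""Flag OT assets that are reachable from outside their zone.

Added example, not Armis or Rockwell code. Input is a constructed list of
NetFlow-style records as a collector would export them; the zone layout,
the addresses and the port list are assumptions for illustration.
"""
import ipaddress

# Assumed zone layout (hypothetical): one OT cell network, one corporate IT network.
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")
IT_ZONE = ipaddress.ip_network("10.10.0.0/16")

# Anything outside these ranges is treated as Internet. ipaddress.is_private is
# deliberately not used: it also matches the documentation ranges used below.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Well-known industrial protocol ports and their registered services.
ICS_PORTS = {44818: "EtherNet/IP", 2222: "EtherNet/IP implicit I/O", 502: "Modbus/TCP"}

# Constructed flow records: (src_ip, dst_ip, dst_port). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for Internet hosts.
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.20.1.30", 44818),   # PLC <-> HMI inside the cell: expected
    ("203.0.113.7", "10.20.1.15", 44818),  # Internet -> PLC: directly exposed
    ("10.10.5.22", "10.20.1.15", 44818),   # IT workstation -> PLC: IT/OT crossing
    ("10.20.1.15", "198.51.100.9", 443),   # PLC -> Internet: outbound, also flagged
    ("10.10.5.22", "10.10.5.40", 445),     # IT-only traffic: not our concern here
]


def classify(addr):
    """Map an address to 'ot', 'it', 'internal' (other private space) or 'internet'."""
    ip = ipaddress.ip_address(addr)
    if ip in OT_ZONE:
        return "ot"
    if ip in IT_ZONE:
        return "it"
    if any(ip in net for net in INTERNAL_RANGES):
        return "internal"
    return "internet"


def analyze_flows(flows):
    """Return one finding per flow that crosses the OT zone boundary.

    'internet-exposed' is the case the directive targets; 'it-ot-crossing'
    is a convergence point to record in the risk assessment.
    """
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = classify(src), classify(dst)
        if "ot" not in (src_zone, dst_zone):
            continue                      # no OT asset involved
        if src_zone == dst_zone == "ot":
            continue                      # intra-cell traffic stays in the cell
        if dst_zone == "ot":
            ot_asset, peer, peer_zone = dst, src, src_zone
        else:
            ot_asset, peer, peer_zone = src, dst, dst_zone
        kind = "internet-exposed" if peer_zone == "internet" else "it-ot-crossing"
        findings.append({
            "kind": kind,
            "ot_asset": ot_asset,
            "peer": peer,
            "direction": "inbound" if dst_zone == "ot" else "outbound",
            "port": port,
            "service": ICS_PORTS.get(port, "unknown"),
        })
    # Internet exposure first, and within each kind inbound before outbound.
    order = {"internet-exposed": 0, "it-ot-crossing": 1}
    return sorted(findings, key=lambda f: (order[f["kind"]], f["direction"] != "inbound"))


def exposed_assets(flows):
    """Set of OT addresses with any Internet-facing flow: the disconnect list."""
    return {f["ot_asset"] for f in analyze_flows(flows) if f["kind"] == "internet-exposed"}


if __name__ == "__main__":
    for f in analyze_flows(SAMPLE_FLOWS):
        print(f"{f['kind']:17} {f['ot_asset']:12} {f['direction']:8} "
              f"{f['peer']:15} {f['port']} {f['service']}")
```

On the sample data the PLC at 10.20.1.15 appears twice as Internet-exposed (an inbound EtherNet/IP session and an outbound HTTPS connection) and once as an IT/OT crossing from an IT workstation. The first two are the directive's disconnect list; the third is a segmentation decision: either the workstation belongs in an engineering VLAN behind the DMZ, or the flow is a finding. The same logic works on real collector exports once the zone definitions reflect your own address plan.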

2. Build and Maintain a Robust OT Security Practice

A sound OT security practice begins with a comprehensive asset inventory. This inventory should provide deep situational awareness into every asset and device within your network.

Action Points:

  • Create a Detailed Asset Inventory: Catalog all devices, including their configurations, firmware versions, and patch levels.
  • Utilize Asset Management Tools: Employ automated tools to maintain up-to-date records and detect unauthorized devices.
  • Ensure Visibility: Continuously monitor your assets for changes and incorporate real-time data into your security strategies.

3. Automate and Consolidate Vulnerability & Threat Management

Managing vulnerabilities and other security issues manually is inefficient and prone to error. Organizations need an automated and consolidated list of vulnerabilities and other security incidents. These should be prioritized and sent to the right “owner” for immediate and comprehensive remediation.

Action Points:

  • Implement Automated Vulnerability & Security Issue Discovery: Use tools that continuously identify vulnerabilities and risk and integrate with your existing security infrastructure. In OT, prefer passive discovery (traffic analysis, configuration and firmware data) over active scanning, which can disrupt or crash sensitive controllers.
  • Prioritize Remediation: Develop a risk-based approach that ranks vulnerabilities and threats by exploitability, exposure, and potential business impact.
  • Assign Ownership: Clearly define roles and responsibilities for remediation efforts, ensuring accountability and timely resolution.
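Steps 2 and 3 above describe one pipeline: an inventory with firmware versions, advisories matched against it, a risk-based ranking, and a named owner for each item. The following added example (not Armis or Rockwell code) implements that pipeline end to end. The inventory, the advisories, the owner map and the scoring weights are all constructed for illustration; the advisory identifiers are placeholders rather than real CVEs, the product names are generic families rather than real SKUs, and the dot-separated integer firmware version format is an assumption.

```python
"""Match an asset inventory against advisories and route remediation by owner.

Added example, not Armis or Rockwell code. The inventory, the advisories, the
owner map and the scoring weights are constructed for illustration; the
advisory IDs are placeholders, not real CVEs, and the firmware version format
(dot-separated integers) is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    product: str
    firmware: str
    zone: str
    internet_exposed: bool   # from a flow or firewall/NAT review
    criticality: int         # assumed 1..5 scale; 5 = process- or safety-critical


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifiers, not real CVEs
    product: str
    fixed_in: str      # first firmware version that carries the fix
    cvss: float


# Constructed inventory: product names are generic families, not real SKUs.
INVENTORY = [
    Asset("plc-01", "ControllerFamilyA", "32.011", "cell-3", True, 5),
    Asset("plc-02", "ControllerFamilyA", "33.015", "cell-3", False, 5),
    Asset("hmi-01", "HmiRuntimeB", "12.0", "cell-3", False, 3),
    Asset("eng-01", "EngineeringWsC", "35.00", "eng-vlan", False, 2),
]

# Constructed advisories (hypothetical IDs and version thresholds).
ADVISORIES = [
    Advisory("ADV-HYP-0001", "ControllerFamilyA", "33.011", 9.8),
    Advisory("ADV-HYP-0002", "HmiRuntimeB", "13.0", 7.5),
]

# Assumed remediation owners per network zone.
OWNERS = {"cell-3": "plant3-controls", "eng-vlan": "ot-engineering"}


def parse_version(v):
    """'32.011' -> (32, 11); numeric comparison avoids '9' > '10' string bugs."""
    return tuple(int(part) for part in v.split("."))


def is_affected(asset, adv):
    """Affected when the product matches and the firmware predates the fix."""
    return (asset.product == adv.product
            and parse_version(asset.firmware) < parse_version(adv.fixed_in))


def risk_score(asset, adv):
    """CVSS weighted by exposure and process criticality (assumed weights).

    Internet exposure doubles the score: an unpatched but unreachable
    controller is a different problem from one anyone can connect to.
    """
    exposure = 2.0 if asset.internet_exposed else 1.0
    return round(adv.cvss * exposure * asset.criticality / 5, 2)


def build_queue(inventory, advisories, owners):
    """Return findings sorted by score, each with an owner and concrete actions."""
    queue = []
    for asset in inventory:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            actions = [f"update {asset.product} firmware to {adv.fixed_in} or later"]
            if asset.internet_exposed:
                # The directive's point: remove the exposure now, patch in the next window.
                actions.insert(0, "remove direct Internet reachability immediately")
            queue.append({
                "asset_id": asset.asset_id,
                "advisory_id": adv.advisory_id,
                "score": risk_score(asset, adv),
                "owner": owners.get(asset.zone, "unassigned"),
                "actions": actions,
            })
    return sorted(queue, key=lambda f: f["score"], reverse=True)


def by_owner(queue):
    """Group the prioritized queue into per-owner work lists, order preserved."""
    grouped = {}
    for finding in queue:
        grouped.setdefault(finding["owner"], []).append(finding)
    return grouped


if __name__ == "__main__":
    for owner, items in by_owner(build_queue(INVENTORY, ADVISORIES, OWNERS)).items():
        print(owner)
        for f in items:
            print(f"  {f['score']:5} {f['asset_id']} {f['advisory_id']}: {'; '.join(f['actions'])}")
```

Two design points carry over to real tooling. First, the version comparison is numeric, because a string comparison would rank firmware "9.x" above "10.x" and silently miss affected devices. Second, an Internet-exposed asset gets a "remove reachability" action ahead of the firmware update: disconnecting is usually possible today, while a controller firmware update waits for a maintenance window, and the score reflects that gap.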

4. Foster an Ecosystem of Trust in Your Security Stack

Ensuring that your security stack works cooperatively is crucial for defending your organization. This “ecosystem of trust” involves integrating products and solutions that work together seamlessly to achieve the greater good of the company.

Action Points:

  • Integrate Security Tools: Ensure your security tools can communicate and share data effectively.
  • Promote Collaboration: Foster a culture of collaboration between different security teams and stakeholders.
  • Regular Audits and Reviews: Conduct regular reviews of your security ecosystem to identify gaps and areas for improvement.

Learning from Past and Present Threats

The increasing frequency of advisories and alerts from organizations like CISA and the NSA reflects the evolving threat landscape. The recent warnings about pro-Russian hacktivists and other rogue factions that have gained “red button functionality” with the goal of disrupting critical infrastructure operations highlight the urgency of securing OT systems. These incidents are not isolated; they are part of a broader trend that underscores the need for proactive security measures.

Historical Context

In the last few years, the NSA and CISA have published numerous joint advisories on securing OT and ICS devices against attack. The 2024 guidance builds on advisories from 2020 to 2023 that focused on stopping malicious activity targeting OT systems and defending Internet-exposed OT assets. These advisories were part of broader initiatives by the Biden administration, and by previous administrations, to strengthen U.S. critical infrastructure security.

Conclusion

Rockwell Automation's latest directive to remove ICS devices from the Internet is a critical reminder of the evolving threat landscape and the need for robust security measures. By moving beyond traditional airgapping, building a comprehensive OT security practice with full situational awareness, automating vulnerability & risk management, and fostering an ecosystem of trust, organizations can significantly enhance their security posture.

As security leaders, it’s imperative to stay vigilant, proactive, and continuously adapt to new threats. Implementing these measures will not only defend your organization but also ensure its success in fulfilling its mission.
