← Back to home
ICSA-22-090-05  ·  Published 2022-03-31  ·  View on CISA ICS-CERT ↗

Rockwell Automation Logix Controllers

CVSS 10.0 CRITICAL

Risk Summary

Successful exploitation of this vulnerability may allow an attacker to modify user programs. A user could then unknowingly download those modified elements containing malicious code.

CVEs (1)

Remediations

  • Users using the affected software or controllers are directed towards the risk mitigation steps listed below and are encouraged, when possible, to combine this guidance with the general security guidelines for a comprehensive defense-in-depth strategy.
  • The following mitigations should be applied for ControlLogix 5560, ControlLogix 5570, ControlLogix 5580 series, GuardLogix 5570, GuardLogix 5580, GuardLogix 5380, CompactLogix, CompactLogix 5380 devices:
  • Risk Mitigation A:
  • Recompile and download user program code (i.e., acd).
  • Put controller mode switch into Run position.
  • If keeping controller mode switch in Run is impractical, use the following mitigation:
  • Monitor controller change log for any unexpected modifications or anomalous activity.
  • Utilize the Controller Log feature.
  • Utilize Change Detection in the Logix Designer Application.
  • If available, use the functionality in FactoryTalk AssetCenter software to detect changes.
  • Risk Mitigation B:
  • Implement CIP Security to help prevent unauthorized connections when properly deployed. Supported controllers and communications modules include:
  • ControlLogix 5580 processors using on-board EtherNet/IP port.
  • GuardLogix 5580 processors using on-board EtherNet/IP port.
  • ControlLogix 5580 processors operating in High Availability (HA) configurations using 1756-EN4TR
  • ControlLogix 5560, ControlLogix 5570, ControlLogix 5580, GuardLogix 5570 and GuardLogix 5580 can use a 1756-EN4TR ControlLogix EtherNet/IP module.
  • If using a 1756-EN2T, then replace with a 1756-EN4TR
  • CompactLogix 5380 using on-board EtherNet/IP port.
  • CompactLogix GuardLogix 5380 using on-board EtherNet/IP port.
  • The following mitigations should be applied for 1768 CompactLogix, 1769 CompactLogix, CompactLogix 5370, and CompactLogix 5480 devices:
  • If keeping controller mode switch in Run is impractical, then use the following mitigation:
  • Use the Controller Log feature.
  • Use Change Detection in the Logix Designer application.
  • If available, use the functionality in FactoryTalk AssetCenter to detect changes.

Affected Vendors

Rockwell Automation

Affected Products (17)

Rockwell Automation · 1768 CompactLogix controllers vers:all/*
Rockwell Automation · ControlLogix 5570 controllers vers:all/*
Rockwell Automation · ControlLogix 5580 controllers vers:all/*
Rockwell Automation · GuardLogix 5560 controllers vers:all/*
Rockwell Automation · GuardLogix 5570 controllers vers:all/*
Rockwell Automation · GuardLogix 5580 controllers vers:all/*
Rockwell Automation · FlexLogix 1794-L34 controllers vers:all/*
Rockwell Automation · DriveLogix 5730 controllers vers:all/*
Rockwell Automation · SoftLogix 5800 controllers vers:all/*
Rockwell Automation · 1769 CompactLogix controllers vers:all/*
Rockwell Automation · CompactLogix 5370 controllers vers:all/*
Rockwell Automation · CompactLogix 5380 controllers vers:all/*
Rockwell Automation · CompactLogix 5480 controllers vers:all/*
Rockwell Automation · Compact GuardLogix 5370 controllers vers:all/*
Rockwell Automation · Compact GuardLogix 5380 controllers vers:all/*
Rockwell Automation · ControlLogix 5550 controllers vers:all/*
Rockwell Automation · ControlLogix 5560 controllers vers:all/*

Affected Sectors

Multiple Sectors

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more