Rockwell Automation Warns Admins to Take ICS Devices Offline


Rockwell Automation is advising its customers to disconnect industrial control systems (ICS) that are not meant for public internet access, to prevent unauthorized or malicious cyber activity. The urgent advisory was issued in response to heightened geopolitical tensions and a growing number of global cyber threats. Customers should immediately identify and disconnect any internet-exposed devices that are not intended to be publicly accessible. Rockwell Automation emphasizes that ICS devices should never be directly connected to the public-facing internet; removing that connectivity significantly reduces the attack surface and the exposure to cyber threats.

Security Officer Comments:
CISA has also released an alert recommending that users and administrators follow the measures outlined in the Rockwell Automation advisory to reduce exposure. The alert also cites a 2020 joint advisory from CISA and the NSA warning that malicious actors were exploiting internet-accessible operational technology (OT) assets, posing a severe threat to critical infrastructure. In September 2022 the NSA further noted that APT groups have targeted OT/ICS systems for political and economic gain and potentially to cause destructive effects. Adversaries have been observed connecting to PLCs to modify control logic and trigger undesirable behavior.

Suggested Corrections:
Rockwell Automation advises customers to take IMMEDIATE action to assess whether they have devices facing the public internet and, if so, to urgently remove that connectivity for any device not specifically designed for it. In addition to disconnecting assets from the public internet, or where disconnection is not feasible, Rockwell Automation also urges customers to follow the security best practices outlined in its document Rockwell Automation | Security Best Practices [login required].
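Assessing exposure starts with finding which of your public addresses answer as EtherNet/IP devices, since that is the protocol Rockwell controllers and communication modules speak on TCP/44818. The Python script below is an added example, not code from Rockwell Automation or from the advisory: it sends the standard, unauthenticated EtherNet/IP ListIdentity request and decodes the reply, flagging CIP vendor ID 1 (Rockwell Automation/Allen-Bradley). The reply produced by build_sample_response(), including its product name, revision and serial number, is constructed for offline testing rather than captured from a real device; the hosts passed on the command line are assumed to be addresses in your own external address space.

```python
"""
Probe hosts for EtherNet/IP (TCP/44818) and decode their ListIdentity reply.

ListIdentity is the discovery request every EtherNet/IP device answers without
authentication. The reply carries the CIP vendor ID, device type, product name
and firmware revision, which is enough to spot a Rockwell device that is
reachable from an address it should never be reachable from.
"""
from __future__ import annotations

import socket
import struct
import sys
from dataclasses import dataclass

ENIP_PORT = 44818                   # EtherNet/IP explicit messaging port
CMD_LIST_IDENTITY = 0x0063          # encapsulation command ListIdentity
ITEM_LIST_IDENTITY_REPLY = 0x000C   # CPF item type carrying the identity
VENDOR_ROCKWELL = 0x0001            # CIP vendor ID 1 = Rockwell Automation/Allen-Bradley
# Encapsulation header: command, length, session handle, status, sender context, options
HEADER = struct.Struct("<HHII8sI")


def build_list_identity_request(sender_context: bytes = b"rw-probe") -> bytes:
    """24-byte encapsulation header with no payload: command 0x63, length 0."""
    ctx = sender_context[:8].ljust(8, b"\x00")
    return HEADER.pack(CMD_LIST_IDENTITY, 0, 0, 0, ctx, 0)


@dataclass
class EnipIdentity:
    vendor_id: int
    device_type: int
    product_code: int
    revision: str
    serial_number: int
    product_name: str
    state: int

    @property
    def is_rockwell(self) -> bool:
        return self.vendor_id == VENDOR_ROCKWELL


def _parse_identity_item(item: bytes) -> EnipIdentity:
    # Item layout: protocol version(2) + socket address(16) + vendor(2) + device
    # type(2) + product code(2) + revision major/minor(1+1) + status(2) +
    # serial(4) + product name (1-byte length + chars) + state(1)
    if len(item) < 33:
        raise ValueError("identity item too short")
    vendor, dev_type, prod_code, rev_major, rev_minor, _status, serial = \
        struct.unpack_from("<HHHBBHI", item, 18)
    name_len = item[32]
    name = item[33:33 + name_len]
    if len(name) != name_len or len(item) < 34 + name_len:
        raise ValueError("truncated product name or missing state byte")
    return EnipIdentity(vendor, dev_type, prod_code, f"{rev_major}.{rev_minor}", serial,
                        name.decode("ascii", "replace"), item[33 + name_len])


def parse_list_identity_response(data: bytes) -> list[EnipIdentity]:
    """Validate the encapsulation header and return every identity item in the reply."""
    if len(data) < HEADER.size:
        raise ValueError("short encapsulation header")
    cmd, length, _sess, status, _ctx, _opts = HEADER.unpack_from(data, 0)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected reply: command=0x{cmd:04x} status=0x{status:08x}")
    body = data[HEADER.size:HEADER.size + length]
    if len(body) != length or length < 2:
        raise ValueError("truncated body")
    (item_count,) = struct.unpack_from("<H", body, 0)
    off, found = 2, []
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        item = body[off:off + item_len]
        if len(item) != item_len:
            raise ValueError("truncated CPF item")
        off += item_len
        if type_id == ITEM_LIST_IDENTITY_REPLY:
            found.append(_parse_identity_item(item))
    return found


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full reply")
        buf += chunk
    return buf


def probe(host: str, timeout: float = 3.0) -> list[EnipIdentity]:
    """Send ListIdentity over TCP to one host and parse whatever comes back."""
    with socket.create_connection((host, ENIP_PORT), timeout=timeout) as sock:
        sock.sendall(build_list_identity_request())
        header = _recv_exact(sock, HEADER.size)
        length = HEADER.unpack_from(header, 0)[1]
        return parse_list_identity_response(header + _recv_exact(sock, length))


def build_sample_response() -> bytes:
    """Constructed reply for offline testing; values are invented, not from a real device."""
    sockaddr = struct.pack(">hH4s8s", 2, ENIP_PORT, bytes([192, 168, 1, 10]), b"\x00" * 8)
    name = b"1756-L71/B LOGIX5571"
    item = (struct.pack("<H", 1) + sockaddr
            + struct.pack("<HHHBBHI", VENDOR_ROCKWELL, 0x0E, 0x00A7, 20, 11, 0x0030, 0x00C0FFEE)
            + bytes([len(name)]) + name + b"\x03")
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY_REPLY, len(item)) + item
    return HEADER.pack(CMD_LIST_IDENTITY, len(body), 0, 0, b"rw-probe", 0) + body


if __name__ == "__main__":
    # usage: python enip_probe.py <host> [...]; with no arguments the constructed sample is decoded
    for host in sys.argv[1:] or ["sample"]:
        try:
            ids = parse_list_identity_response(build_sample_response()) if host == "sample" else probe(host)
        except (OSError, ValueError) as exc:
            print(f"{host}: no EtherNet/IP identity ({exc})")
            continue
        for i in ids:
            flag = "ROCKWELL - confirm this should be reachable" if i.is_rockwell else "other vendor"
            print(f"{host}: vendor=0x{i.vendor_id:04x} type=0x{i.device_type:02x} "
                  f"'{i.product_name}' rev {i.revision} serial 0x{i.serial_number:08x} [{flag}]")
```

Run it from outside your network perimeter so the answer reflects what an internet-based attacker sees; a reply from any host means the device is reachable and should be removed from that path or placed behind a VPN and firewall per the best-practices document. Note that many EtherNet/IP devices also answer ListIdentity on UDP/44818, and that a NAT port-forward can expose a controller even when the controller itself has a private address, so check forwarded ports as well as directly addressed hosts.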

Organizations must also ensure they have applied the security patches that address the following vulnerabilities:

  • CVE-2021-22681 (CVSS score: 10.0)
  • CVE-2022-1159 (CVSS score: 7.7)
  • CVE-2023-3595 (CVSS score: 9.8)
  • CVE-2023-46290 (CVSS score: 8.1)
  • CVE-2024-21914 (CVSS score: 5.3/6.9)
  • CVE-2024-21915 (CVSS score: 9.0)
  • CVE-2024-21917 (CVSS score: 9.8)