I recently posted a vulnerability in several models of the Rockwell Automation MicroLogix product line, and noted that, per the security researcher, Eyal Udassin of C4, Rockwell had been completely cooperative with the security researcher in working out a solution to the problem.
This morning, Rockwell asked me to post a statement about the issue, and I am pleased to do so. As I told the RA folks, I will be happy to keep the end users who use RA MicroLogix completely in the loop, and I'm looking forward to the day I can post that the vulnerability has been completely solved.
It needs to be pointed out, again, that this is a vulnerability that can only be exploited by a well trained and knowledgeable attacker, not one that is a very high-risk issue.
Here's Rockwell's official statement:
Rockwell Automation - MicroLogix Security Improvement
Rockwell Automation takes network security very seriously, and works to ensure customers use proper security measures. The company recently identified a low-potential security concern to its MicroLogix™ family of programmable controllers. A highly skilled, unauthorized person, using specific tools to intercept the controller password, could potentially gain access and interrupt the controller’s intended operation. For customers who are concerned about unauthorized access, Rockwell Automation recommends using layered security and defensive system design as a best practice.
These customers should also limit physical and electronic access to automation products, networks and systems to only authorized people, regularly change the password, and make previously used passwords obsolete.
Rockwell Automation is working closely with industry groups and appropriate agencies to reduce potential security risks in industrial control systems. Rockwell Automation is confident these solutions will enable our customers to successfully manage this security concern. To assess a control system’s overall security posture, consider engaging a Rockwell Automation security consultant.
