Some good news on Quickdraw SCADA IDS and vendor vulnerability handling with Rockwell Automation’s response to the denial-of-service vulnerability on RSLogix and FactoryTalk identified by Luigi Auriemma. Rockwell and NitroSecurity developed IDS signatures that detect this attack and have graciously allowed them to be part of our Quickdraw project. They are placed in Version 1.4 of the Vulnerability Rules and are available with free registration to digitalbond.com.
Before getting to the IDS rules, consider how far this vendor has come in the past three years in vulnerability handling.
- They issued an advisory on their site the same day as Luigi’s announcement.
- More interesting is their updated advisory on Sept 30th. Rockwell Automation does not try to hedge on the significance and discusses the denial of service and denial of view. The advisory also provides context on what the vuln is not:
“no known possibility of malicious code injection and no known escalation of privilege on the target machine that results from successful exploitation of the vulnerability. Furthermore, there is no indication that exploitation will disrupt operation of a Rockwell Automation programmable controller or communications between RSLogix 5000 software and a Rockwell Automation programmable controller.”
It is unclear whether they are relying on the fact that Luigi and others haven’t found such an impact yet, or whether they have done their own investigation. They could improve a bit on this point.
- They released a security patch for FactoryTalk.
- They announced a security patch for RSLogix will be available on October 14th. Other vendors need to follow this example and provide customers with information on when a fix will be available. Going back to Siemens, we still have no idea when any of the outstanding Beresford vulns will be addressed … 1 month, 3 months, next year, never?
- The advisory includes firewall configuration information.
- And finally they have released IDS signatures to detect attacks trying to exploit this vulnerability.
Rockwell Automation worked with NitroSecurity to develop the IDS signatures for this vulnerability. There are five signatures developed to detect this attack that look at the message header and body length. They will have value even after owner/operators have applied the patch.
The signatures will detect when an adversary is running an ICS-specific attack. That is good information to know before the adversary finds a way to succeed. The signatures may also identify future attacks because they look for behavior that violates the protocol. We have developed similar signatures for other protocols, such as DNP3, because protocol violations should not occur in a deployed ICS.
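As an added illustration of the header/body-length consistency check this kind of signature relies on (example code written for this post, not the Rockwell, NitroSecurity or Quickdraw rules themselves), here is a small inspector in Python. The framing, magic value, message types and size limit are constructed for the example and are not the RSLogix or FactoryTalk wire format:

```python
import struct
from dataclasses import dataclass

# Constructed framing for this example only; it is NOT the RSLogix or
# FactoryTalk wire format. Header: 2-byte magic, 1-byte message type,
# 2-byte big-endian declared body length. The body follows the header.
MAGIC = b"\x5a\x5a"
HEADER_LEN = 5
MAX_BODY_LEN = 1024            # assumed protocol maximum
KNOWN_TYPES = {0x01, 0x02}     # assumed valid message types

@dataclass
class Alert:
    rule: str
    detail: str

def build_frame(mtype: int, body: bytes, declared: int = -1) -> bytes:
    """Build a frame; a non-negative `declared` forges a wrong length field."""
    length = len(body) if declared < 0 else declared
    return struct.pack("!2sBH", MAGIC, mtype, length) + body

def inspect_frame(frame: bytes) -> list:
    """Flag header/body-length inconsistencies, the protocol-violation
    checks that length-based IDS signatures look for."""
    if len(frame) < HEADER_LEN:
        return [Alert("truncated-header", f"{len(frame)} < {HEADER_LEN} bytes")]
    magic, mtype, declared = struct.unpack("!2sBH", frame[:HEADER_LEN])
    body = frame[HEADER_LEN:]
    alerts = []
    if magic != MAGIC:
        alerts.append(Alert("bad-magic", magic.hex()))
    if mtype not in KNOWN_TYPES:
        alerts.append(Alert("unknown-type", hex(mtype)))
    if declared > MAX_BODY_LEN:
        alerts.append(Alert("oversized-length", f"declared {declared}"))
    if declared != len(body):
        alerts.append(Alert("length-mismatch",
                            f"declared {declared}, actual {len(body)}"))
    return alerts

# Constructed traffic: one well-formed frame and three malformed ones.
SAMPLES = {
    "good": build_frame(0x01, b"\x00" * 16),
    "short_body": build_frame(0x01, b"\x00" * 4, declared=64),
    "huge_length": build_frame(0x02, b"", declared=0xFFFF),
    "truncated": b"\x5a\x5a\x01",
}
```

Running `inspect_frame` over each entry in `SAMPLES` yields no alert for the well-formed frame and one or more rule names for each malformed one, which is the behaviour a signature of this kind should show regardless of whether the patch is installed.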
As mentioned at the beginning, these five signatures are now part of the Quickdraw SCADA IDS in the Vulnerability Rules section. You can download these and all the other Quickdraw SCADA IDS rules, preprocessors and plugins from the Quickdraw download page.