Rockwell Automation’s ControlLogix PLC was one of the targets in Project Basecamp, and Ruben Santamarta found a number of vulnerabilities in the product. Today we are happy to add six IDS signatures to the Quickdraw SCADA IDS release.
The new signatures were developed by Rockwell Automation and kindly donated to our Quickdraw project. They do not require a preprocessor, so they should be easy to adapt to other IDS products for those who do not use Snort. As you can tell from the signature titles, they detect attacks that could stop, modify or disclose the process details in a very serious way.
- Rockwell Automation ControlLogix Denial of Service (CPU Stop)
- Rockwell Automation ControlLogix Denial of Service (Crash CPU)
- Rockwell Automation ControlLogix EtherNet/IP modules boot code dump (Dump)
- Rockwell Automation ControlLogix EtherNet/IP reset command Denial of Service (ResetEth)
- Rockwell Automation ControlLogix Crash 1756-ENBT module (CrashEth)
- Rockwell Automation ControlLogix EtherNet/IP Initialize the device to update the firmware (FlashUp)
These signatures offer a nice detection capability in IDS mode and some protection in IPS mode. Rockwell Automation continues to be one of the more forthcoming vendors in providing information on vulnerabilities and some fixes. I’m hopeful we will see some serious PLC security upgrades from them in the near future. (I just successfully fought the urge to write something true but nasty about other vendors; please give us something good to write about the progress you are making.)
IDS/IPS is a useful compensating control in the short term, but neither it nor any other defense in depth measure should delay the effort for vendors to finally offer robust and secure PLCs and for asset owners to replace their fragile and insecure field devices.
The vast majority of PLCs, RTUs and other controllers on the market today are in a fragile and insecure state, and it will take about three years of concerted effort for the critical infrastructure to work its way out of this serious problem. Asset owners should be looking at their current and prospective vendors to see if they have a reasonable plan to provide a secure PLC.
- Is the vendor providing honest information?
- Does the vendor have a firm plan on when their secure PLC will be available?
- What is the upgrade path from your current PLC to a secure PLC?