Rockwell Automation Security: Part 1 Logix PAC’s

We just finished a series of SCADApedia entries on security in Rockwell Automation (RA) controllers and software applications. Remember, the SCADApedia is a place for facts, so I’ll lay out some opinions and conclusions in this two-part blog.

    • The ControlLogix PAC (powerful PLC) is a prime example of why we are fans of the simple, little IEEE P1686 standard effort. The Logix family only supports a single password that locks and unlocks the PAC through a CPU Lock utility that, quite frankly, was not integrated with any management software at least through Version 15. P1686, which is for much simpler IED’s, requires support for ten UserID and Password combinations. Maybe P1686 is a low bar, but it would be a dramatic improvement in the security in most controllers including the RA family.
    • If anyone can confirm the CPU Lock feature was integrated into RSLogix in Version 16 it would be appreciated. Screen shots and documentation hint at this. Also, how about RSLinx?
    • In our informal survey of RA users, RA personnel and integrators, it was clear that even the limited security features in the Logix PAC’s (CPU Lock, Source Protection, Priority and CIP limits) were unknown and unused by most. One of the most common recommendations was to turn the physical key to Run and remove the key to prevent any remote changes. Great control, if practical in your environment. Of course, this is not possible or prohibitively expensive in many larger or geographically dispersed systems.
    • Does the previous point mean security awareness efforts are failing? Are Joe Weiss and others correct to continue to hammer the basics at PCSF and other events? Perhaps awareness has been achieved in a narrow percentage of the community - the ones that attend events, contribute to standards, read SCADA security blogs, etc. The challenge is building security awareness amongst those who are not part of the control system security community, which would be the majority of control system users.
    • I’m uncertain what to recommend for limiting CIP connections. The ControlLogix supports up to 128, and has a feature that can set a lower maximum. So if an asset owner knows there should only be ten valid CIP connections at most, a maximum could be set. However, would this make it more or less susceptible to denial of service attacks? If forced to choose, I would recommend setting the limit because it would be so easy for an attacker to exceed the 128 maximum if denial of service was the goal. Setting the limit may identify an attacker who is trying to go low and slow.
    • RA should be commended for making huge amounts of documentation available. In fact, I cannot think of any other control vendor where we can read huge manuals on all of the products and options. Often this level of detail is not even written let alone available. RA does need to retire superseded documents or mark them obsolete because they conflict with current information. For example, we read that CPU Lock was not supported on the Ethernet interface in multiple documents when in fact that was old news.
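
The trade-off in the CIP connection limit point above, as an added example that is not part of the original post: a replay of constructed connection events against a modeled controller capped at 128 and at the asset owner's ten. The event format, addresses, timings and the assumption that an open is simply refused when no slot is free are all illustrative.

```python
from collections import namedtuple

# Constructed event format (an assumption, not a Rockwell log format):
# time in seconds, originator address, "open" or "close".
Event = namedtuple("Event", "t src action")

HARD_MAX = 128  # ControlLogix CIP connection maximum cited in the post


def replay(events, limit=HARD_MAX):
    """Replay events against a controller that allows `limit` connections.

    Returns the refused opens as (time, src) tuples, in time order.
    """
    limit = min(limit, HARD_MAX)
    active = []   # one entry per open connection
    refused = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.action == "close":
            if ev.src in active:
                active.remove(ev.src)
        elif len(active) >= limit:
            refused.append((ev.t, ev.src))   # no free slot: refused
        else:
            active.append(ev.src)
    return refused


def summarize(events, limit, legit):
    """First refusal time (the detection signal) and how many refusals
    hit legitimate originators (the denial-of-service cost)."""
    refused = replay(events, limit)
    return {
        "first_refusal": refused[0][0] if refused else None,
        "legit_refused": sum(1 for _, src in refused if src in legit),
        "total_refused": len(refused),
    }


def sample_events():
    """Constructed scenario: eight legitimate connections, an unknown host
    opening one connection every 10 minutes, one legitimate reconnect."""
    events = [Event(i, f"10.0.0.{i + 1}", "open") for i in range(8)]
    events += [Event(600 * n, "10.0.9.9", "open") for n in range(1, 21)]
    events += [Event(2000, "10.0.0.1", "close"), Event(2500, "10.0.0.1", "open")]
    return events


LEGIT = {f"10.0.0.{i + 1}" for i in range(8)}

if __name__ == "__main__":
    for cap in (HARD_MAX, 10):
        print(cap, summarize(sample_events(), cap, LEGIT))
```

With the cap at ten, the slow originator's third attempt is refused, which is the signal the post describes, but the same cap later refuses a legitimate reconnect. At 128 neither happens in this window.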

      Part II will cover opinions on security in the Rockwell Software management applications. We have some very strong and important pro and con opinions on this.

      Note: This series of RA blogs and SCADApedia entries was the original impetus for the SCADApedia. We were frustrated by how difficult it was to get accurate basic security guidance. Once we had the information, we had a lot of opinions in addition to the facts. We didn’t want to mix the two, and we didn’t want the facts in the blog entry to age off and be of little use after all this work. Hopefully this helps our current and future readers.