Programmable Logic Controllers manage industrial systems of all kinds, from oil rigs to vaccine production and one of the leading manufacturers of PLC is Rockwell Automation. A bad-as-it-gets (CVSS 10) vulnerability has been discovered that affects the Logix line of PLC devices.

According to the alert issued by the US CERT:

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to bypass the verification mechanism and connect with Logix controllers. Additionally, this vulnerability could enable an unauthorized third-party tool to alter the controller’s configuration and/or application code.

The behaviour of the PLC device is configured using Rockwell’s StudioLogix software which can control the devices and reprogram them.  The flaw in the system design (CVE-2021-22681) is that the communications between the StudioLogix software all the Logix devices in the world is protected by the same static encryption key embedded into the software, and that key is now available in the wild.  This means an unauthenticated attacker can easily connect to any Logix device and control its operation or reprogram its behaviour.

A patch is not planned to resolve this issue. Instead Rockwell is advising that the design of the network should protect the PLC devices from unauthorised connections.

The main recommendation is, of course, that devices should not be accessible from the Internet, and further network segmentation should be used to isolate industrial control systems from the main corporate network.

Detailed mitigation steps are available in the security advisory including links to Rockwell’s best practices for ensuring the industrial plants controlled by the PLC are secure by design.