The Simple Network Management Protocol exploit could let an attacker take complete control of Rockwell Automation’s MicroLogix system

Cisco’s security intelligence and research group, Talos, said that it had reported a serious vulnerability in Rockwell Automation’s industrial control system, the MicroLogix 1400 programmable logic controller (PLC). The Simple Network Management Protocol (SNMP) exploit could let an attacker take complete remote control of the MicroLogix system and modify the device firmware, letting an invader run their own malicious code on the device.

MicroLogix 1400 PLCs are used in a variety of applications, from general industrial machinery and heating/air-conditioning units to SCADA (oil and gas, water/wastewater, and electrical power), to vending machines and industrial washers and dryers.

Cisco’s Talos wrote: “This vulnerability is due to the presence of an undocumented SNMP community string that could be leveraged by an attacker to gain full control of affected devices and grants the ability to manipulate configuration settings, replace the firmware running on the device with attacker-controlled code, or otherwise disrupt device operations. Depending on the role of the affected PLC within an industrial control process, this could result in significant damages. At the most basic level, knowledge of the undocumented community string allows an attacker to read all values accessible via SNMP. In addition to read permissions, the ‘wheel’ community has the same write privileges as the ‘private’ community and can modify all writable SNMP OIDs.

While it is possible for operators to change the default SNMP community strings on affected devices, the fact that this SNMP string is not documented by the vendor drastically decreases the likelihood of this value being changed prior to production deployment of the PLCs, as most operators are not likely to even be aware of its existence. Given the severity of this issue, and the fact that this functionality has not been removed from affected devices, it is recommended that mitigations be put in place to prevent the successful exploitation of this vulnerability in production environments.”

According to an Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) post on the security problem, Rockwell Automation recommends that users of affected versions of the MicroLogix 1400 evaluate and deploy the risk mitigation strategies listed below. When possible, multiple strategies should be employed simultaneously, the post stated.

- Utilize the product’s “RUN” keyswitch setting to prevent unauthorized and undesired firmware update operations and other disruptive configuration changes.
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that SNMP requests from unauthorized sources are blocked. See KB496391d for more information on blocking access to SNMP services.
- Disable the SNMP service on this product. The SNMP service is enabled by default. See Page 128 in the MicroLogix 1400 product manual for detailed instructions on enabling and disabling SNMP. Note: It will be necessary to re-enable SNMP to update firmware on this product. After the upgrade is complete, disable the SNMP service once again.
- Note: Changing the SNMP community strings is not an effective mitigation.
- Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
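Because the advisory says changing community strings does not mitigate the issue, the practical controls are blocking SNMP and watching for requests that use a community string the site never configured. The following is an added example (not code from the article, Talos, Rockwell or ICS-CERT) that decodes the SNMPv1/v2c message header with a minimal BER parser and flags any request whose community string is outside an allow-list; `ALLOWED_COMMUNITIES` is an assumed site setting, and the sample packets are constructed inline.

```python
# Assumption: these are the community strings this site documented and expects.
ALLOWED_COMMUNITIES = {b"public", b"private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}

def _read_tlv(buf: bytes, pos: int):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:                           # datagram cut short: refuse, don't guess
        raise ValueError("truncated BER element")
    return tag, value, pos + length

def parse_snmp_header(packet: bytes):
    """Return (version, community, pdu_tag); community and pdu_tag are None for SNMPv3."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing; not SNMP")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version == 3:                                   # v3 carries msgGlobalData, no community
        return version, None, None
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    pdu_tag, _, _ = _read_tlv(body, pos)               # 0xA0..0xA3 = request type
    return version, community, pdu_tag

def classify(packet: bytes) -> str:
    """Verdict for one UDP/161 payload: 'ok', 'v3', or an ALERT naming PDU and community."""
    version, community, pdu_tag = parse_snmp_header(packet)
    if community is None:
        return "v3"
    if community in ALLOWED_COMMUNITIES:
        return "ok"
    return f"ALERT {PDU_NAMES.get(pdu_tag, hex(pdu_tag))} with community {community!r}"

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value            # short-form length only (< 128 bytes)

def build_v2c(community: bytes, pdu_tag: int = 0xA0) -> bytes:
    """Constructed SNMPv2c request (request-id 1, empty varbind list) used as sample input."""
    pdu = _tlv(pdu_tag, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00") + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, community) + pdu)
```

Feed `classify` the UDP payloads captured on port 161 in front of the PLC network; a SetRequest with an unexpected community such as the `wheel` string named above is the event to alert on.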