Reader Comment – 01-22-10 MicroLogix

Keith Lester posted some additional information on the AB MicroLogix™ vulnerability. He wrote: “Rockwell Automation posted a TechNote on MicroLogix vulnerability in early January 2010; http://rockwellautomation.custhelp.com/app/answers/detail/a_id/65980/kw/65980/r_id/113025” Keith is obviously more experienced at searching the Rockwell Automation web site than I am, since I could not find a single mention of the problem. I really appreciate readers helping out. Actually it may be a good thing that I couldn’t find this information since it has been updated since I searched the site. Looking at the referenced page, Rockwell Automation recommends some specific mitigation strategies (printed below). To me these look like the standard precautions that someone should take with any industrial control system.

1. “Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment. 2. “Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and control networks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures. 3. “Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance). 4. “Periodically and frequently change the Product's password and obsolete previously used passwords to reduce exposure to threat from a Product password becoming known.”

Any facility security manager (or cyber security manager) that has the listed MicroLogix controllers (1000, 1100, 1200, 1400, or 1500) on site should check the web page that Keith identified.