Article Details

Original Article Text

Rockwell Automation warns admins to take ICS devices offline.

Rockwell Automation warned customers to disconnect all industrial control systems (ICSs) not designed for online exposure from the Internet, citing increasing malicious activity worldwide. Network defenders should never configure such devices to allow remote connections from systems outside the local network. Taking them offline drastically reduces an organization's attack surface and removes threat actors' direct access to systems that may not yet be patched against security vulnerabilities that would otherwise let attackers gain a foothold on their targets' internal networks.

"Due to heightened geopolitical tensions and adversarial cyber activity globally, Rockwell Automation is issuing this notice urging all customers to take IMMEDIATE action to assess whether they have devices facing the public internet and, if so, urgently remove that connectivity for devices not specifically designed for public internet connectivity," Rockwell said. "Removing that connectivity as a proactive step reduces attack surface and can immediately reduce exposure to unauthorized and malicious cyber activity from external threat actors."

Rockwell also cautioned customers to take the mitigation measures required to secure their devices against the following security vulnerabilities impacting Rockwell ICS devices.

Today, CISA also issued an alert regarding Rockwell Automation's new guidance to reduce ICS device exposure to cyberattacks. In September 2022, the National Security Agency (NSA) and CISA published a joint advisory on securing operational technology (OT) devices and industrial control systems (ICS) against attacks. Previously, they released guidance on stopping malicious attacks targeting OT control systems (2021) and defending Internet-exposed OT assets (2020).
These advisories built upon several initiatives spearheaded by the Biden administration, including a July 2021 national security memorandum instructing CISA and NIST to develop cybersecurity performance goals and guidance for critical infrastructure operators to help strengthen U.S. critical infrastructure security. Earlier this month, multiple U.S. federal agencies, including the NSA, FBI, CISA, and cybersecurity agencies from Canada and the U.K., warned of pro-Russian hacktivists disrupting critical infrastructure operations by hacking into unsecured operational technology (OT) systems. One of these groups, the Cyber Army of Russia, was linked by Mandiant to Sandworm, a hacking group part of Russia's Main Intelligence Directorate (GRU), the country's foreign military intelligence agency.
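Rockwell's notice asks operators to first establish whether any ICS device faces the public internet and then remove that connectivity. The script below is an added example of how a defender might automate that first assessment step; it is not code from Rockwell, CISA or the article. It assumes two exports the operator already has, an OT asset inventory and the perimeter firewall's port-forward (destination NAT) table, and a list of the address ranges the plant treats as internal. All device names, addresses, ports and CIDRs are constructed sample values. An ICS asset is flagged if its address lies outside the internal ranges or if a perimeter port-forward rule points at it, since either condition gives external systems a direct path to the device.

```python
import ipaddress
from typing import Iterable

# Constructed sample data (not from the article): an OT asset inventory as an
# asset-management tool might export it.
ASSETS = [
    {"name": "plc-line1", "ip": "10.20.1.15", "class": "ics"},
    {"name": "hmi-packaging", "ip": "10.20.1.40", "class": "ics"},
    {"name": "historian-dmz", "ip": "198.51.100.23", "class": "ics"},  # outside the plant's address plan
    {"name": "eng-laptop", "ip": "10.20.5.7", "class": "it"},
]

# Constructed perimeter port-forward table: external port -> internal address:port.
# 44818 is the EtherNet/IP port used by many Rockwell controllers.
NAT_RULES = [
    {"ext_port": 44818, "int_ip": "10.20.1.15", "int_port": 44818},
    {"ext_port": 8443, "int_ip": "10.20.5.7", "int_port": 443},
]

# Address ranges the plant considers local (constructed); anything outside
# them is treated as reachable from the outside.
INTERNAL_CIDRS = ["10.20.0.0/16", "192.168.0.0/16"]


def is_internal(ip: str, internal_cidrs: Iterable[str]) -> bool:
    """True if `ip` falls inside one of the organization's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in internal_cidrs)


def find_exposed_ics(assets, nat_rules, internal_cidrs):
    """Return ICS assets that appear reachable from the public internet.

    Two conditions count as exposure, both of which the notice asks
    operators to remove:
      1. the asset's own address is outside the internal address plan;
      2. a perimeter port-forward rule points at the asset.
    """
    findings = []
    ics_by_ip = {a["ip"]: a for a in assets if a["class"] == "ics"}

    for asset in ics_by_ip.values():
        if not is_internal(asset["ip"], internal_cidrs):
            findings.append({"asset": asset["name"], "ip": asset["ip"],
                             "reason": "address outside internal ranges"})

    for rule in nat_rules:
        target = ics_by_ip.get(rule["int_ip"])
        if target is not None:
            findings.append({"asset": target["name"], "ip": target["ip"],
                             "reason": f"port-forward {rule['ext_port']} -> {rule['int_port']}"})
    return findings


if __name__ == "__main__":
    for f in find_exposed_ics(ASSETS, NAT_RULES, INTERNAL_CIDRS):
        print(f"EXPOSED {f['asset']} ({f['ip']}): {f['reason']}")
```

Matching on a known internal address plan rather than on a generic "is this a public address" test is deliberate: the question the notice poses is whether a device is reachable from outside the plant network, and an operator's own CIDR list answers that more reliably than a library heuristic. The port-forward check catches the common case where a controller keeps a private address but the firewall punches a hole to it.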

Daily Brief Summary

NATION STATE ACTIVITY // Rockwell Automation Advises Immediate ICS Disconnection Due to Threats

Rockwell Automation issued a warning to customers urging them to disconnect industrial control systems (ICS) not intended for online exposure to protect against rising malicious cyber activities.

The guidance emphasizes the importance of keeping such devices off the internet to minimize organizational attack surfaces and prevent direct system access by threat actors.

Increased global geopolitical tensions and cyber threats prompted this advisement, stressing immediate action for devices unnecessarily connected to the public internet.

The advisory coincides with a CISA alert reinforcing the need for reduced ICS device exposure in light of current security vulnerabilities identified in Rockwell ICS devices.

Historical context includes past advisories from the NSA and CISA focused on securing operational technology (OT) and ICS from cyberattacks, with escalating guidance over recent years.

Recent federal alerts have also highlighted the activities of pro-Russian hacktivists and their impacts on critical infrastructure, noting that groups like the Cyber Army of Russia have government affiliations, increasing the threat level.

Rockwell's proactive step aims to drastically curtail the risk of unauthorized access and enhance overarching cybersecurity resilience in critical infrastructure sectors.