Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

New Vulnerabilities Allow Stuxnet-Style Attacks Against Rockwell PLCs

Researchers at industrial cybersecurity firm Claroty have identified two serious vulnerabilities that could allow malicious actors to launch Stuxnet-style attacks against programmable logic controllers (PLCs) made by Rockwell Automation.

Researchers at industrial cybersecurity firm Claroty have identified two serious vulnerabilities that could allow malicious actors to launch Stuxnet-style attacks against programmable logic controllers (PLCs) made by Rockwell Automation.

Claroty on Thursday published a blog post describing its findings. Separate advisories for the two vulnerabilities were also released on Thursday by the US Cybersecurity and Infrastructure Security Agency (CISA) and Rockwell Automation (account required).

One of the security holes, tracked as CVE-2022-1161 and classified as “critical,” affects various CompactLogix, ControlLogix, GuardLogix, FlexLogix, DriveLogix and SoftLogix controllers. The second flaw, tracked as CVE-2022-1159 and rated “high severity,” affects the Studio 5000 Logix Designer programming software that runs on engineering workstations.

According to Rockwell Automation and Claroty, the vulnerabilities can allow an attacker who has access to the victim’s systems to make changes to PLC program code and modify automation processes without being detected. This could result in significant damage, depending on the type of system controlled by the PLC.

This is reminiscent of the vulnerability exploited a decade ago by the notorious Stuxnet malware, which the United States and Israel used to cause damage to Iran’s nuclear program.

“An attacker with the ability to modify PLC logic could cause physical damage to factories that affect the safety of manufacturing assembly lines, the reliability of robotic devices, or in a much more dramatic example, as we saw with Stuxnet, attackers could damage centrifuges at the core of uranium enrichment at a nuclear facility,” Claroty researchers warned.

Stuxnet targeted Siemens devices, but vulnerabilities that can be exploited to achieve a similar goal have also been found in recent years in PLCs made by Schneider Electric and other vendors.

In the case of the vulnerabilities discovered recently by Claroty in Rockwell products, they target the process of developing code and transferring it to the PLC. This process consists of developing the code on an engineering workstation using the Studio 5000 software, compiling it to PLC-compatible binary code, and transferring that code from the engineering workstation to the PLC, where it will get executed.

Advertisement. Scroll to continue reading.

Stuxnet attack on Rockwell PLC

The critical flaw enables an attacker — in combination with a previously disclosed Logix controller weakness — to deliver malicious code to a controller while the engineer is shown legitimate code in the programming software.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference

The second vulnerability can be exploited by an attacker with admin privileges to a workstation running the Studio 5000 software to intercept the compilation process and inject their own code into the user program, again without raising suspicion.

“The end result of exploiting both vulnerabilities is the same: The engineer believes that benign code is running on the PLC; meanwhile, completely different and potentially malicious code is being executed on the PLC,” Claroty explained. “Changes to the logic flow or predefined local variables will alter a PLC’s normal operation and can result in new commands being sent to physical devices, such as belts and valves controlled by the PLC.”

Rockwell has shared various mitigations that can be used to prevent these types of attacks and it has also developed a tool that can detect hidden code running on a PLC.

Related: New Module Suggests Fourth Team Involved in Stuxnet Development

Related: Flaws in Rockwell Automation Product Expose Engineering Workstations to Attacks

Related: Hackers Can Target Rockwell Industrial Software With Malicious EDS Files

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.