Researchers at industrial cybersecurity firm Claroty have identified two serious vulnerabilities that could allow malicious actors to launch Stuxnet-style attacks against programmable logic controllers (PLCs) made by Rockwell Automation.
Claroty on Thursday published a blog post describing its findings. Separate advisories for the two vulnerabilities were also released on Thursday by the US Cybersecurity and Infrastructure Security Agency (CISA) and Rockwell Automation (account required).
One of the security holes, tracked as CVE-2022-1161 and classified as “critical,” affects various CompactLogix, ControlLogix, GuardLogix, FlexLogix, DriveLogix and SoftLogix controllers. The second flaw, tracked as CVE-2022-1159 and rated “high severity,” affects the Studio 5000 Logix Designer programming software that runs on engineering workstations.
According to Rockwell Automation and Claroty, the vulnerabilities can allow an attacker who has access to the victim’s systems to make changes to PLC program code and modify automation processes without being detected. This could result in significant damage, depending on the type of system controlled by the PLC.
This is reminiscent of the vulnerability exploited a decade ago by the notorious Stuxnet malware, which the United States and Israel used to cause damage to Iran’s nuclear program.
“An attacker with the ability to modify PLC logic could cause physical damage to factories that affect the safety of manufacturing assembly lines, the reliability of robotic devices, or in a much more dramatic example, as we saw with Stuxnet, attackers could damage centrifuges at the core of uranium enrichment at a nuclear facility,” Claroty researchers warned.
Stuxnet targeted Siemens devices, but vulnerabilities that can be exploited to achieve a similar goal have also been found in recent years in PLCs made by Schneider Electric and other vendors.
In the case of the vulnerabilities discovered recently by Claroty in Rockwell products, they target the process of developing code and transferring it to the PLC. This process consists of developing the code on an engineering workstation using the Studio 5000 software, compiling it to PLC-compatible binary code, and transferring that code from the engineering workstation to the PLC, where it will get executed.
The critical flaw enables an attacker — in combination with a previously disclosed Logix controller weakness — to deliver malicious code to a controller while the engineer is shown legitimate code in the programming software.
Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference
The second vulnerability can be exploited by an attacker with admin privileges to a workstation running the Studio 5000 software to intercept the compilation process and inject their own code into the user program, again without raising suspicion.
“The end result of exploiting both vulnerabilities is the same: The engineer believes that benign code is running on the PLC; meanwhile, completely different and potentially malicious code is being executed on the PLC,” Claroty explained. “Changes to the logic flow or predefined local variables will alter a PLC’s normal operation and can result in new commands being sent to physical devices, such as belts and valves controlled by the PLC.”
Rockwell has shared various mitigations that can be used to prevent these types of attacks and it has also developed a tool that can detect hidden code running on a PLC.
Related: New Module Suggests Fourth Team Involved in Stuxnet Development
Related: Flaws in Rockwell Automation Product Expose Engineering Workstations to Attacks
Related: Hackers Can Target Rockwell Industrial Software With Malicious EDS Files