A joint advisory published Tuesday by the Cybersecurity and Infrastructure Security Agency (CISA) and several law enforcement and intelligence agencies points to an escalation in Iran's active targeting of U.S. critical infrastructure, and underscores the urgent need for such organizations to ensure that internet-facing operational technology (OT) and other cyber-physical systems (CPS) are protected against both opportunistic and advanced attackers.
The sabotage campaign disclosed this week is aimed at internet-facing programmable logic controllers (PLCs) sold by Rockwell Automation/Allen-Bradley, and exploits a vulnerability disclosed by Claroty Team82 in 2021.
CVE-2021-22681 affects numerous versions of Studio 5000 Logix Designer, RSLogix 5000, and Logix controllers. Successful exploitation allows an attacker to remotely connect to a PLC, download malicious code to it, upload information from it, or install attacker-controlled firmware. The CVE has also been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming that it is being actively exploited and prompting widespread concern.
In 2021, Rockwell Automation determined that the vulnerability could not be remediated with a patch, and instead urged a number of mitigations, including minimizing internet exposure of affected devices, ensuring that they are behind firewalls or secure access solutions, and segmented from business networks. On March 20 of this year, Rockwell Automation urged customers to disconnect affected controllers from the internet, specifically recommending that unauthenticated open ports be closed on edge routers.
The risk posed by internet-facing CPS is extensive. A recent Team82 report focused on research into more than 200 attacks carried out by 20 opportunistic hacktivist groups leveraging CPS for disruptive attacks. Many of the groups responsible for these attacks, according to Team82, are sympathetic to adversarial nation-states or are directly affiliated with them. They are clearing low barriers to entry, such as legacy protocols with little or no security capability, to access exposed CPS. For example, 66% of incidents verified by Team82 involved the compromise of either human-machine interfaces (HMI) or supervisory control and data acquisition (SCADA) systems. (Read Team82’s report “Analyzing CPS Attack Trends”).
The Rockwell vulnerability singled out in the joint advisory exposes a secret cryptographic key in the Studio 5000 Logix Designer software; the key verifies communication between PLCs and the engineering workstation (EWS) software used to interact and manage them. A successful attack bypasses the verification mechanism meant to protect the controllers and the EWS software, and allows for remote, unauthenticated access to the system.
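To make the design flaw concrete, here is a toy model added for this article; it is not Rockwell's protocol or code, and the key, the controller classes and the command format are constructed for illustration. Every copy of the engineering software carries the same key and the controller treats a valid tag under that key as proof that it is talking to a legitimate EWS, so anyone who extracts the key from an installer gets the same access. The hardened variant binds each controller to a key provisioned at commissioning, so one leaked workstation does not unlock every controller of that product line.

```python
import hmac
import hashlib
import os

# Constructed for this example: a single secret baked into every copy of the engineering
# workstation (EWS) software. Not Rockwell's key or message format.
HARDCODED_EWS_KEY = b"example-key-identical-in-every-ews-install"


def sign_command(key: bytes, command: bytes) -> bytes:
    """Tag a controller command with HMAC-SHA256; both controller models verify this tag."""
    return hmac.new(key, command, hashlib.sha256).digest()


class SharedKeyController:
    """Vulnerable pattern: a valid tag under the key shipped inside the EWS software is
    accepted as proof that the peer is an authorized workstation."""

    def __init__(self):
        self.program = b""

    def handle(self, command: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(sign_command(HARDCODED_EWS_KEY, command), tag):
            return False
        self.program = command          # attacker-chosen logic now runs on the PLC
        return True


class PerDeviceKeyController:
    """Hardened pattern: the verifying key is provisioned to this controller at commissioning
    and handed only to the workstations authorized for it, so a leak is scoped to one device."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self.program = b""

    def handle(self, command: bytes, tag: bytes) -> bool:
        if not hmac.compare_digest(sign_command(self._key, command), tag):
            return False
        self.program = command
        return True


def demo():
    """Returns (accepted_by_vulnerable, accepted_by_hardened) for a rogue EWS."""
    command = b"DOWNLOAD_PROGRAM rung0=OTE(valve_open)"   # constructed command
    extracted_key = HARDCODED_EWS_KEY   # recovered from any copy of the client software
    rogue_tag = sign_command(extracted_key, command)

    vulnerable = SharedKeyController()
    hardened = PerDeviceKeyController(os.urandom(32))   # key never present in the software
    return vulnerable.handle(command, rogue_tag), hardened.handle(command, rogue_tag)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The hardened controller is still only as strong as its key provisioning and the protection of the transport; where the shipped design cannot be changed, as Rockwell concluded for this CVE, segmentation and removal from the internet are the compensating controls.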
The joint advisory said the ongoing attacks were carried out by advanced persistent threat (APT) actors affiliated with Iran. Previous malicious activity linked to Iran against Unitronics PLCs was attributed by Team82 to the CyberAv3ngers, a threat actor linked to Iran’s Islamic Revolutionary Guard Corps.
The Unitronics attacks impacted integrated PLC/HMI devices in the fall of 2023, with defacements affecting water treatment facilities in the U.S. and Israel. While these attacks were disruptive, they were limited to threatening messages on the device screens promising further attacks against Israeli-made technology. The Unitronics attacks also demonstrated that the CyberAv3ngers had illicit remote access to these devices, potentially exposing them to further attacks.
The joint advisory issued this week points out that compromised U.S. government facilities, water and wastewater systems, and the energy sector have experienced disruptions and financial losses.
“As a result of this activity, organizations from multiple U.S. critical infrastructure sectors experienced disruptions through malicious interactions with the project files and the manipulation of data displayed on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays,” the joint advisory said.
Enterprises operating within critical infrastructure sectors should check asset inventories for affected versions of the Rockwell controllers and immediately disconnect them from the public-facing internet. Inbound ports should be closed and any direct exposure to the internet cut off. The joint advisory also recommends that controllers with a physical mode switch be kept in the “run” position to prevent remote modification of the program. Further mitigations and indicators of compromise are available in the joint advisory.
Attackers may easily discover internet-facing CPS assets via a simple search on an internet-scanning service. These searches return valuable device information, including software and firmware versions and other data that can be correlated against known exploited vulnerabilities. Insecure connections to the internet or weak configurations can also be useful for opportunistic attackers who could carry out relatively low-tech attacks to access devices and burrow deeper into production and enterprise networks.
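The fingerprinting those scanning services perform against Rockwell/Allen-Bradley controllers is the EtherNet/IP ListIdentity request on port 44818, which a device answers without any session or credentials. The following Python is an added example for this article, not Claroty's tooling or Rockwell's code: it builds the request, parses a reply into the identity fields (vendor, device type, product name, firmware revision, serial) and flags Rockwell PLCs for review against the advisory. The reply bytes are constructed so the block runs offline; the catalog string, address, serial and revision in it are invented. The `probe` function sends a real request and should only be pointed at devices you are authorized to test.

```python
import socket
import struct
from dataclasses import dataclass

ENIP_PORT = 44818
ENIP_LIST_IDENTITY = 0x0063            # encapsulation command
ITEM_LIST_IDENTITY_REPLY = 0x000C      # CPF item type carried in the reply
VENDOR_ROCKWELL = 1                    # ODVA vendor ID for Rockwell Automation/Allen-Bradley
DEVICE_TYPE_PLC = 0x0E                 # CIP device profile: Programmable Logic Controller
ENIP_HEADER = "<HHIIQI"                # command, length, session, status, sender context, options


@dataclass
class Identity:
    vendor_id: int
    device_type: int
    product_code: int
    revision: str
    status: int
    serial: int
    product_name: str
    state: int
    address: str


def build_list_identity_request() -> bytes:
    """A ListIdentity request is the bare 24-byte encapsulation header with no payload."""
    return struct.pack(ENIP_HEADER, ENIP_LIST_IDENTITY, 0, 0, 0, 0, 0)


def parse_identity_item(item: bytes) -> Identity:
    """Decode the ListIdentity item: protocol version, socket address, then the CIP Identity object."""
    # The socket address is the one field sent in network (big-endian) order.
    _family, _port, addr = struct.unpack_from(">hHI", item, 2)
    (vendor, dev_type, prod_code, rev_major, rev_minor,
     status, serial, name_len) = struct.unpack_from("<HHHBBHIB", item, 18)
    name = item[33:33 + name_len].decode("ascii", "replace")
    state = item[33 + name_len]
    return Identity(vendor, dev_type, prod_code, f"{rev_major}.{rev_minor}", status,
                    serial, name, state, socket.inet_ntoa(struct.pack(">I", addr)))


def parse_list_identity_reply(data: bytes) -> Identity:
    """Walk the encapsulation header and common packet format items to the identity item."""
    cmd, length, _session, status, _ctx, _opts = struct.unpack_from(ENIP_HEADER, data, 0)
    if cmd != ENIP_LIST_IDENTITY or status != 0:
        raise ValueError("not a successful ListIdentity reply")
    body = data[24:24 + length]
    (item_count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        if type_id == ITEM_LIST_IDENTITY_REPLY:
            return parse_identity_item(body[off:off + item_len])
        off += item_len
    raise ValueError("reply carries no identity item")


def is_rockwell_plc(ident: Identity) -> bool:
    """True for the device class the advisory is about; cross-check product name and
    revision against the vendor advisory for CVE-2021-22681 before acting."""
    return ident.vendor_id == VENDOR_ROCKWELL and ident.device_type == DEVICE_TYPE_PLC


def probe(host: str, timeout: float = 2.0) -> Identity:
    """Send one ListIdentity over UDP/44818. Only use against assets you are authorized to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity_request(), (host, ENIP_PORT))
        reply, _ = s.recvfrom(4096)
    return parse_list_identity_reply(reply)


def constructed_reply() -> bytes:
    """A hand-built reply for offline use; every value in it is invented for this example."""
    name = b"1756-L71/B LOGIX5571"
    sock_addr = struct.pack(">hH4s8s", socket.AF_INET, ENIP_PORT,
                            socket.inet_aton("203.0.113.17"), b"\x00" * 8)
    item = (struct.pack("<H", 1) + sock_addr
            + struct.pack("<HHHBBHIB", VENDOR_ROCKWELL, DEVICE_TYPE_PLC, 0x5E,
                          30, 11, 0x0030, 0x00C0FFEE, len(name))
            + name + b"\x03")
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY_REPLY, len(item)) + item
    return struct.pack(ENIP_HEADER, ENIP_LIST_IDENTITY, len(body), 0, 0, 0, 0) + body


if __name__ == "__main__":
    ident = parse_list_identity_reply(constructed_reply())
    print(ident, "-> review against advisory:", is_rockwell_plc(ident))
```

Run `probe()` from inside your own network against the addresses in your asset inventory and you get the same product name and revision an internet scanner would show; any controller that also answers from a public address belongs on the disconnect list from the advisory.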
CISA and similar agencies globally have urged device manufacturers to improve the overall quality and security of internet-facing CPS assets. The industry is burdened with legacy technology so deeply ingrained in current industrial processes that any alteration to these devices could cause significant disruption.
Insecure by design or by default is a critical flaw that must be addressed. Team82’s research found that many legacy communication protocols are favored by attackers seeking to take CPS assets offline. Many of these protocols are widely used in manufacturing and other industrial settings for device-to-device communication. Critical process data travels over them, and any alteration or disruption of that data could be detrimental.
Remediation can be challenging, as the update process often requires vendor involvement, whether that means new firmware that addresses vulnerabilities or wholesale configuration changes that address other legacy security issues. Such updates often take time to assess and develop, and deployments are typically on the vendor’s timetable. In the meantime, defenders must be vigilant about default or known weak credentials and proactively change them as devices are brought online.