Rockwell Automation Logix Controllers
Priority: Act Now · Score: 10 · ICS-CERT ICSA-22-090-05 · Mar 31, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Rockwell Automation Logix Controllers are vulnerable to unauthorized modification of user programs through malicious code injection. Successful exploitation allows an attacker to modify controller programs so that when a user recompiles and downloads the program, the malicious code is unknowingly executed on the controller. This affects CompactLogix, ControlLogix, GuardLogix, FlexLogix, DriveLogix, and SoftLogix controller families across all firmware versions.
What this means
What could happen
An attacker could inject malicious code into PLC programs, which would then execute during normal download operations, potentially altering process setpoints, disabling safety interlocks, or halting production without the operator's knowledge.
Who's at risk
This affects any water utility, electric utility, or manufacturing facility running Rockwell Automation Logix controllers for process automation, including CompactLogix (1768, 1769, 5370, 5380, 5480), ControlLogix (5550, 5560, 5570, 5580), GuardLogix (5560, 5570, 5580 and Compact variants), FlexLogix, DriveLogix, and SoftLogix controllers. GuardLogix variants are particularly critical as they control safety-related functions.
How it could be exploited
An attacker with network access to the controller's EtherNet/IP port can modify the user program stored in the controller's memory before it is uploaded (read back) to the engineering workstation. When the plant operator recompiles and downloads the program back to the controller, the malicious modifications are deployed and executed in the running process logic.
Prerequisites
- Network reachability to the controller's EtherNet/IP port (port 44818, directly or via routing)
- No authentication required if CIP Security is not implemented
- Controller must be in a state where program modifications are possible (typically Program or Test mode, or accessible during normal operation)
Risk factors: remotely exploitable · no authentication required · low complexity · affects all firmware versions with no patch available · affects safety-critical systems (GuardLogix) · high CVSS score (10.0)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (17)
All 17 affected products are EOL.
Product | Affected Versions | Fix Status
Logix Controllers - 1768 CompactLogix controllers | All versions | No fix (EOL)
Logix Controllers - 1769 CompactLogix controllers | All versions | No fix (EOL)
Logix Controllers - CompactLogix 5370 controllers | All versions | No fix (EOL)
Logix Controllers - CompactLogix 5380 controllers | All versions | No fix (EOL)
Logix Controllers - CompactLogix 5480 controllers | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Place the controller mode switch in the Run position to prevent unauthorized program modifications
HARDENING: Monitor the controller's change log using the Controller Log feature for unexpected program modifications or anomalous activity
HARDENING: Use the Change Detection functionality in the Logix Designer application to detect unauthorized program changes
HARDENING: If available, use FactoryTalk AssetCentre software to detect changes to controller programs
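The three hardening items above (Controller Log review, Change Detection, asset-management change tracking) come down to one detection question: did the program on the controller change in a way that the change-management record does not account for? The script below is an added example, not the advisory's own content and not Rockwell Automation code. Its CSV layout (timestamp, user, entry type, change-detection audit value observed after the entry), the entry-type names, the approved-user list and the maintenance window are all constructed for the example; a real Controller Log or FactoryTalk AssetCentre export has different columns, so `parse_timestamp` and the column names would be adapted to it. It flags program changes made by unapproved users or outside an approved window, and, separately, any entry where the audit value differs from the last authorized baseline with no authorized change logged in between, which is the case a recompile-and-download would otherwise silently propagate.

```python
"""Flag unexpected program changes in a Logix controller change-log export.

Added example; log format, entry names and policy values are constructed.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass
from datetime import datetime, timezone
from io import StringIO

# Entry types that alter the program running on the controller
# (constructed vocabulary; map real Controller Log entry names onto it).
PROGRAM_CHANGE_EVENTS = {"Project download", "Online edit", "Firmware update"}

# Constructed change-management policy: who may change programs, and when.
APPROVED_USERS = {"eng_maint"}
MAINTENANCE_WINDOWS = [  # (start, end), UTC
    (datetime(2022, 4, 2, 8, 0, tzinfo=timezone.utc),
     datetime(2022, 4, 2, 12, 0, tzinfo=timezone.utc)),
]

# Constructed sample export: timestamp, user, entry type, and the project's
# change-detection audit value observed after the entry. Not a real log.
SAMPLE_LOG = """\
timestamp,user,entry_type,audit_value
2022-04-02T08:15:00Z,eng_maint,Project download,0x1A2B3C4D
2022-04-02T09:40:00Z,operator1,Mode change to Run,0x1A2B3C4D
2022-04-03T02:13:07Z,operator1,Mode change to Run,0x9F8E7D6C
2022-04-03T02:20:00Z,svc_backup,Project download,0x9F8E7D6C
"""


@dataclass(frozen=True)
class Finding:
    when: datetime
    user: str
    entry_type: str
    reasons: tuple[str, ...]


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp written with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_maintenance_window(ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def audit_change_log(text: str, baseline_audit: str) -> list[Finding]:
    """Return findings for unauthorized changes and for silent audit-value drift.

    baseline_audit is the change-detection value recorded after the last
    approved download; an authorized change in the log becomes the new baseline.
    """
    expected = baseline_audit.lower()
    findings: list[Finding] = []
    for row in csv.DictReader(StringIO(text)):
        ts = parse_timestamp(row["timestamp"])
        audit = row["audit_value"].lower()
        if row["entry_type"] in PROGRAM_CHANGE_EVENTS:
            reasons = []
            if row["user"] not in APPROVED_USERS:
                reasons.append(f"user {row['user']} is not approved to change programs")
            if not in_maintenance_window(ts):
                reasons.append("change made outside an approved maintenance window")
            if reasons:
                findings.append(Finding(ts, row["user"], row["entry_type"], tuple(reasons)))
            else:
                expected = audit  # authorized change: accept the new audit value
        elif audit != expected:
            # Program content changed although no authorized change was logged.
            findings.append(Finding(
                ts, row["user"], row["entry_type"],
                (f"audit value {audit} differs from expected {expected} "
                 "with no authorized program change logged",),
            ))
    return findings


if __name__ == "__main__":
    for f in audit_change_log(SAMPLE_LOG, "0x00000000"):
        print(f.when.isoformat(), f.user, f.entry_type, "; ".join(f.reasons))
```

On the constructed sample this reports two findings: the mode-change entry on 2022-04-03 carries an audit value that no authorized change explains, and the download by `svc_backup` is both from an unapproved account and outside the window. An unauthorized change does not update the baseline, so later entries keep being flagged until the program is restored from a known-good copy and the baseline is re-recorded.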
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Implement CIP Security on supported controllers (5580 series, 5380 CompactLogix, 5380 Compact GuardLogix) to prevent unauthorized network connections
HARDENING: Replace 1756-EN2T EtherNet/IP modules with 1756-EN4TR modules to enable CIP Security support on ControlLogix 5560/5570/5580 and GuardLogix 5570/5580
HARDENING: Regularly recompile and download user program code to ensure current, unmodified programs are deployed
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Logix Controllers - 1768 CompactLogix controllers, Logix Controllers - 1769 CompactLogix controllers, Logix Controllers - CompactLogix 5370 controllers, Logix Controllers - CompactLogix 5380 controllers, Logix Controllers - CompactLogix 5480 controllers, Logix Controllers - Compact GuardLogix 5370 controllers, Logix Controllers - Compact GuardLogix 5380 controllers, Logix Controllers - ControlLogix 5550 controllers, Logix Controllers - ControlLogix 5560 controllers, Logix Controllers - ControlLogix 5570 controllers, Logix Controllers - ControlLogix 5580 controllers, Logix Controllers - FlexLogix 1794-L34 controllers, Logix Controllers - GuardLogix 5560 controllers, Logix Controllers - GuardLogix 5570 controllers, Logix Controllers - GuardLogix 5580 controllers, Logix Controllers - DriveLogix 5730 controllers, Logix Controllers - SoftLogix 5800 controllers. Apply the following compensating controls:
HARDENING: Isolate control system networks from the business network using firewalls and network segmentation
HARDENING: Ensure controllers are not directly accessible from the Internet; use VPNs for required remote access
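For the EOL families the only controls are the two segmentation items above, and the prerequisite that matters is reachability of the EtherNet/IP port (44818). The script below is an added example, not the advisory's content and not any firewall vendor's export format: the zone names, the `Rule` layout and the sample policy are constructed. It lists every allow rule that would let a source outside the trusted engineering or VPN zones reach the controllers on that port, including catch-all rules with any port or any destination, which is the usual way such exposure survives a review.

```python
"""Find firewall rules that expose Logix controllers' EtherNet/IP port to untrusted zones.

Added example; zone names, rule layout and the sample policy are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

ENIP_PORT = 44818  # EtherNet/IP port named in the advisory's prerequisites
CONTROLLER_ZONES = {"ot_controllers"}
# Sources permitted to reach controllers: engineering workstations in the OT
# zone and the VPN used for required remote access (constructed zone names).
TRUSTED_SOURCE_ZONES = {"ot_engineering", "remote_vpn"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str          # "tcp", "udp" or "any"
    dport: int | None   # None means any destination port
    action: str         # "allow" or "deny"


# Constructed sample policy, not a real firewall export.
SAMPLE_POLICY = [
    Rule("eng-to-plc", "ot_engineering", "ot_controllers", "tcp", 44818, "allow"),
    Rule("vpn-to-plc", "remote_vpn", "ot_controllers", "tcp", 44818, "allow"),
    Rule("biz-to-plc-enip", "business", "ot_controllers", "tcp", 44818, "allow"),
    Rule("biz-to-plc-any", "business", "ot_controllers", "any", None, "allow"),
    Rule("inet-to-plc", "internet", "ot_controllers", "tcp", 44818, "deny"),
    Rule("default-deny", "any", "any", "any", None, "deny"),
]


def permits_enip_to_controllers(rule: Rule) -> bool:
    """True if the rule lets TCP traffic reach the controllers' EtherNet/IP port.

    Explicit (unconnected) messaging on 44818 runs over TCP, so a tcp or
    any-protocol allow with that port, or with no port restriction, counts.
    """
    return (
        rule.action == "allow"
        and (rule.dst_zone in CONTROLLER_ZONES or rule.dst_zone == "any")
        and rule.proto in {"tcp", "any"}
        and rule.dport in {ENIP_PORT, None}
    )


def exposed_rules(policy: list[Rule]) -> list[Rule]:
    """Allow rules that expose the EtherNet/IP port to a source zone not on the trusted list."""
    return [r for r in policy
            if permits_enip_to_controllers(r) and r.src_zone not in TRUSTED_SOURCE_ZONES]


if __name__ == "__main__":
    for r in exposed_rules(SAMPLE_POLICY):
        print(f"{r.name}: {r.src_zone} -> {r.dst_zone} {r.proto}/{r.dport or 'any'} allowed")
```

The check is order-insensitive: it does not model first-match shadowing, so a rule it reports may be shadowed by an earlier deny on a real device, but a reported rule is always worth reviewing. On the sample policy it reports the two business-zone rules; the VPN rule is accepted because the advisory's own guidance is to route required remote access through a VPN.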
CVEs (1)