Rockwell To Patch SCADA Flaw Soon
Within the next seven days, Rockwell Automation will release a patch for a supervisory control and data acquisition (SCADA) vulnerability first made public last Friday.
Initially, security researcher Luigi Auriemma posted code for a denial of service attack vulnerability only affecting Rockwell Automation's RSLogix 5000 Programmable Logic Control (PLC). However, Douglas Wylie, Business Development Manager for Networks and Security at Rockwell Automation, said in-house research found the vulnerability to be more pervasive within the Rockwell family of software. He said the patch expected within the next seven days would address a component (RnaUtility.dll) used for human-machine interface (HMI) within Rockwell's industrial control software.
In alert # 456065, posted September 13 and updated September 16, the company acknowledged Auriemma's code could lead to a denial of service, but stressed there is "no known possibility of malicious code injection and no known escalation of privilege on the target machine that results from successful exploitation." Additionally, until the patch is released, the company suggested companies block up to ten TCP ports in their firewalls when using RSLogix 5000 with an optional service, FactoryTalk Services Platform (FTSP), enabled.
Speaking at the 11th annual ACS Conference in Washington, D.C. on Wednesday, Wylie said a patch exists but Rockwell is still testing it internally. "We don't want our customers to be beta testers," he told the audience.
Questions of proper disclosure ethics have dogged software vendors' vulnerabilities for years. Researchers claim vendors ignore their warnings, and vendors claim researchers hold unrealistic expectations for when a proper patch should be expected. Some researchers publish their findings straight to the Internet without contacting the vendor. This is what's known as a zero-day.
After last year's targeting of PLCs by the author of Stuxnet, researchers and bad guys alike have sought out vulnerabilities affecting industrial control systems, such as those systems used for gas, water and electrical utilities. Most of Auriemma's recent vulnerability disclosures, however, have concerned software interface components for industrial control software used on SCADA systems.
In March 2011, after claiming he had no prior experience with SCADA systems, Auriemma published thirty vulnerabilities in SCADA systems: Siemens Tecnomatix FactoryLink, Iconics Genesis32 and Genesis64, DATAC RealWin, and 7-Technologies IGSS. In addition to Rockwell, Auriemma's latest list includes Azeotech DAQFactory, Beckhoff TwinCAT, Cogent Datahub, Measuresoft SCADAPro, and Progea Movicon.
Wylie said Rockwell Automation has an internal security team dedicated to working with security researchers. Further, for the last three years, the Rockwell site has had an online vulnerability submission form. Regarding Auriemma, Wylie said the Italian security researcher made "no attempts to contact Rockwell prior to code release."