Advisory ID: PN1594
Published Date: May 06, 2022
Last Updated: May 06, 2022
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: No
Workaround: No

Summary

APT Cyber Tools Targeting ICS/SCADA Devices (PIPEDREAM/INCONTROLLER)

              Revision History 
   Version 1.0 – May 6, 2022 
 Executive Summary
  On April 13, 2022, researchers announced a new set of tools that was developed by an Advanced Persistent Threat (APT). This set of tools allows threat actors to attack specific ICS and OT hardware and software. Rockwell Automation is providing this advisory to notify customers of our response to this threat.
 
We are diligently working through our process to evaluate the threat and provide security mitigations as needed. Rockwell Automation recommends that customers apply hardening techniques, in addition to security best practices, for a comprehensive defense-in-depth approach.
 
Affected Products
We are aware that the tool set contains modules that target OPC UA servers, CODESYS runtimes, and ASRock drivers. After evaluation, Rockwell Automation is aware that the products listed below use one of the targeted components. This list may be updated if more products are identified.
 
Products that use OPC UA servers:
- FactoryTalk® Linx Gateway
  - Editions include embedded, basic, standard, extended distributed, professional
  - Versions include 6.10, 6.11, 6.20, 6.21 and 6.30
 
Risk Mitigation & User Action
  We recommend the following compensating controls for customers using Rockwell Automation products that use the targeted hardware and software: 
- Disable anonymous authentication and configure the use of FactoryTalk Security using the following guidance: FactoryTalk Linx Gateway Getting Results Guide FTLG-GR001E
  - Chapter 4 - UA Server Endpoints - Endpoint Properties
  - Appendix D - Secure FactoryTalk Linx Gateway using FactoryTalk Security

- Enforce a lockout threshold for failed authentication attempts and configure audit logs using the following guidance to detect signs of an attack: FactoryTalk Security System Configuration Guide, Publication FTSEC-QS001R
  - Chapter 9 - Set system policies - Account Policy Settings
  - Set audit policies - Monitor security-related events
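
To verify the first control, the Python below (an added example, not Rockwell Automation code or tooling) checks endpoint descriptions, such as those a server returns to an OPC UA GetEndpoints request, for anonymous login. It goes beyond the advisory by also flagging username tokens whose password would travel without encryption; the dict layout, finding names and sample endpoints are assumptions constructed for illustration.

```python
# Added example: audit OPC UA endpoint descriptions for anonymous login.
ANONYMOUS, USERNAME, CERTIFICATE = 0, 1, 2   # UserTokenType values (OPC UA spec)
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_B256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
URL = "opc.tcp://gateway.example.local:4840"  # constructed, not a real host


def audit_endpoint(ep):
    """Return the findings for one endpoint description (a dict)."""
    findings = []
    channel_policy = ep.get("securityPolicyUri") or POLICY_NONE
    for tok in ep.get("userIdentityTokens", []):
        if tok["tokenType"] == ANONYMOUS:
            findings.append("anonymous-login-offered")
        elif tok["tokenType"] == USERNAME:
            # An empty token-level policy inherits the endpoint's policy.
            token_policy = tok.get("securityPolicyUri") or channel_policy
            if token_policy == POLICY_NONE:
                findings.append("password-sent-unprotected")
    return findings


def audit_server(endpoints):
    """Return (url, security mode, findings) for every endpoint with findings."""
    report = []
    for ep in endpoints:
        found = audit_endpoint(ep)
        if found:
            report.append((ep["endpointUrl"], ep["securityMode"], found))
    return report


def _ep(mode, policy, tokens):
    # Helper that builds one constructed endpoint description.
    return {"endpointUrl": URL, "securityMode": mode, "securityPolicyUri": policy,
            "userIdentityTokens": [{"tokenType": t, "securityPolicyUri": ""} for t in tokens]}


# Constructed sample of what a server might advertise before and after hardening.
SAMPLE_ENDPOINTS = [
    _ep("None", POLICY_NONE, [ANONYMOUS, USERNAME]),
    _ep("SignAndEncrypt", POLICY_B256, [ANONYMOUS, USERNAME]),
    _ep("SignAndEncrypt", POLICY_B256, [USERNAME, CERTIFICATE]),  # hardened
]

if __name__ == "__main__":
    for url, mode, found in audit_server(SAMPLE_ENDPOINTS):
        print(f"{url} [{mode}]: {', '.join(found)}")
```

An endpoint that passes this check still needs the FactoryTalk Security policies from the guides above; the check only confirms what the server advertises.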
 
General Security Guidelines
  Refer to the Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
 
See the Industrial Security Services website for information on security services from Rockwell Automation to assess, help protect, detect, respond, and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.
 
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation in PN1354 – Industrial Security Advisory Index
 
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
 
If you have questions regarding this notice, please send an email to our product security inbox at: PSIRT@rockwellautomation.com
Copyright ©2022 Rockwell Automation, Inc.