Introduction
Description
Issued February 2, 2010. Updated March 3, 2010 - Version 1.2
Updated March 19, 2013 (see below)
Rockwell Automation has identified a potential security vulnerability in the programming and configuration client software authentication mechanism employed by certain versions of the PLC5 and SLC family of programmable controllers. The particular vulnerability affects older versions the following catalog numbers: 1785-Lx and 1747-L5x (the "Product"). Newer Products, programmed with current versions of RSLogix 5 or RSLogix 500, can enable specific security features like FactoryTalk Security services to effectively enhance security and reduce risks associated with this vulnerability. When coupled with contemporary network design practices, remaining risks linked to this vulnerability can be further reduced.
Details of this potential vulnerability to the affected Product are as follows:
The potential exists for a highly skilled, unauthorized person, with specific tools and know-how, to intercept communications between a Product and an authorized software client to gain access to the Product and interrupt its intended operation.
Customers who are concerned about unauthorized access to their Products can take immediate steps as outlined below to reduce associated security risk from this potential vulnerability. These same steps can also serve as a checklist to verify available security capabilities are in place in a system’s configuration too.
To help reduce the likelihood of exploitation and to help reduce associated security risk in the PLC5 and SLC family of controllers, Rockwell Automation recommends the following immediate mitigation strategies (Note: when possible, multiple strategies should be employed simultaneously):
1. When applicable, upgrade Product firmware to a version that includes enhanced security functionality compatible with Rockwell Automation’s FactoryTalk Security services. This functionality can be enabled via RSLogix 5 or RSLogix 500 software. Recommended firmware revisions are as follows:
a. The 1747-L5x firmware should be OS Series C FRN 10, or higher.
b. 1785-Lx processor firmware should be at or above the following (refer to included table):
| Catalog Number | Series A | Series B | Series C | Series D | Series E | Series F |
| Enhanced | Revision | Revision | Revision | Revision | Revision | Revision |
| 1785-L11B | R.2 | U.2 | L.2 | K.2 | ||
| 1785-L20B | R.2 | U.2 | L.2 | K.2 | ||
| 1785-L30B | S.2 | U.2 | L.2 | K.2 | ||
| 1785-L40B | S.2 | U.2 | L.2 | K.2 | ||
| 1785-L40L | S.2 | U.2 | L.2 | K.2 | ||
| 1785-L60B | S.2 | U.2 | L.2 | K.2 | ||
| 1785-L60L | S.2 | U.2 | L.2 | K.2 | ||
| 1785-L80B | U.2 | L.2 | K.2 | |||
| Protected | Revision | Revision | Revision | Revision | Revision | Revision |
| 1785-L26B | R.2 | U.2 | L.2 | K.2 | ||
| 1785-L46B | S.2 | U.2 | L.2 | K.2 | ||
| 1785-L46L | S.2 | U.2 | ||||
| 1785-L86B | U.2 | L.2 | K.2 | |||
| Ethernet | Revision | Revision | Revision | Revision | Revision | Revision |
| 1785-L20E | U.2 | L.2 | K.2 | A.2 | ||
| 1785-L40E | U.2 | L.2 | K.2 | A.2 | ||
| 1785-L80E | U.2 | L.2 | K.2 | A.2 | ||
| ControlNet | Revision | Revision | Revision | Revision | Revision | Revision |
| 1785-L20C15 | U.2 | L.2 | K.2 | E.2 | ||
| 1785-L40C15 | U.2 | L.2 | K.2 | E.2 | ||
| 1785-L46C15 | K.2 | E.2 | ||||
| 1785-L60C15 | L.2 | |||||
| 1785-L80C15 | L.2 | K.2 | E.2 |
2. Use the latest version of RSLogix 5 or RSLogix 500 configuration software and enable FactoryTalk Security services.
3. Disable where possible the capability to perform remote programming and configuration of the Product over a network to a controller by placing the controller’s key switch into RUN mode.
4. For PLC5 controllers, enable and configure "Passwords and Privileges" to restrict access to critical data and improve password security.
5. For SLC controllers, enable static protection via RSLogix 500 on all critical data table files to prevent any remote data changes to critical data.
<START UPDATE>
Added: 19 Mar 2013
Both RSLogix 500 and RSLogix Micro software version 8.40 were enhanced to introduce password encryption without any changes necessary to SLC and MicroLogix firmware. This implementation is compatible with all SLC and MicroLogix platforms.
In order to use this capability, a new "Encrypt Password" checkbox has been included in RSLogix 500/Micro version 8.40. This "Encrypt Password" checkbox is located on the Password tab of the Controller Properties page.
NOTE: Once an encrypted password is loaded into a controller, earlier versions of RSLogix 500 and RSLogix Micro will not be able to match the controller password.
For detailed information, refer to Publication 1766-RM001E-EN-P - May 2012, Program Password Protection
<END UPDATE>
6. Employ layered security and defense-in-depth methods in system design to restrict and control access to individual products and ControlNetworks. Refer to http://www.ab.com/networks/architectures.html for comprehensive information about implementing validated architectures designed to deliver these measures.
7. Block all traffic to the CSP, EtherNet/IP or other CIP protocol based devices from outside the Manufacturing Zone by restricting or blocking access to TCP and UDP Port# 2222 and Port# 44818 using appropriate security technology (e.g. a firewall, UTM devices, or other security appliance).
8. Restrict physical and electronic access to automation products, networks and systems to only those individuals authorized to be in contact with control system equipment.
Rockwell Automation is committed to making additional security enhancements to our systems in the future.
For more information and for assistance with assessing the state of security of your existing controls system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site at http://www.rockwellautomation.com/solutions/security.
