Rockwell Automation
Stuxnet-like vulnerability eliminated
Specialists from Claroty and Rockwell Automation have now published two vulnerabilities in PLCs and engineering workstation software from Rockwell. Users are strongly advised to update the affected products.
Team82, the research division of Claroty, the specialist in cyber-physical systems (CPS) security for industrial, healthcare and enterprise environments, and Rockwell Automation have jointly disclosed two vulnerabilities in Rockwell's programmable logic controllers (PLCs) and engineering workstation software. CVE-2022-1161 affects multiple versions of Rockwell's Logix controllers and has been assigned the highest possible CVSS score of 10, while CVE-2020-1159 affects multiple versions of the Studio 5000 Logix Designer application. The vulnerabilities could allow modified code to be downloaded to a PLC while the process appears normal to technicians at their workstations. This is reminiscent of Stuxnet and the Rogue7 attacks. Rockwell provides users with a tool that detects such hidden code. In addition, users are strongly advised to update the affected products; the updated versions can reveal such manipulations.
Sensitized by Stuxnet
Successful stealth attacks on programmable logic controllers (PLCs) are among the rarest, most time-consuming and investment-intensive attacks. The Stuxnet authors laid the groundwork here by finding a way to hide malicious bytecode running on a PLC while the technician programming the controller sees only the normal state on their workstation. To achieve this, the bytecode and the text code must be decoupled. For example, in the Rogue7 attack on Siemens SIMATIC S7 PLCs, the researchers were able to modify the textual code while transmitting the malicious bytecode to the PLC.
Team82 tested the Rockwell Automation PLC platform for these Stuxnet-like attacks. They uncovered two vulnerabilities that make the company's Logix controllers and Logix Designer application for engineering workstations susceptible to such attacks. Attackers capable of modifying PLC logic inconspicuously could cause physical damage to factories, compromising the safety of production lines and the reliability of robots.
The two identified vulnerabilities make it possible to decouple the text code from the binary code and transfer it to the PLC, modifying only one but not the other. This makes the technician believe that the regular code is running on the PLC, when in reality a completely different, potentially malicious code is running.
In their proof-of-concept, the Team82 researchers modified the binary code so that certain variables of the automation process (also known as tags) are secretly set to different values. In a real-world situation, these modified values could potentially cause great harm to the automation process (e.g. tags that control the speed of a motor or the position of valves).
The solutions
Team82 worked closely with Rockwell Automation engineers to identify the root cause of these attacks. The Rockwell engineers then developed sophisticated solutions for detecting hidden code. For this purpose, the text code and the binary code running on the PLC are analyzed and compared. If a discrepancy is detected, the tool issues a warning message.
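To make the detection principle concrete, here is an added toy model (not Rockwell's tool or its real Logix bytecode) of the text/binary consistency check: the textual program the engineer sees is recompiled deterministically, decoded alongside the binary reported by the controller, and every tag whose values disagree produces a warning. The `SET <tag> <value>` instruction format, the opcode and the sample program are constructed for this example.

```python
# Toy model of the check described above: recompile the text the engineer
# sees and compare it with the binary the controller reports. The SET
# instruction format is constructed for this example, not Logix bytecode.
import struct
from typing import Dict, List

OP_SET = 0x01  # hypothetical opcode: SET <tag> <int32 value>


def compile_text(text: str) -> bytes:
    """Deterministically compile 'SET <tag> <value>' lines into toy bytecode."""
    out = bytearray()
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("//"):
            continue  # skip blanks and comments
        op, tag, value = line.split()
        if op != "SET":
            raise ValueError(f"unsupported instruction: {line}")
        name = tag.encode("ascii")
        out += struct.pack(">BB", OP_SET, len(name)) + name + struct.pack(">i", int(value))
    return bytes(out)

def decode_binary(binary: bytes) -> Dict[str, int]:
    """Parse toy bytecode into tag -> value, rejecting truncated or unknown instructions."""
    tags: Dict[str, int] = {}
    pos = 0
    while pos < len(binary):
        if pos + 2 > len(binary):
            raise ValueError("truncated instruction header")
        op, n = struct.unpack_from(">BB", binary, pos)
        if op != OP_SET or pos + 2 + n + 4 > len(binary):
            raise ValueError(f"malformed instruction at offset {pos}")
        tag = binary[pos + 2:pos + 2 + n].decode("ascii")
        (tags[tag],) = struct.unpack_from(">i", binary, pos + 2 + n)
        pos += 2 + n + 4
    return tags

def find_discrepancies(text: str, plc_binary: bytes) -> List[str]:
    """Return one warning per tag whose compiled value differs from the PLC binary."""
    expected, actual = decode_binary(compile_text(text)), decode_binary(plc_binary)
    return [f"{t}: text={expected.get(t)} binary={actual.get(t)}"
            for t in sorted(set(expected) | set(actual)) if expected.get(t) != actual.get(t)]

# Constructed sample: the text the engineer sees says 1500, but the binary
# on the PLC was uploaded from a modified copy that says 3000.
PROGRAM_TEXT = "SET MotorSpeed 1500\nSET ValveOpen 1\n"
TAMPERED_BINARY = compile_text("SET MotorSpeed 3000\nSET ValveOpen 1\n")

if __name__ == "__main__":
    print(find_discrepancies(PROGRAM_TEXT, TAMPERED_BINARY) or "consistent")
```

An empty list means the text and binary agree; the sample run flags `MotorSpeed` as the decoupled tag.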
To be able to use this detection function, asset operators must update to the following versions:
- Studio 5000 V34 or higher
- Corresponding versions of the Logix 5580, 5380, 5480, GuardLogix 5580 and Compact GuardLogix 5380 controller firmware
Alternatively, tools are available to detect deviations:
- Logix Designer application Compare Tool V9 or higher, installed with Studio 5000 Logix Designer
- FactoryTalk AssetCentre V12 or higher (available from fall 2022)