
Perspective on new infrastructure vulnerabilities: A Q&A with Tenable's Marty Edwards

July 12, 2023
There has been an uptick of remote access in OT environments.

This morning, Rockwell Automation disclosed vulnerabilities, including a critical remote-code execution flaw that could be exploited to disrupt critical infrastructure systems. We wanted to learn more, so we connected with Marty Edwards, deputy CTO for OT/IoT at Tenable. Take a look...

Chris McNamara, Smart Industry editor in chief: How worrisome are these vulnerabilities for the utilities sector? 

Marty: Organizations that already have security controls in place in their environments and follow industry best practices, such as IEC-62443/ISA99 to segment OT environments, are in much better shape than those who lagged behind in security adoption. In the last few years, there has been an uptick of remote access in OT environments, so organizations that have the tools to detect and identify anomalous communications and connections can quickly mitigate the risk posed by these vulnerabilities.

Chris: What segments are particularly exposed? 

Marty: The Rockwell devices affected by this vulnerability are used in many different types of industries and processes from manufacturing, water and wastewater, mining, oil and gas, chemical, transportation and logistics, and sometimes even defense. The degree of exposure is dependent on how these devices are deployed and their network accessibility within a user's environment.

Chris: What remedies should be made to bolster defenses on these fronts? 

Marty: Affected devices run many different types of mission-critical applications, so manufacturers should upgrade to the latest firmware version as soon as possible to bolster their defenses. Certain industries may only have downtime for 1-2 weeks a year, reducing their ability to patch assets. Asset owners need to understand their risks and create a plan to address—with compensating controls—if they are not able to apply the revised firmware to these devices.

Chris: Is the electrical grid becoming more of a target for cyber-attacks?  

Marty: The electrical sector, typically, is more mature from a cybersecurity standpoint, so we hear more about it. But in this particular case we have no information to indicate that any specific sector is being targeted.

Chris: Is there any upside to announcements like this? Do they lead to smarter approaches and safer utilities? 

Marty: Most definitely. If you drive a car you get a safety recall or notice if there is an issue with the vehicle. This is very similar—if there is a weakness that can be exploited in your industrial-control system, notifications like these ensure that you are aware and can take proper steps to protect your most critical business functions.