Netography Releases Detection Models for Activity Targeting Rockwell Automation ICS Devices
by Netography Detection Engineering Team
Last week, Rockwell Automation issued an urgent message to customers urging them to “take immediate action” to disconnect any Rockwell ICS devices exposed to the internet. Rockwell issued this notice due to “heightened geopolitical tensions and adversarial cyber activity globally” and made reference to several previously disclosed vulnerabilities in Rockwell ICS devices. CISA followed up with its own corresponding bulletin.
When vendors publish advisories like these it is essential that you determine whether you have vulnerable devices in your OT network before threat actors can use them to disrupt operations. Too often, threat actors establish their foothold on legacy devices that are no longer being actively monitored for various reasons, and as a result no one noticed they were compromised.
Network metadata is an excellent resource to use for investigating whether you have relevant traffic on your network–it provides visibility into every corner of your network and is unaffected by technologies like encryption for Zero Trust initiatives. Rockwell Automation devices communicate on distinct TCP and UDP ports (TCP 44818 and UDP 2222), which makes finding traffic to or from those devices relatively easy.
Netography has released several Network Detection Models (NDMs) that provide you with real-time observability of activity related to Rockwell Automation ICS devices, including attempts to scan your internal network for these devices.
Even if you are confident that any devices you have are not exposed to the open internet today, it’s possible that an accidental misconfiguration or firewall policy change could expose them tomorrow. Monitoring your network activity for signs of accidental exposures is critical because the faster you become aware of unwanted activity caused by a misconfiguration or change in policy, the faster you can remediate it.
You can also use Netography Query Language (NQL) searches to search historical data to see if any of your devices were communicating with external IP addresses, or exhibiting other anomalous behavior in the weeks or months prior to an advisory’s publication.
Rockwell-Specific Network Detection Modules
Netography Fusion® customers who want to search their metadata for activity related to Rockwell Automation ICS devices communicating with external IP addresses are advised to use the following NQL search syntax:
(protocol == tcp and tcpflags.syn == true and tcpflags.ack == true and srcport == 44818 and dstport > 44818 and (srcinternal == true && dstinternal == false) and packets > 1) or (protocol == udp and srcport == 2222 and dstport > 2222 and (srcinternal == true && dstinternal == false))
This syntax is employed in two new Netography NDMs that will detect interaction with Rockwell Automation ICS devices from external source addresses:
external_tcp_44818
external_udp_2222
In addition, Netography has released the following NDMs which will detect attempts to scan your network for these services:
rockwellics_tcp_scan_internal_internal
rockwellics_tcp_scan_internal_external
rockwellics_tcp_scan_external_internal
rockwellics_udp_scan_internal_internal
rockwellics_udp_scan_internal_external
rockwellics_udp_scan_external_internal
Events like this help illustrate the value that network metadata can provide for multi-cloud and hybrid networks. Metadata delivers value both as a searchable historical record of network activity and as a critical control for detecting real-time network activity and changes in your network configuration across your cloud, datacenter, and on-premises network environments.
If you want to learn more about the Netography Fusion platform and how it detects activity that should never happen in your network, you can:
- Take a self-guided tour
- Attend a demo every Wednesday.
- Or contact us