The world of industrial control systems (ICS) has been thrown into disarray over the announcement of a widespread security flaw in some of the most popular logic controllers on the market. An industry-wide vulnerability has been identified in the underlying programmable logic controllers (PLCs) which are commonly used to control large industrial systems. The flaw, known as CVE-2020-9441, raises the specter of the infamous “Stuxnet” virus, which caused massive disruption to industrial processes and infrastructure around the world in 2010.
CVE-2020-9441 affects only certain versions of PLCs manufactured by Rockwell Automation, but the scope and scale of the flaw is serious enough that the company has attempted to mitigate the risk by releasing new firmware versions to existing systems. The issue, however, is that all deployed versions remain vulnerable unless and until the patch is applied. Further, there have been no public reports of the exploit being used to target any critical infrastructure, but it is feared that the vulnerability is easily exploitable by knowledgeable malicious actors.
The scale of the risk posed by CVE-2020-9441 is directly comparable to the notorious Stuxnet virus of 2010. Stuxnet was a computer worm designed to target industrial control systems, specifically it caused massive disruption to the uranium enrichment infrastructure in Iran. The virus was crafted to exploit a specific control system flaw in order to damage the operations of a select target organization. Similarly, the new Rockwell Automation vulnerability carries the potential to be weaponized in the same way, and the fact that it affects a huge portion of deployed ICS systems around the world is cause for serious concern.
Fortunately, Rockwell Automation is taking the issue seriously, and working hard to provide a software patch which can be implemented by affected operators. Until the vulnerability is patched in all affected systems, there is a risk that malicious actors could access and control these systems, potentially causing devastating damage to ICS operations worldwide. The significance of CVE-2020-9441 cannot be overstated, and it is a stark reminder of the very real threats posed by industrial cyber-security flaws.