This scenario is designed for use with ThreatGEN AutoTableTop™, leveraging the platform’s dynamic, AI-driven exercise capabilities to help organizations practice and refine their incident response strategies.
Rockwell Advisory PN1633 Tabletop Scenario Summary
A critical vulnerability (CVE-2023-3595 and CVE-2023-3596 in Advisory ID PN1633) has been discovered in Rockwell Automation’s FactoryTalk Linx product, which is widely used for industrial automation. The flaw allows for remote code execution and denial-of-service attacks, potentially giving attackers administrator-level access and control over industrial systems. The scenario begins when a security researcher reports the vulnerability to Rockwell’s product security team. The exercise focuses on the company’s coordinated response, spanning technical investigation, patch development, communications, and public disclosure.
Using This Scenario in AutoTableTop™
AutoTableTop™ enables rapid, customizable, and repeatable tabletop exercises without the need for extensive manual planning. This Rockwell scenario can be used to:
- Test Incident Response Plans: Simulate a real-world, high-impact product vulnerability incident and evaluate your organization’s readiness.
- Practice Cross-Department Coordination: Engage multiple teams (product security, software development, legal, communications, and executive leadership) in a realistic, time-sensitive situation.
- Customize Injects and Playbooks: The scenario includes a series of injects (events) that drive decision-making and collaboration. AutoTableTop™ can dynamically generate additional injects or allow you to tailor them to your environment.
- Identify Gaps and Improve Processes: After the exercise, AutoTableTop™ generates a detailed report with analysis and actionable recommendations, helping you pinpoint weaknesses and areas for improvement.
- Fulfill Compliance and Training Requirements: Easily run this and other scenarios as often as needed to support compliance, training, and ongoing improvement efforts.
Example Exercise Flow
- Setup: Select the Rockwell PN1633 scenario in AutoTableTop™. Define participant roles and departments.
- Execution: The AI presents scenario injects (such as vulnerability discovery, patching challenges, media inquiries, and customer communications) while participants respond and make decisions.
- Debrief: Review the automatically generated report, which includes a transcript of decisions, key findings, and improvement recommendations.
Sample Exercise Files
New AutoTableTop™ facilitators can use all of these files to execute their own exercise and compare their outcomes with those included in the Case Study. This approach is designed to help users become comfortable with the tool and determine effective responses.
Save these files to your PC to complete the Rockwell PN1633 exercise yourself:
Advisory Details
Advisory ID: PN1633
Published: July 12, 2023
CVE IDs: CVE-2023-3595 (Critical, RCE), CVE-2023-3596 (High, DoS)
Here is a summary of the Rockwell Advisory:
- Remote code execution and denial-of-service vulnerabilities in select Rockwell ControlLogix communication modules.
- Exploitation could allow attackers to manipulate firmware, establish persistence, exfiltrate data, or disrupt industrial processes.
- Rockwell has released patches for all affected products, including those out of support.
The affected products include:
- 1756-EN2T, 1756-EN2TR, 1756-EN2F, 1756-EN3TR, 1756-EN4TR (various series and versions).
Mitigation could include these actions, which are included within the advisory:
- Update to the latest firmware (signed versions strongly recommended).
- Segment ICS/SCADA networks.
- Monitor for anomalous network activity using provided Snort signatures.
- Regularly back up devices and disable unused features.
References:
- Rockwell Advisory PN1633
- CISA ICS Advisory ICSA-24-046-16
- Rockwell Automation Product Documentation
This scenario template provides a realistic, high-impact exercise for organizations to run within AutoTableTop™, ensuring teams are prepared for critical product security incidents and can respond effectively across technical and business domains.
Scenario released Monday, May 5, 2025.
Copyright © 2025 by Derezzed Inc. D/B/A ThreatGEN, all rights reserved.