Slashdot Mirror

← Back to Stories (view on slashdot.org)

Niagra Framework Leaves Government, Private Infrastructure Open To Hacks

Posted by timothy on from the is-this-your-all-eggs-basket? dept.

benfrog writes "Tridium's Niagra framework is a 'marvel of connectivity,' allowing everything from power plants to gas pumps to be monitored online. Many installations are frighteningly insecure, though, according to an investigation by the Washington Post, leaving both public and private infrastructure potentially open to simple hacks (as simple as a directory traversal attack)."

40 comments

  1. I must say... by Anonymous Coward · · Score: 1

    Niagra, please!

    1. Re:I must say... by ackthpt · · Score: 4, Funny

      Niagra, please!

      Niagra Fails?

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:I must say... by Arancaytar · · Score: 1

      Even better, the "Niagra" is a consistent misspelling by the submitter. It is actually called Niagara, as the submitter could have discovered by RTFA he linked to. (And Tridium's corporate website also calls it Niagara.)

  2. NIAGARA FALLS! by TheGoodNamesWereGone · · Score: 2

    .... Slowly I turned, step by step, inch by inch...

    1. Re:NIAGARA FALLS! by interval1066 · · Score: 1

      Its kind of cool to see people are still aware of an 80+ y-o vaudville routine.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    2. Re:NIAGARA FALLS! by TheGoodNamesWereGone · · Score: 2

      :-) http://youtu.be/_yJBhzMWJCc

  3. Am I the only one... by Darkness404 · · Score: 1

    Am I the only one who read this as "Nigeria" and thought, why is there a /. story about networks in Nigeria?

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Am I the only one... by Anonymous Coward · · Score: 0

      No, i did the same.

  4. I'm certified in this by schitso · · Score: 4, Informative

    As someone certified and experienced in the Niagara framework, I can this with some authority:
    Most of the contractors who install this know absolutely nothing about security. NOTHING. Like, leaving the platform password (OS-level access) at its default. If anyone has the link to the actual exploit used, I'd be interested to read it, but it almost certainly comes down to bad security practice.

    1. Re:I'm certified in this by schitso · · Score: 1

      Say this, rather.

    2. Re:I'm certified in this by Anonymous Coward · · Score: 0

      I am guessing someone mandated this be done without first understanding it actually substantially increases the possibility of a multi-point mass attack. I am also guessing that almost no consideration was given to all the totally insecure legacy systems at each endpoint. Why not declare it tested, disconnect it, and oly reconnect nodes that have passed security testing and exploit attempts. CONSIDERING THE MAIN CONCERN IS REMOTE ATTACKS, THEY COULD TEST IT FROM CREECH.

    3. Re:I'm certified in this by Anonymous Coward · · Score: 5, Insightful

      As someone certified and experienced in the Niagara framework, I can this with some authority:
      Most of the contractors who install this know absolutely nothing about security. NOTHING.

      Imagine you design chainsaws. If most of your customers end up missing a limb, you probably fucked up the design.

      Do the 1-5-25 triage
      If 1% of your users have the problem, that's a user problem
      If 5% of your users have the problem, that's a documentation problem
      If 25% of your users have the problem, that's a design problem

      So, if most of the contractors installing Niagara are fucking up the security, then Niagara is to blame. If default passwords are a common problem, don't let the system function until the default is changed.

    4. Re:I'm certified in this by schitso · · Score: 2

      The problem is with the entire culture of this business, though. People would bitch about having to remember different passwords, or would use the same for every single install. The same goes for insecure IP CCTV systems. As far as I know, Axis is the only company that forces you to change the password. Most contractors are just too lazy or ignorant.

    5. Re:I'm certified in this by rjr162 · · Score: 2

      "If default passwords are a common problem, don't let the system function until the default is changed."

      Even something as common as DD-WRT understands this and requires you to enter a new password when you first access the router (granted you can change it to the existing default but hey, that's your own fault then). Then again look at the OE firmwares... they don't require a change and even Belkin routers which use a "default password" of nothing allows you to keep that as your password (when it prompts you just click "login" and in you go)

    6. Re:I'm certified in this by Anonymous Coward · · Score: 0

      Great to hear from you. So, does Tridium make any effort at all to see that the product is sold to, and handled by, security-aware professionals? Does it come with warnings, or at least a clear User Guide, that says don't use default passwords?

      Just digging thought Tridium's website, I'm not getting any impression on that one way or the other -- which is a really good sign. Marketing would usually play-up "easy to install!" if you didn't need skilled techs to do it.

      Other thing I'm looking for, and not finding there yet, is a list of Tridium certified contractors -- people they know have the skills, and have their refs checked in at least some way. You say you're certified, so, by who, Tridium? What was involved with that? Any followup structure? Does Tridium push clients to use certified people?

      That sort of thing; kindly give us some more detail of what it looks like from inside.

    7. Re:I'm certified in this by Anonymous Coward · · Score: 1

      You're pointing the finger at whoever made your door because you couldn't figure out how to lock it, so you ended up not locking it right then went away over the weekend and promptly got burglarized. I'm happy it takes a very costly specialist to secure these things and I'm glad it's so hard to get it right, because ... oh hey what a coincidence I'm a very costly specialist and yes especially government should pay until it's ass bleeds honey. To forestall your cattle moos: That way at least a few % of what they take from us actually comes back to us little guys directly. You got that right, buddy, 50% taxes go directly for tanks and missiles, the other 45% go to the banks for interest and the banks shove that money back into commie-greenie projects that work at so there's more taxes and less hot water for you to shower with. Why do you think Bank of America is getting to take people's property under property-tax liens they are permitted to buy?? How do you think that happened?

    8. Re:I'm certified in this by schitso · · Score: 1

      During the certification (which is done directly by Tridium, not their new owner Honeywell), they go over best practice, which includes security. There's actually several levels of certification, all of which I have taken, and they cover basic security practice (which should in all honesty be obvious to anyone) from the lowest level of certification. To my knowledge, it's not even possible for someone not certified to get the equipment.

    9. Re:I'm certified in this by Anonymous Coward · · Score: 1

      There are various ways to get there - Tridium offers classes, but there are a number of vendors who put their own sticker on Tridium's kit. They offer their own classes as well. One week of sitting in class, followed by an "exam" where you build a small system from scratch, and you're certified.

      The class I took was focused on setting the devices up to communicate with the lower-level hardware (in my case HVAC systems, although they're used in all kinds of applications) and getting a user interface put together. There is very little focus on network security, both because of a lack of time in the class and because by and large you're dealing with (again in my business) HVAC contractors. Almost none of them know a thing about networking. Some of them were doing good to figure out how to use the computer and software.

      Vendors who sell the product are supposed to verify the company they sell to has certified people to do the installs, but that takes just one person. You could easily have one person certified but several others poorly trained in-house or on-the-job doing the installs as well. Not that it matters in this case, as network security isn't a major focus of the class.

      I'm a computer nut who wound up in HVAC controls, so I do know about network security (not that I'm an expert) and it's a VERY hard sell to the end users. All they want is to see their system from home or on their phone, they don't want to hear about security. Throw in that the default setup is a simple username / password login box on a web page (even https is an extra-cost option), and the end-users will NOT use secure passwords, I've had a few jobs that really worried me. A few places will have a good IT staff with rules they can use to enforce security, but most sites don't bother - if there's actually an IT department at all.

    10. Re:I'm certified in this by dexotaku · · Score: 1

      So.. if you can't get the equipment without being certified, and all levels of the certification teach security "best practices" .. then the security problems can only be deliberate negligence.

    11. Re:I'm certified in this by schitso · · Score: 0

      Or ignorance. These contractors are all 40+ and very well set in their old-school (non-networked) ways. It's an entirely new world to them. One they aren't very adept at.

    12. Re:I'm certified in this by Anonymous Coward · · Score: 0

      Or ignorance. These contractors are all 40+ and very well set in their old-school (non-networked) ways. It's an entirely new world to them. One they aren't very adept at.

      dude.. leave some respect here..40+ is nothing. I am an old UNIX guy now doing consulting, and i can kick your ass on any "networked" way your weak ass can handle - very adept.. where the fuck do you come up with your phrases?

    13. Re:I'm certified in this by dexotaku · · Score: 2

      Ignorance after training is just stupidity. There's no excuse after it's been [allegedly] pointed out to you a number of times.

      Retranslated: if training includes this information, there's no excuse.

    14. Re:I'm certified in this by SpzToid · · Score: 1

      But times are changing, because we learn as each comes to pass. Sometimes by listening carefully and considering the wisdom of others that have passed before. Or else The Hard Way can also serve as an effective teacher.

      Oh wait, your post also dealt with accountability. Nevermind.

      --
      You can't be ahead of the curve, if you're stuck in a loop.
    15. Re:I'm certified in this by schitso · · Score: 1

      But they're 40+ in a field that, until very recently, has never had to deal in any way with networking. They generally are almost computer illiterate. No offense intended to 40+ still in their own field.

    16. Re:I'm certified in this by DarkFall · · Score: 2

      In this case, it's not that simple.

      It's an industry issue. Building automation has been changing from a mechanical, trades-based industry, to a data-driven, high-tech one much more rapidly than the workforce.

      The majority of controls technicians have little networking knowledge, even less programming knowledge, approaching 0 design knowledge, and absolutely no data and computer systems foundations yet are pretty well versed in the mechanical systems, engineering, electrical subtrades group. To be a good controls tech these days you need a LOT of all those other things and giving a damn about security requires one to understand why it's important. Most techs assume that if there's a password, it's "secure enough" and "not my problem" yet the systems are extremely complex (for good reason). This Niagara issue is primarily a bad-practices issue as the other poster mentioned. The Niagara Framerwork is not DD-WRT or other such network tool, it's much, much more complex than that and properly securing a system requires some study, some planning (this is almost always missing) and some deliberate attempt to understand the many different levels of access permissions that need to be granted to a system depending on the function of the person logging in. Furthermore, even IF the controls tech from the vendor has done the appropriate work to properly secure a system, once it's turned over to the facility and their maintenance, you're relying on the operators who are by no means experts in the field, to continue to administer the system, issue users and access privileges and maintain some kind of access policy. Can Tridium do more? A little, but not a whole lot. You can already use SSL, HTTPS and certificate based security for all your connections if you wished. You can already granulate the access to every single resource in a system. They could make it more obvious to change the platform (OS level) access, but it would only go so far because the likelihood of vendors making that password universal across all sites is very, very high. There are good eggs out there, don't get me wrong, but as usual, the problem isn't the system, it's lack of knowledge.

      For all computer, network and design folks out there, if you really want to challenge yourselves and discover a world you've never even considered existed, try the controls and building automation industry. You need to know a lot of different things, know them really really well, but if you do, you'll print your own money.

  5. ply to this by Quakeulf · · Score: 2

    I can't wait to see the whole country getting screwed over by the push of a button!

    1. Re:ply to this by Anonymous Coward · · Score: 0

      very patriotic, moron, very patriotic..

      this doesn't mean my dick stands in attention when i see the flag, but all of you morons who think "boom" is the best sound and a dynamite is cool, is the fucking reason why veterans are rotting in the streets and dictatorships (think hitler) like china are "ruling" the world.

  6. Holy shit by Anonymous Coward · · Score: 2, Funny

    can we at least spell "Niagara" correctly?

    1. Re:Holy shit by cyber-vandal · · Score: 1

      Too many viagaras possibly.

  7. OK by Anonymous Coward · · Score: 0

    I wasn't the only one to read 'Viagra' for 'Niagra' was I?

  8. Seems like... by stigamet · · Score: 1

    ...Niagra couldn't erect a firewall.

  9. Basically Wrong by sociocapitalist · · Score: 1

    None of this infrastructure should be on the Internet anyway. Anything that we don't want the rest of the world to have access to shouldn't be online.

    And don't give me shit about saving money or convenience because at some point you have to have stop trying to save money and do it right, even if it takes more effort.

    --
    blindly antisocialist = antisocial
    1. Re:Basically Wrong by Anonymous Coward · · Score: 0

      I thought that those movies where government or mysterious types can simply hack into any system, anyplace, are science fiction. Now to find out that it's real.

  10. But ... by Anonymous Coward · · Score: 0

    does it run Stuxnet?

  11. It's not just one vendor... by MiniMike · · Score: 2

    This is an industry wide problem that has been known for a long time, and is just recently receiving wider attention. For example, Wired had two articles on this topic in January alone. The SCADA/controls industry really needs to get their act together

  12. over-hyped concern by Anonymous Coward · · Score: 0

    Yes, these system are "lightly" secured...but so what? If someone gets in and shuts down the cooling or heating system, then the maintenance people get called and the system is restarted. A bit of a hassle and the event may cost a few $$ - but the impact will probably be minimal for most buildings. In older buildings the HVAC systems may fail periodically anyway, so no big deal. Applying heavy network security to these types of system is just dumb. So what if some goober fanboy goes in and pokes around. If it is clear that someone is poking around, then the phone/data line gets pulled from the JACE panel switch and life goes on...

    1. Re:over-hyped concern by Anonymous Coward · · Score: 0

      Wow- these trolls are getting good! But nobody could be that ignorant and still know how to type. Were you trying for funny?

  13. Viagra by Anonymous Coward · · Score: 0

    Yes, I was reading viagra. Don't ask me why.

  14. Tempest in a teapot by Anonymous Coward · · Score: 0

    The security vulnerability affects systems with the guest account enabled. I too am certified (since 2006) and I'm under 40 :-) I have hundreds of these systems installed - ZERO of them have the guest account enabled. The security researcher basically got into a demo site (nothing physically controlled by this). I do agree with the other "certified" poster, there are thousands of clueless controls contractors out there.

    Security Alert:
    http://www.niagara-central.com/ord?portal:/dev/wiki/Niagara_AX_Framework_Software_Security_Alert
    ICS-CERT Alert:
    http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-195-01.pdf (PDF)
    Steps to Secure Niagara:
    http://www.niagara-central.com/ord?portal:/blog/BlogEntry/229