Slashdot Mirror


Niagra Framework Leaves Government, Private Infrastructure Open To Hacks

benfrog writes "Tridium's Niagra framework is a 'marvel of connectivity,' allowing everything from power plants to gas pumps to be monitored online. Many installations are frighteningly insecure, though, according to an investigation by the Washington Post, leaving both public and private infrastructure potentially open to simple hacks (as simple as a directory traversal attack)."

12 of 40 comments

  1. Re:I must say... by ackthpt · · Score: 4, Funny

    Niagra, please!

    Niagra Fails?

    --

    A feeling of having made the same mistake before: Deja Foobar
  2. NIAGARA FALLS! by TheGoodNamesWereGone · · Score: 2

    .... Slowly I turned, step by step, inch by inch...

  3. I'm certified in this by schitso · · Score: 4, Informative

    As someone certified and experienced in the Niagara framework, I can say this with some authority:
    Most of the contractors who install this know absolutely nothing about security. NOTHING. Like, leaving the platform password (OS-level access) at its default. If anyone has the link to the actual exploit used, I'd be interested to read it, but it almost certainly comes down to bad security practice.

    1. Re:I'm certified in this by Anonymous Coward · · Score: 5, Insightful

      As someone certified and experienced in the Niagara framework, I can say this with some authority:
      Most of the contractors who install this know absolutely nothing about security. NOTHING.

      Imagine you design chainsaws. If most of your customers end up missing a limb, you probably fucked up the design.

      Do the 1-5-25 triage
      If 1% of your users have the problem, that's a user problem
      If 5% of your users have the problem, that's a documentation problem
      If 25% of your users have the problem, that's a design problem

      So, if most of the contractors installing Niagara are fucking up the security, then Niagara is to blame. If default passwords are a common problem, don't let the system function until the default is changed.

    2. Re:I'm certified in this by schitso · · Score: 2

      The problem is with the entire culture of this business, though. People would bitch about having to remember different passwords, or would use the same for every single install. The same goes for insecure IP CCTV systems. As far as I know, Axis is the only company that forces you to change the password. Most contractors are just too lazy or ignorant.

    3. Re:I'm certified in this by rjr162 · · Score: 2

      "If default passwords are a common problem, don't let the system function until the default is changed."

      Even something as common as DD-WRT understands this and requires you to enter a new password when you first access the router (granted you can change it to the existing default but hey, that's your own fault then). Then again look at the OE firmwares... they don't require a change and even Belkin routers which use a "default password" of nothing allow you to keep that as your password (when it prompts you just click "login" and in you go).
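
The design rule debated in the comments above (refuse to operate until the factory password is replaced, and do not accept the default back as the "new" password), sketched as an added example; it is not code from Tridium, DD-WRT or any commenter. The `Controller` class, the `admin` default, the 12-character minimum and the PBKDF2 iteration count are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

DEFAULT_PASSWORD = "admin"  # constructed factory default, not a real product's
MIN_LENGTH = 12             # assumed policy value
ITERATIONS = 600_000        # assumed PBKDF2-HMAC-SHA256 work factor


class SetupRequired(Exception):
    """Raised when the device is used before the factory password is replaced."""


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Controller:
    def __init__(self):
        self._salt = os.urandom(16)
        self._hash = _derive(DEFAULT_PASSWORD, self._salt)
        self._provisioned = False  # flips only after a real password change

    def _check(self, password: str) -> bool:
        # Constant-time comparison of the derived keys.
        return hmac.compare_digest(_derive(password, self._salt), self._hash)

    def change_password(self, current: str, new: str) -> None:
        if not self._check(current):
            raise PermissionError("current password is wrong")
        # Refuse empty, short, unchanged, or "changed back to default" values.
        if len(new) < MIN_LENGTH or new == DEFAULT_PASSWORD or new == current:
            raise ValueError("new password rejected by policy")
        self._salt = os.urandom(16)
        self._hash = _derive(new, self._salt)
        self._provisioned = True

    def login(self, password: str) -> bool:
        # The factory credential is only good for calling change_password().
        if not self._provisioned:
            raise SetupRequired("change the factory password first")
        return self._check(password)
```

A per-device gate like this cannot detect an installer reusing one strong password across every site, which is the limit raised further down the thread.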

    4. Re:I'm certified in this by dexotaku · · Score: 2

      Ignorance after training is just stupidity. There's no excuse after it's been [allegedly] pointed out to you a number of times.

      Retranslated: if training includes this information, there's no excuse.

    5. Re:I'm certified in this by DarkFall · · Score: 2

      In this case, it's not that simple.

      It's an industry issue. Building automation has been changing from a mechanical, trades-based industry, to a data-driven, high-tech one much more rapidly than the workforce.

      The majority of controls technicians have little networking knowledge, even less programming knowledge, approaching 0 design knowledge, and absolutely no data and computer systems foundations yet are pretty well versed in the mechanical systems, engineering, electrical subtrades group. To be a good controls tech these days you need a LOT of all those other things and giving a damn about security requires one to understand why it's important. Most techs assume that if there's a password, it's "secure enough" and "not my problem" yet the systems are extremely complex (for good reason). This Niagara issue is primarily a bad-practices issue as the other poster mentioned. The Niagara Framework is not DD-WRT or other such network tool, it's much, much more complex than that and properly securing a system requires some study, some planning (this is almost always missing) and some deliberate attempt to understand the many different levels of access permissions that need to be granted to a system depending on the function of the person logging in. Furthermore, even IF the controls tech from the vendor has done the appropriate work to properly secure a system, once it's turned over to the facility and their maintenance, you're relying on the operators who are by no means experts in the field, to continue to administer the system, issue users and access privileges and maintain some kind of access policy. Can Tridium do more? A little, but not a whole lot. You can already use SSL, HTTPS and certificate based security for all your connections if you wished. You can already granulate the access to every single resource in a system. They could make it more obvious to change the platform (OS level) access, but it would only go so far because the likelihood of vendors making that password universal across all sites is very, very high. There are good eggs out there, don't get me wrong, but as usual, the problem isn't the system, it's lack of knowledge.

      For all computer, network and design folks out there, if you really want to challenge yourselves and discover a world you've never even considered existed, try the controls and building automation industry. You need to know a lot of different things, know them really really well, but if you do, you'll print your own money.

  4. ply to this by Quakeulf · · Score: 2

    I can't wait to see the whole country getting screwed over by the push of a button!

  5. Holy shit by Anonymous Coward · · Score: 2, Funny

    can we at least spell "Niagara" correctly?

  6. It's not just one vendor... by MiniMike · · Score: 2

    This is an industry wide problem that has been known for a long time, and is just recently receiving wider attention. For example, Wired had two articles on this topic in January alone. The SCADA/controls industry really needs to get their act together.