Slashdot Mirror


Niagara Framework Leaves Government, Private Infrastructure Open To Hacks

benfrog writes "Tridium's Niagara framework is a 'marvel of connectivity,' allowing everything from power plants to gas pumps to be monitored online. Many installations are frighteningly insecure, though, according to an investigation by the Washington Post, leaving both public and private infrastructure potentially open to simple hacks (as simple as a directory traversal attack)."

3 of 40 comments

  1. Re:I must say... by ackthpt · Score: 4, Funny

    Niagra, please!

    Niagra Fails?

    --

    A feeling of having made the same mistake before: Deja Foobar
  2. I'm certified in this by schitso · Score: 4, Informative

    As someone certified and experienced in the Niagara framework, I can say this with some authority:
    Most of the contractors who install this know absolutely nothing about security. NOTHING. Like, leaving the platform password (OS-level access) at its default. If anyone has the link to the actual exploit used, I'd be interested to read it, but it almost certainly comes down to bad security practice.

    1. Re:I'm certified in this by Anonymous Coward · Score: 5, Insightful

      As someone certified and experienced in the Niagara framework, I can say this with some authority:
      Most of the contractors who install this know absolutely nothing about security. NOTHING.

      Imagine you design chainsaws. If most of your customers end up missing a limb, you probably fucked up the design.

      Do the 1-5-25 triage
      If 1% of your users have the problem, that's a user problem
      If 5% of your users have the problem, that's a documentation problem
      If 25% of your users have the problem, that's a design problem

      So, if most of the contractors installing Niagara are fucking up the security, then Niagara is to blame. If default passwords are a common problem, don't let the system function until the default is changed.
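
The last comment's suggestion (refuse to function until the default password is changed), as an added example that is not part of the thread and not Tridium's code. The `Controller` class, the `changeme` factory value and the 12-character minimum are assumptions made for illustration.

```python
import hashlib
import hmac
import os

FACTORY_DEFAULT = "changeme"  # constructed placeholder, not any real product's default


class DefaultCredentialError(RuntimeError):
    """Raised when services are started while the factory password is still set."""


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Controller:
    """Hypothetical device controller that ships with a factory password."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._stored = _kdf(FACTORY_DEFAULT, self._salt)
        self.serving = False

    def _matches(self, candidate: str) -> bool:
        # constant-time comparison of derived keys
        return hmac.compare_digest(_kdf(candidate, self._salt), self._stored)

    def uses_default(self) -> bool:
        return self._matches(FACTORY_DEFAULT)

    def login(self, password: str) -> str:
        if not self._matches(password):
            return "denied"
        # the factory password only unlocks the change-password step
        return "must_change_password" if self.uses_default() else "ok"

    def set_password(self, current: str, new: str) -> None:
        if not self._matches(current):
            raise PermissionError("current password incorrect")
        if new == FACTORY_DEFAULT or len(new) < 12:
            raise ValueError("must differ from the default and be 12+ characters")
        self._salt = os.urandom(16)
        self._stored = _kdf(new, self._salt)

    def start_services(self) -> bool:
        # the gate: no network-facing function while the default is in place
        if self.uses_default():
            raise DefaultCredentialError("factory password still set")
        self.serving = True
        return self.serving
```
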