
Niagra Framework Leaves Government, Private Infrastructure Open To Hacks

Posted by timothy
from the is-this-your-all-eggs-basket? dept.
benfrog writes "Tridium's Niagra framework is a 'marvel of connectivity,' allowing everything from power plants to gas pumps to be monitored online. Many installations are frighteningly insecure, though, according to an investigation by the Washington Post, leaving both public and private infrastructure potentially open to simple hacks (as simple as a directory traversal attack)."

  • by Anonymous Coward

    Niagra, please!

  • by TheGoodNamesWereGone (1844118) on Friday July 13, 2012 @07:23PM (#40644799)
    .... Slowly I turned, step by step, inch by inch...
  • Am I the only one who read this as "Nigeria" and thought, why is there a /. story about networks in Nigeria?
  • by schitso (2541028) on Friday July 13, 2012 @07:25PM (#40644813)
    As someone certified and experienced in the Niagara framework, I can this with some authority:
    Most of the contractors who install this know absolutely nothing about security. NOTHING. Like, leaving the platform password (OS-level access) at its default. If anyone has the link to the actual exploit used, I'd be interested to read it, but it almost certainly comes down to bad security practice.
    • by schitso (2541028)
      Say this, rather.
    • by Anonymous Coward on Friday July 13, 2012 @07:45PM (#40645009)

      As someone certified and experienced in the Niagara framework, I can this with some authority:
      Most of the contractors who install this know absolutely nothing about security. NOTHING.

      Imagine you design chainsaws. If most of your customers end up missing a limb, you probably fucked up the design.

      Do the 1-5-25 triage
      If 1% of your users have the problem, that's a user problem
      If 5% of your users have the problem, that's a documentation problem
      If 25% of your users have the problem, that's a design problem

      So, if most of the contractors installing Niagara are fucking up the security, then Niagara is to blame. If default passwords are a common problem, don't let the system function until the default is changed.

      • by schitso (2541028)
        The problem is with the entire culture of this business, though. People would bitch about having to remember different passwords, or would use the same for every single install. The same goes for insecure IP CCTV systems. As far as I know, Axis is the only company that forces you to change the password. Most contractors are just too lazy or ignorant.
        • by SpzToid (869795)

          But times are changing, because we learn as each comes to pass. Sometimes by listening carefully and considering the wisdom of others that have passed before. Or else The Hard Way can also serve as an effective teacher.

          Oh wait, your post also dealt with accountability. Never mind.

      • by rjr162 (69736)

        "If default passwords are a common problem, don't let the system function until the default is changed."

        Even something as common as DD-WRT understands this and requires you to enter a new password when you first access the router (granted you can change it to the existing default but hey, that's your own fault then). Then again look at the OE firmwares... they don't require a change and even Belkin routers which use a "default password" of nothing allow you to keep that as your password (when it prompts y

      • by Anonymous Coward

        You're pointing the finger at whoever made your door because you couldn't figure out how to lock it, so you ended up not locking it right then went away over the weekend and promptly got burglarized. I'm happy it takes a very costly specialist to secure these things and I'm glad it's so hard to get it right, because ... oh hey what a coincidence I'm a very costly specialist and yes especially government should pay until its ass bleeds honey. To forestall your cattle moos: That way at least a few % of what

      • by DarkFall (14299)

        In this case, it's not that simple.

        It's an industry issue. Building automation has been changing from a mechanical, trades-based industry, to a data-driven, high-tech one much more rapidly than the workforce.

        The majority of controls technicians have little networking knowledge, even less programming knowledge, approaching 0 design knowledge, and absolutely no data and computer systems foundations yet are pretty well versed in the mechanical systems, engineering, electrical subtrades group. To be a good cont

  • I can't wait to see the whole country getting screwed over by the push of a button!
  • Holy shit

    by Anonymous Coward

    can we at least spell "Niagara" correctly?

  • None of this infrastructure should be on the Internet anyway. Anything that we don't want the rest of the world to have access to shouldn't be online.

    And don't give me shit about saving money or convenience because at some point you have to stop trying to save money and do it right, even if it takes more effort.

  • by MiniMike (234881) on Saturday July 14, 2012 @07:57AM (#40647423)

    This is an industry wide problem that has been known for a long time, and is just recently receiving wider attention. For example, Wired had two articles on this topic in January alone. The SCADA/controls industry really needs to get their act together.
