Niagra Framework Leaves Government, Private Infrastructure Open To Hacks
benfrog writes "Tridium's Niagra framework is a 'marvel of connectivity,' allowing everything from power plants to gas pumps to be monitored online. Many installations are frighteningly insecure, though, according to an investigation by the Washington Post, leaving both public and private infrastructure potentially open to simple hacks (as simple as a directory traversal attack)."
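The summary mentions directory traversal as one of the simple attacks found. The following is an added example, not Niagara's code or anything from the Washington Post investigation: a naive static-file path resolver with the classic traversal flaw, beside a hardened version that normalises the decoded path and refuses anything that does not land strictly under the document root. The document root, request strings and rejection rules are constructed for illustration.

```python
"""Directory traversal: a vulnerable path resolver and a hardened one.

Added example. WEB_ROOT and all request strings are constructed for
illustration; nothing here is taken from Niagara or from a real site.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/opt/app/static"  # assumed document root (constructed)


def resolve_naive(requested: str) -> str:
    """Vulnerable: URL-decode the request, glue it onto WEB_ROOT and
    normalise. Nothing stops '..' segments from walking above the root,
    so '../../../etc/passwd' resolves to the real /etc/passwd."""
    return posixpath.normpath(WEB_ROOT + "/" + unquote(requested))


def resolve_safe(requested: str) -> Optional[str]:
    """Hardened resolver. Returns the on-disk path, or None to reject.

    Rules (constructed for the example):
      * decode exactly once; if a '%' survives decoding the request is
        double-encoded or malformed, so reject rather than guess;
      * reject NUL bytes and backslashes, which some stacks treat as
        separators or terminators even on POSIX;
      * normalise lexically, then require the result to sit strictly
        below WEB_ROOT (prefix check against 'WEB_ROOT/').
    """
    decoded = unquote(requested)
    if "%" in decoded or "\x00" in decoded or "\\" in decoded:
        return None
    # Strip leading slashes so posixpath.join cannot treat the request
    # as an absolute path and discard WEB_ROOT.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    root_prefix = WEB_ROOT.rstrip("/") + "/"
    if candidate == WEB_ROOT or not candidate.startswith(root_prefix):
        return None
    return candidate


def demo() -> dict:
    """Run a few constructed requests through both resolvers."""
    requests = [
        "css/site.css",
        "../../../etc/passwd",
        "..%2f..%2f..%2fetc%2fpasswd",   # encoded separators
        "%252e%252e/%252e%252e/etc/passwd",  # double-encoded dots
    ]
    return {r: (resolve_naive(r), resolve_safe(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, safe) in demo().items():
        print(f"{req!r:45} naive={naive!r:30} safe={safe!r}")
```

The point of the two-function layout is that the vulnerable version is not obviously wrong to read; the flaw is the absence of the post-normalisation containment check, which is the one line an auditor should look for in any handler that maps request paths to files.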
I must say... (Score:1)
Niagra, please!
Re:I must say... (Score:5, Funny)
Niagra, please!
Niagra Fails?
Seems like... (Score:1)
Re: (Score:2)
Even better, the "Niagra" is a consistent misspelling by the submitter. It is actually called Niagara, as the submitter could have discovered by RTFA he linked to. (And Tridium's corporate website also calls it Niagara.)
NIAGARA FALLS! (Score:3)
Am I the only one... (Score:2)
I'm certified in this (Score:5, Informative)
Most of the contractors who install this know absolutely nothing about security. NOTHING. Like, leaving the platform password (OS-level access) at its default. If anyone has the link to the actual exploit used, I'd be interested to read it, but it almost certainly comes down to bad security practice.
Re:I'm certified in this (Score:5, Insightful)
As someone certified and experienced in the Niagara framework, I can say this with some authority:
Most of the contractors who install this know absolutely nothing about security. NOTHING.
Imagine you design chainsaws. If most of your customers end up missing a limb, you probably fucked up the design.
Do the 1-5-25 triage
If 1% of your users have the problem, that's a user problem
If 5% of your users have the problem, that's a documentation problem
If 25% of your users have the problem, that's a design problem
So, if most of the contractors installing Niagara are fucking up the security, then Niagara is to blame. If default passwords are a common problem, don't let the system function until the default is changed.
Re: (Score:2)
But times are changing, because we learn as each comes to pass. Sometimes by listening carefully and considering the wisdom of others that have passed before. Or else The Hard Way can also serve as an effective teacher.
Oh wait, your post also dealt with accountability. Nevermind.
Re: (Score:2)
"If default passwords are a common problem, don't let the system function until the default is changed."
Even something as common as DD-WRT understands this and requires you to enter a new password when you first access the router (granted you can change it to the existing default but hey, that's your own fault then). Then again look at the OE firmwares... they don't require a change and even Belkin routers which use a "default password" of nothing allows you to keep that as your password (when it prompts y
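The two posts above make the same design argument: a system that ships with a default password should refuse to do anything useful until that password is changed, and (the DD-WRT loophole mentioned) the change flow should not accept the default back. The following is an added example, not Niagara's or DD-WRT's code, of a login gate that enforces both rules. The user name, the default password, the minimum length and the action names are all hypothetical.

```python
"""First-use credential gate: nothing works until the factory default is
replaced, and the replacement may not be the default itself.

Added example. DEFAULT_USER, DEFAULT_PASSWORD, the action names and the
policy numbers are constructed for illustration, not a vendor's values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

DEFAULT_USER = "platform"        # hypothetical factory account
DEFAULT_PASSWORD = "changeme"    # hypothetical factory default
MIN_LENGTH = 12                  # policy value chosen for the example
PBKDF2_ROUNDS = 100_000


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user: str
    salt: bytes
    digest: bytes
    must_rotate: bool  # True from the factory until a real password is set


def factory_account() -> Account:
    """The state a device ships in: default credential, rotation pending."""
    salt = os.urandom(16)
    return Account(DEFAULT_USER, salt, _digest(DEFAULT_PASSWORD, salt), must_rotate=True)


def verify(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_digest(password, acct.salt), acct.digest)


def authorize(acct: Account, password: str, action: str) -> str:
    """Gate every request. Returns 'denied', 'rotate-required' or 'ok'.

    While must_rotate is set, a correct password unlocks exactly one
    action, 'change_password'; reads, writes and OS-level access stay
    blocked, so a device left at the default cannot be used at all."""
    if not verify(acct, password):
        return "denied"
    if acct.must_rotate and action != "change_password":
        return "rotate-required"
    return "ok"


def change_password(acct: Account, current: str, new: str) -> bool:
    """Rotate the credential. Rejects the factory default, an unchanged
    password and anything shorter than MIN_LENGTH; the first two close
    the 'set it back to the default' loophole."""
    if not verify(acct, current):
        return False
    if new == DEFAULT_PASSWORD or new == current or len(new) < MIN_LENGTH:
        return False
    acct.salt = os.urandom(16)
    acct.digest = _digest(new, acct.salt)
    acct.must_rotate = False
    return True


if __name__ == "__main__":
    acct = factory_account()
    print(authorize(acct, DEFAULT_PASSWORD, "read_points"))      # rotate-required
    print(change_password(acct, DEFAULT_PASSWORD, DEFAULT_PASSWORD))  # False
    print(change_password(acct, DEFAULT_PASSWORD, "a long unique passphrase"))  # True
    print(authorize(acct, "a long unique passphrase", "read_points"))  # ok
```

The gate sits in the authorization path rather than in a first-boot wizard, so it cannot be bypassed by closing the wizard or by talking to a second interface (an API, a JMX-style platform port) that the wizard never covered; every entry point calls the same `authorize` and sees the same `must_rotate` flag.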
Re: (Score:1)
You're pointing the finger at whoever made your door because you couldn't figure out how to lock it, so you ended up not locking it right then went away over the weekend and promptly got burglarized. I'm happy it takes a very costly specialist to secure these things and I'm glad it's so hard to get it right, because ... oh hey what a coincidence I'm a very costly specialist and yes especially government should pay until its ass bleeds honey. To forestall your cattle moos: That way at least a few % of what
Re: (Score:2)
In this case, it's not that simple.
It's an industry issue. Building automation has been changing from a mechanical, trades-based industry, to a data-driven, high-tech one much more rapidly than the workforce.
The majority of controls technicians have little networking knowledge, even less programming knowledge, approaching 0 design knowledge, and absolutely no data and computer systems foundations yet are pretty well versed in the mechanical systems, engineering, electrical subtrades group. To be a good cont
Re: (Score:2)
Retranslated: if training includes this information, there's no excuse.
Re: (Score:1)
There are various ways to get there - Tridium offers classes, but there are a number of vendors who put their own sticker on Tridium's kit. They offer their own classes as well. One week of sitting in class, followed by an "exam" where you build a small system from scratch, and you're certified.
The class I took was focused on setting the devices up to communicate with the lower-level hardware (in my case HVAC systems, although they're used in all kinds of applications) and getting a user interface put tog
Holy shit (Score:2, Funny)
Can we at least spell "Niagara" correctly?
Re: (Score:2)
Too many viagaras possibly.
Basically Wrong (Score:2)
None of this infrastructure should be on the Internet anyway. Anything that we don't want the rest of the world to have access to shouldn't be online.
And don't give me shit about saving money or convenience because at some point you have to stop trying to save money and do it right, even if it takes more effort.
It's not just one vendor... (Score:3)
This is an industry wide problem that has been known for a long time, and is just recently receiving wider attention. For example, Wired had two articles on this topic in January alone. The SCADA/controls industry really needs to get their act together.