Tridium’s Niagara AX Framework Software controls millions of industrial control systems, heating, lighting, and security devices via the Internet. The U.S. Department of Homeland Security (DHS) issued a vulnerabilities warning that the company’s software, with 300,000 copies installed globally, contains a directory traversal flaw and weak credential storage. Attackers can potentially access and download files containing the usernames and passwords of everyone who accesses a Niagara server within their company.
What to do? The alert indicates that a quick but temporary “fix” is to disable the “guest” and “demo” user accounts on the Niagara server and to use the “lockout” feature to block access after multiple failed attempts. The alert also called on those with industrial control systems to disconnect their control systems networks from the business networks so that the control systems are not reachable from the Internet. Beyond the interim moves, the company is working on a solution.
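A practical complement to the interim steps above is to watch the server's web access log for the kind of request a directory traversal flaw is abused with. The following is an added example, not code from Tridium, DHS or ICS-CERT; it assumes a Common Log Format access log (the Niagara log layout is not described here) and runs over constructed sample lines. It percent-decodes each request target repeatedly, so double-encoded `..` sequences are unmasked, normalises backslashes, flags any `..` path segment, and then counts flagged requests per source address so that a source crossing a threshold can be tied to the same "lockout after multiple attempts" idea the alert recommends for logins.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). The hosts, paths
# and file names are invented for this example and do not come from any
# real Niagara installation.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2012:10:01:02 -0400] "GET /download?file=report.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [12/Jul/2012:10:01:07 -0400] "GET /download?file=../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [12/Jul/2012:10:01:09 -0400] "GET /download?file=..%2f..%2fconfig.cfg HTTP/1.1" 200 7731
10.0.0.9 - - [12/Jul/2012:10:01:11 -0400] "GET /download?file=%252e%252e/%252e%252e/users.cfg HTTP/1.1" 200 931
10.0.0.7 - - [12/Jul/2012:10:01:40 -0400] "GET /download?file=%2e%2e%5c%2e%2e%5cusers.cfg HTTP/1.1" 404 210
10.0.0.12 - - [12/Jul/2012:10:02:00 -0400] "GET /login HTTP/1.1" 200 2200
"""

# Common Log Format: source, ident, user, [timestamp], "METHOD target PROTO", status, size
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." segment: preceded by start-of-string or a non-dot character (so "..." is
# not matched) and followed by a slash or end-of-string.
DOTDOT_RE = re.compile(r'(?:^|[^.])\.\.(?:/|$)')


def fully_decode(target, max_rounds=3):
    """Percent-decode until stable (bounded) so %252e%252e becomes '..',
    then fold backslashes to slashes so Windows-style separators are caught."""
    prev, cur, rounds = None, target, 0
    while cur != prev and rounds < max_rounds:
        prev, cur = cur, unquote(cur)
        rounds += 1
    return cur.replace('\\', '/')


def is_traversal(target):
    """True if the decoded request target contains a '..' path segment."""
    return bool(DOTDOT_RE.search(fully_decode(target)))


def scan_log(text):
    """Return (source, target, status) for every request that looks like traversal."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed request records
        if is_traversal(m['target']):
            hits.append((m['src'], m['target'], m['status']))
    return hits


def sources_over_threshold(hits, threshold=3):
    """Sources whose number of flagged requests reaches the threshold; candidates
    for the same lockout treatment the alert recommends for repeated logins."""
    counts = Counter(src for src, _, _ in hits)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for src, target, status in found:
        print(f"traversal attempt from {src}: {target} (HTTP {status})")
    print("sources over threshold:", sources_over_threshold(found))
```

The HTTP status is kept in each hit on purpose: a traversal request answered with 200 and a non-trivial byte count is the one that most likely succeeded and deserves the first look, while 404s still tell you who is probing.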
The ICS-CERT Alert was initially held back until the company could prepare patches, but it seems that word leaked, causing the Alert to be broadcast anyway.
Attempts to hack industrial control systems, water supplies, and power services are becoming more prevalent. To date, most attacks have harassed and embarrassed their targets rather than caused real harm, but the number of incidents is growing.
Are companies taking these attempts seriously enough?