On Friday the DHS ICS-CERT team published an alert about vulnerabilities in the Tridium Niagara AX Framework software. This is an unusual alert for a couple of reasons. First, the vulnerabilities were initially disclosed via a coordinated disclosure; second, they were outed by the Washington Post; and third, Niagara isn’t really an ‘industrial’ control system in the way most of us think of a control system.
Billy Rios and Terry McCorkle initially reported a directory traversal vulnerability and a weak credential storage vulnerability in the Tridium software to ICS-CERT. At first there wasn’t any action by Tridium, and ICS-CERT considered publishing an alert based upon that lack of action. Then Tridium responded and ICS-CERT withheld the alert. But then the Washington Post published an article about the vulnerabilities (Hey. ICS-CERT published a link to that article in a footnote in the Alert; more about that later.) (a nice, detailed and well written article by the way). So ICS-CERT was forced to publish this alert.
The Use of Niagara
The Niagara software is used to control a wide variety of devices in applications that include “energy management, building automation, telecommunications, security automation, machine to machine (M2M), lighting control, maintenance repair operations (MRO), service bureaus and total facilities management” (pg 2). Now these are certainly control applications, but not what is usually thought of as ‘industrial control’ (though the only actual ICS attack that ICS-CERT has reported was on a building automation system). On a special note, however, we should probably be really concerned about this vulnerability in ‘security automation’; physical security systems are certainly part of cybersecurity.
Tridium has provided some interesting mitigation measures that can be taken while they are finishing work on a software update that will fix the problem. Those recommendations include:
• Disable the “guest” and “demo” user accounts if enabled.
• Use the “Lock Out” feature to lock out accounts for excessive invalid login attempts.
• Use strong passwords.
• Change default credentials.
• Limit user access to the file system following the instructions in the Niagara AX Framework Software Security Alert below.
• Ensure that control systems are not directly Internet facing.
Since the whole point of Niagara is the remote control of various devices via the Internet, the last point is kind of silly. I suppose what Tridium is trying to say is that access to the system should be through a virtual private network (VPN), but that is effectively not much protection when access to VPNs via any number of social networking attacks is so easily available. Hopefully, the patch will provide better security for these systems.
It was very interesting to see ICS-CERT not only acknowledge the identity of the agency that publicly disclosed the vulnerability (an improvement in process that I noted last year) but also provide a link to that disclosure. Back in February Dale Peterson and I discussed this in an exchange of comments here on this blog. We both agreed that it is important for ICS-CERT to provide links to disclosures.
This is the first time that an ICS-CERT publication has included such a link. I would like to think that the comments on this blog helped to influence the provision of that link. Unfortunately, I think that there is a better explanation for this disclosure: compared to the standard security researcher, the Washington Post is the 8,000 lb. gorilla in the room, and failure to provide the link might attract the wrath (and perhaps the legal department) of the WP.
To prove that I am wrong, all ICS-CERT has to do is ensure that all future alerts include links to the actual disclosure.