Their company, Richmond-based Tridium, would succeed — but with far-reaching implications for the security of the online universe known as cyberspace.
Tridium’s driving technology, 4 million lines of software code called the Niagara Framework, is a marvel of innovation. With the click of a mouse, Niagara enables plant managers to view video streams, high-rise superintendents to operate air conditioners and elevators, security officials to track personnel inside U.S. military facilities, and nurses to monitor medical devices in hospitals.
At least 11 million devices and machines in 52 countries, including security and surveillance systems in homes, have been linked to the Internet through Niagara, most of them in the past two years. But behind that success is a looming threat: an unknown number of Niagara-run networks are vulnerable to attacks from hackers, an examination by The Washington Post has found.
Last week, after more than a month of conversations with The Post, the company in a confidential security bulletin warned customers about the vulnerabilities and described ways to mitigate them.
“We’re not going to say Niagara is secure,” Sublett said in an interview. “We try to soften it and say we’re trying to make it as secure as possible.”
Tridium’s story illustrates the unintended consequences of the world’s rush to connect machines and devices in cyberspace. It also demonstrates how even small missteps in writing software or configuring systems can have huge implications. In cyberspace, determined hackers routinely transform obscure gaps into major security holes.
Over the past two years, hackers and cyberwarriors who once focused primarily on traditional computers and networks have put control systems in their crosshairs, damaging machinery, stealing information from networks and spying on facilities. Warnings from the Department of Homeland Security about the threats have become a drumbeat, while officials at the Pentagon and the White House consider them a national security priority.
After discussing Tridium with a Post reporter, a pair of security researchers decided on their own to zero in on Niagara and discovered gaps that would enable hackers to download and decrypt user names and passwords. The researchers, Billy Rios and Terry McCorkle, shared their findings with The Post and reported them to cybersecurity officials at the Department of Homeland Security, who recommended several measures to Tridium, including better security training for customers.
“There are hundreds of thousands of installations on networks, including [Defense Department] installations and Fortune 500 firms,” said Rios, a 34-year-old security researcher and a co-author of “Hacking: The Next Generation,” a handbook for security experts. “These customers have no idea they are exposed.”