The Department of Homeland Security on Friday warned that a popular system used by organizations around the world to manage millions of machines and devices over the Internet is vulnerable to attack from hackers.
The software system known as the Niagara Framework enables corporate, military, health-care and other users to remotely control or monitor medical devices, elevators, video cameras, security systems and a wide array of other sensitive operations.
In an alert issued Friday, cybersecurity officials said that Niagara users should immediately prohibit guest users, bolster passwords, cut off direct access to the Internet and take other steps to prevent hackers from exploiting configuration and software flaws.
“Disable the ‘guest’ and ‘demo’ user accounts if enabled,” says the alert, issued by the department’s Industrial Control Systems Cyber Emergency Response Team. The alert advised other steps:
●Lock out accounts that receive excessive invalid login attempts.
●Use stronger passwords.
●Change default user names and passwords.
●Limit user access to the file system.
The alert follows a Washington Post report Thursday that described Niagara and the vulnerabilities, which were discovered by two security specialists who work as “white hat” hackers, Billy Rios and Terry McCorkle. The system is vulnerable to a “directory traversal attack,” a well-known technique among hackers, the alert said. The attack could enable an intruder to access files containing user names and passwords.
Last week, Niagara’s maker, Richmond-based Tridium, privately warned customers about security problems. On Thursday, months after the firm was first notified of the issues, Tridium released a public alert.
Officials at DHS said they had delayed issuing a warning to allow Tridium to work on fixes.
“Incident response is an essential part of cybersecurity,” the department said in a statement, adding that it works closely with vendors and others in the process. “The number of incidents reported to DHS’s ICS-CERT has increased, partly due to this increased communication.”
In a blog post cited in the department’s cyberalert, Rios praised the department for its efforts but criticized Tridium.
“We are disappointed that it took so long for the public to become aware of this issue,” Rios said. “According to the Washington Post article, Tridium became aware of this vulnerability ‘almost a year ago, when a Niagara customer that uses the software to manage Pentagon facilities turned up issues in an audit.’ ”
Tridium’s parent company, Honeywell, issued a statement Friday responding to the alert.
“Tridium understands the importance of security and is committed to helping our customers make any necessary adjustments to their Niagara AX Framework software to ensure the highest security. We’ve released a security alert guiding our customers how to verify that their system is properly configured to protect against directory traversal. In addition, we will soon be providing a software update that hardens those settings against inadvertent user changes.”