Niagara Vulnerabilities Show Security Flaws in Infrastructure

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

My goodness. I take some time off for a vacation, and I can’t believe all the security news that happened while I was having fun away from the computer. Yahoo passwords got breached. Malware was found in the Apple Store. Malware was found in Instagram — which was announced the day after my traveling partner asked me if Instagram was known to have security-related issues. My response was, “Not that I know of now, but in the security world, that could change tomorrow.” I had no idea how correct I'd be on that one.

Unfortunately, the bad guys never take a vacation.

Now I’m back to work, and as soon as I logged on to my computer, I was greeted with news of serious vulnerabilities on a network system that controls HVAC operations, elevators, physical security systems and other critical operations.

While I know that security of the critical utility infrastructure is a growing concern, I admit that I didn’t realize there was a network system that covered a broad spectrum of a building’s interior infrastructure. I wouldn’t have imagined that a company’s security alarm system would be controlled by the same network that controls air conditioning and heating. And this Internet network is used across a number of industries like the military and hospitals. According to an article on Ars Technica:

The defects in the Niagara Framework, which links more than 11 million devices in 52 countries, could allow malicious hackers to seize control of critical infrastructure, an article published by The Washington Post warned. The vulnerabilities were unearthed by Billy Rios and Terry McCorkle, two researchers who have spent the past 18 months exposing security holes in a variety of ICS, or industrial control systems.

The company that developed Niagara, Tridium, began to privately warn customers about the vulnerabilities, according to The Washington Post. And security experts have provided tips on what companies should do to protect themselves until the fixes are available, including not allowing third-party guests access to the system and shutting down the system’s Internet access.

This comment is a little disturbing: One of the researchers said that the security of iTunes is better than the security for Niagara and similar systems. What a comforting thought: The elevator I’m riding in could be disabled by a hacker but I can still download my music safely as my elevator car plunges to the basement.

OK, that example might be a little extreme, but you get the point. As virtually everything that makes life easier is connected to an Internet network, we leave ourselves more vulnerable to the whims of the bad guys. Eugene Kaspersky of Kaspersky Lab said to me that it is only a matter of time until the bad guys are taking control of our smart homes, our office buildings, our computer-laden cars. What he didn’t say is lax security on the front end of these systems will only make matters worse.