Crossing the Security Boundary with Internet Enabled Applications
On Monday, April 8, 2013 the headline of The Morning Dowload daily email from the Wall Street Journal, titled “The Morning Download: Hackers Used Building Energy-Management Systems”, authored by Michael Hickins, editor, reported a dangerous security vulnerability in a piece of Facilities Management (FM) software manufactured by a unit of Honeywell, Inc, Tridium. The “Niagara” system software from Tridium can be used to manage automated building control processes including, temperature, access control systems and more. Researchers have found security vulnerabilities in the software, which, the report notes, Tridium has patched on at least 2 occasions.
The Tridium software is not described as a cloud offer. But it is capable of data communications over the internet. On April 5, 2013, Rachel King quoted two staff member os Cylance who discovered the vulnerabilities. They specifically pointed out ” . . . insecure storage of user names and passwords” (quoted from Rachel King’s article of April 5, 2013, a link to which has been provided in this post). We followed up our read of this article with a visit to the US Department of Homeland Security web site, where we ran a search for “Tridium.” The results specifically described the “insecure storage” (which, we need to note, was originally reported by Wired on December 13, 2012 in an article written by Kim Zetter, titled FBI Memo: Hackers Breached Heating System via Backdoor as a “backdoor” vulnerability.
Any and all software packages under serious consideration for FM applications, Industrial Control Systems (ICSs), and Supervisory Control and Data Acquisition (SCADA) systems must be thoroughly researched by anyone looking for this type of solution. How the application handles data communication with a Human Machine Interface (HMI) must be very carefully scrutinized. If the application is capable of data communications over the internet, a thorough search of prominent web sites like the US DHS web site must be conducted for the specific product name and manufacturer name to gain an understanding of any security vulnerabilities found to be built into the product.
There is a clear line between types of internet security exploits. Some are directly attributable to user errors. But the Tridium Niagara example is of a different variety, which resulted from flaws in the design of the software, itself. This latter type of vulnerability is easier for most organizations to avoid, while the former is more complicated.
© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved