Vulnerabilities in Tridium Niagara Framework Result in Unauthorized Access to a New Jersey Company’s Industrial Control System
- 5 pages
- For Official Use Only
- July 23, 2012
(U//FOUO) In February and March 2012, unauthorized IP addresses accessed the Industrial Control System (ICS) network of a New Jersey air conditioning company, US Business 1. The intruders used a backdoor into the ICS that gave access to the main control mechanism for the company’s internal heating, ventilation, and air conditioning (HVAC) units. US Business 1 was using the Tridium Niagara ICS, which has been widely reported in the media to contain multiple vulnerabilities that could allow an attacker to remotely control the system.
(U//FOUO) On 21 and 23 January 2012, an unknown subject posted comments on a known US website, titled “#US #SCADA #IDIOTS” and “#US #SCADA #IDIOTS part-II”. The postings were linked to the moniker “@ntisec” and indicated that hackers were targeting SCADA systems this year and that something had to be done to address SCADA vulnerabilities.
(U) The user of the “@ntisec” moniker searched Google, and the website www.shodanhq.com, for the terms “:(unknown character) slot:/” and “#TRIDIUM / #NIAGARA vector”. The posting by “@ntisec” included a list of URLs, one of which was an IP address that resolved to US Business 1 and was assigned to its office building’s HVAC control system.
(U//FOUO) The main control box for the HVAC system of US Business 1 was a Tridium brand, Niagara model controller. US Business 1 actively used this system in-house, but also installed the control system for customers, which included banking institutions and other commercial entities. An IT contractor of US Business 1 confirmed the Niagara control box was directly connected to the Internet with no interposing firewall.
(U//FOUO) The controller for the system at US Business 1 was password protected but was set up for remote/Internet access. The backdoor URL published in the hacktivist’s posting provided the same level of access to the company’s control system as the password-protected administrator login: it required no password and allowed direct access to the control system.
(U//FOUO) Logs from the controller at US Business 1 dated back to 3 February 2012, and access to the controller was found from multiple unauthorized international and US-based IP addresses.
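The report describes a controller exposed directly to the Internet, a control path reachable without a login, and controller logs showing access from multiple unauthorized IP addresses. The following added example (not from the report, and not Tridium Niagara’s own log format or code) shows the kind of review a defender can run over such logs: it parses constructed sample lines, flags every request from a source address outside an approved management range, and separately lists requests that reached control pages with no authenticated user recorded. The log line layout, the approved networks, and the addresses are all constructed for illustration.

```python
"""Flag controller accesses that did not come from an approved network.

Added example: the log format, addresses and paths below are constructed for
illustration and are not Tridium Niagara's own log format.
"""
import ipaddress
from collections import Counter

# Networks from which remote access to the controller is expected. These are
# assumed management ranges; a real deployment substitutes its own allow-list.
APPROVED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]

# Constructed sample lines: "<timestamp> <source-ip> <request-path> <user-or-dash>"
# A dash in the last field means no authenticated user was recorded.
SAMPLE_LOG = """\
2012-02-03T08:12:01Z 10.20.4.7 /login admin
2012-02-03T09:44:19Z 203.0.113.45 /hvac/floorplan -
2012-02-04T02:03:55Z 198.51.100.9 /hvac/floorplan -
2012-02-04T02:04:12Z 198.51.100.9 /hvac/zone/12/setpoint -
2012-02-05T11:30:00Z 192.0.2.14 /login admin
2012-02-06T23:59:59Z 203.0.113.45 /hvac/zone/3/setpoint -
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, path, user)."""
    ts, ip, path, user = line.split()
    return ts, ipaddress.ip_address(ip), path, user


def is_approved(ip):
    """True if the source address falls inside any approved network."""
    return any(ip in net for net in APPROVED_NETWORKS)


def find_unauthorized(log_text):
    """Return entries whose source address is outside the approved networks.

    Each entry is (timestamp, ip-string, path, user-or-'-').
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, path, user = parse_line(line)
        if not is_approved(ip):
            hits.append((ts, str(ip), path, user))
    return hits


def unauthenticated_control_hits(hits):
    """Entries that reached a control page with no authenticated user.

    This is the pattern a password-less backdoor into the control interface
    leaves behind: control paths served to sessions that never logged in.
    """
    return [h for h in hits if h[3] == "-" and h[2].startswith("/hvac/")]


def summarize(hits):
    """Count flagged requests per source address, most active first."""
    return Counter(ip for _, ip, _, _ in hits).most_common()


if __name__ == "__main__":
    flagged = find_unauthorized(SAMPLE_LOG)
    for ts, ip, path, user in flagged:
        print(f"{ts} {ip} {path} user={user}")
    print("per-source counts:", summarize(flagged))
    print("unauthenticated control access:", len(unauthenticated_control_hits(flagged)))
```

The allow-list check is the cheap first pass; in the incident described above, the absence of any interposing firewall meant there was no allow-list at all, so every external address that found the URL could reach the controller. The second filter matters because a backdoor that bypasses the login does not show up as a failed authentication; it shows up as control activity with no user attached.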
(U//FOUO) The URL that linked to the control system of US Business 1 provided access to a Graphical User Interface (GUI), which provided a floor plan layout of the office, with control fields and feedback for each office and shop area. All areas of the office were clearly labeled with employee names or area names.
(U) On 13 July 2012, the Department of Homeland Security released an ICS-CERT alert entitled “Tridium Niagara Directory Traversal and Weak Credential Storage Vulnerability”, which detailed vulnerabilities within the Niagara AX ICS that are exploitable by downloading and decrypting the file containing user credentials from the server.
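The alert names directory traversal as the route by which a credential file on the server becomes downloadable through the web interface. The following added example (not from the report and not Tridium’s code) shows the generic guard a web-exposed controller interface needs against that vulnerability class: a client-supplied path is percent-decoded once, joined to the document root, normalized, and served only if it still resolves inside that root. The directory layout and file names built by make_sample_tree() are constructed for illustration; the private file stands in for a credential store that must never be reachable from the web root.

```python
"""Reject directory-traversal requests before any file is read.

Added example, not from the report and not Tridium's code: a generic guard for
the vulnerability class the ICS-CERT alert names. The directory layout and file
names created by make_sample_tree() are constructed for illustration.
"""
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a client-supplied path would resolve outside the root."""


def resolve_under_root(root, requested):
    """Map a client-supplied path onto a file inside `root`, or raise.

    The request is percent-decoded once (as a web server does before routing),
    joined to the root, and normalized with resolve(), which collapses '..'
    segments and follows symlinks. The result is accepted only if it still lies
    under the resolved root, so '..', absolute paths, encoded forms and symlinks
    pointing outside the tree are all rejected by the same check.
    """
    root = Path(root).resolve()
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in request path")
    candidate = (root / decoded).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise TraversalError(f"path escapes document root: {requested!r}") from None
    return candidate


def is_safe_request(root, requested):
    """True if the request resolves inside root, False if it would escape."""
    try:
        resolve_under_root(root, requested)
        return True
    except TraversalError:
        return False


def read_public_file(root, requested):
    """Read a file for a client, refusing anything outside the public root."""
    return resolve_under_root(root, requested).read_bytes()


def make_sample_tree():
    """Build a constructed layout: a public web root beside a private config dir.

    Returns the public root. The private file is a constructed stand-in for a
    credential store that must never be reachable through the web interface.
    """
    base = Path(tempfile.mkdtemp(prefix="niagara-example-"))
    public = base / "public"
    public.mkdir()
    (public / "index.html").write_text("<h1>floor plan</h1>")
    private = base / "config"
    private.mkdir()
    (private / "users.properties").write_text("admin=hashed-secret-placeholder")
    return public


if __name__ == "__main__":
    root = make_sample_tree()
    for req in ("index.html", "../config/users.properties",
                "..%2Fconfig%2Fusers.properties", "/etc/passwd"):
        print(f"{req!r:40} safe={is_safe_request(root, req)}")
```

Two design points: the check is done on the fully resolved path rather than by searching the raw string for "..", because encoded, doubled or symlinked variants all collapse to the same resolved location; and the credential file lives outside the public root entirely, so even a bug in the guard leaves it behind a second boundary. A credential store that is never served by the web layer also cannot be downloaded through it, which is the exposure the alert describes.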
(U) According to the Tridium website, over 300,000 instances of Niagara AX Framework are installed worldwide in applications that include energy management, building automation, telecommunications, security automation and lighting control.