Security Street Knowledge
  • Video: Industrial Control and Building Automation at Risk


    The rapidly changing world of technology continues to be leveraged to improve our daily lives by making everything we do more efficient.  Through building automation devices, our lights can be controlled to save on electricity, water plant systems can be monitored for efficiency, fire detection systems can be remotely monitored for alerts, and ICS devices are used to ensure HVAC systems are running at their maximum efficiency.  Improvements in such smart buildings are made through software such as the NiagaraAX Framework by Tridium.  NiagaraAX is a Java Application Control Engine (JACE) running on a small appliance or installed as a desktop fat client.  The beauty of NiagaraAX is its flexibility to integrate with various protocols, such as BACnet or Modbus, typically used in many PLC, SCADA and building automation environments.

    At present we have an integrated architecture where Industrial Control Systems are no longer isolated from traditional networking equipment.  In fact, a quick search using the SHODAN search engine will reveal thousands of NiagaraAX devices accessible over the Internet. A weakness within this system could allow an attacker access to critical environmental controls.

    A July Washington Post article highlighting security researchers Billy Rios’ and Terry McCorkle’s discovery of a backdoor vulnerability noted that Niagara controls are linked to at least 11 million devices and machines in 52 countries. The 4 million-line piece of software enables industrial and commercial facility managers, as well as homeowners, to track a range of systems. The Niagara Framework is used to manage 110,000 sensors in Singapore’s Changi Airport, facilities in 575 Wawa convenience stores across the U.S. and heating and lighting for a number of federal government offices.

    What is more troubling is that many of these devices are being exposed to the public Internet with little to no security controls.  Let me elaborate: there are many systems in your country, city or organization that may be exposed to the Internet with absolutely no requirement for a username or password.  Yep, just point, click and YOU ARE IN!


    The Video: This revelation motivated me to do a little ‘vulnerability research’ on the NiagaraAX Framework. To share my findings, I decided to create a short video illustrating how an attacker can leverage multiple weaknesses to hack into a building’s automation system. The objective is to give security professionals a peek into the world of vulnerable industrial control systems so that they may understand the importance of ICS risk assessments and protecting their Industrial Control & Automation networks.

    Note: Most of the NiagaraAX vulnerabilities have been fixed with the latest software update version: or Major Release 3.7. However, you can still find older/vulnerable versions with a SHODAN query:

    Niagara -www-authenticate country: US Web Server/3.5.39 ord’


