DHS issues warning on widely used industrial control system software
The Homeland Security Department issued July 13 an alert warning of security problems with widely used industrial control system software.
The Tridium Niagara AX Framework software platform integrates systems and devices for online management, according to the alert (.pdf), from the Industrial Control Systems Cyber Emergency Response Team.
More than 300,000 Niagara AX Frameworks are installed worldwide in applications that include energy management, building automation and telecommunications.
ICS-ALERT-12-195-01 says the specific problem is a directory traversal and weak credential storage vulnerability with the software's proof-of-concept code. The platform's vulnerabilities can be exploited by downloading from the server and decrypting the file containing the user credentials, ISC-CERT says.
Tridium issued its own 3-page security alert the same day as the ICS alert. It recommends taking the following steps to mitigate the security vulnerabilities:
- Disable the "guest" and "demo" user accounts if enabled
- Use the "Lock Out" feature to lock out accounts for excessive invalid login attempts
- Use strong passwords
- Change default credentials
- Limit user access to the file system following the instructions in the Niagara AX Framework Software Security Alert
- Ensure that control systems are not directly Internet-facing.
IT professionals also can perform a control system cybersecurity assessment using a free downloadable tool from the Control Systems Security Program run by the Department of Homeland Security.
ICS-CERT credits independent security researchers Billy Rios and Terry McCorkle with finding the vulnerability.
Cyber attacks on critical infrastructure could have been foiled with common precautions
DHS: no evidence that Flame targets industrial systems
ENISA: Data breach notification regulation could divert attention from causes
DHS to set up continuous monitoring at civilian agencies