Building control system flaw opens door to hackers

Billy Rios and Terry McCorkle, researchers at security firm CyLance, uncovered vulnerabilities in The Niagara control system made by Honeywell International Inc's Tridium division last year that prompted the US Department of Homeland Security to warn customers to change their settings.

The warning resulted in Honeywell releasing a software update that successfully addressed the problems, but speaking at a security conference in San Juan, Puerto Rico on Tuesday they revealed they have since uncovered new flaws.

The system is configured to connect to the Internet by default, even though it is not necessary for them to function, and the pair showed they could take control of a Niagara system using a new piece of software they had written to demonstrate the vulnerabilities.

While they declined to explain their techniques out of concern that malicious hackers might try to copy their methods, they said attackers could accomplish the same ends by taking advantage of weak encryption and passwords stored internally on the Tridium control devices.

Once inside, hackers could wreak havoc with the physical environment of buildings using the system and in many cases could also jump to a building's main office computers.

"It's a little worrisome," Mr McCorkle said. "Don't put it on the net."

Poor security in industrial control systems, including those that run manufacturing facilities and power plants, has become a major focus for security researchers and hackers alike since 2010 when the Stuxnet virus surfaced.

Stuxnet attacked Iran's nuclear program, targeting centrifuges at a uranium enrichment facility running on widely used control systems from German conglomerate Siemens AG, by exploiting previously unknown security flaws in Siemens technology.

In their presentation, the two researchers showed that some 21,000 Niagara systems used at hospitals and other facilities can currently be accessed via the public Internet, using a specialized search engine known as Shodan.

Many Niagara customers do not realize their systems are attached to the internet because they were originally installed by outside contractors and building operators typically control Niagara systems directly from inside the facilities they control, with Internet access surviving as a back-up, they said.

It is feared it will be difficult to fix the bugs because equipment often remains in place for decades and some manufacturers have no easy way to get security improvements to their customers.

Mr Rios said they notified Tridium of their most recent findings and that the division hoped to have a fix available to customers of the current version of Niagara within a week, with fixes for older versions coming later.

A spokeswoman for Tridium said she could not immediately comment on the findings but Honeywell spokesman Mark Hamel said the company was working to address the new problems as quickly as possible and would alert customers of the risks.

He said: "We appreciate the fact that Mr Rios and Mr McCorkle are continuously reminding the user community of these sorts of vulnerabilities and we share their interest in getting them fixed."