Honeywell vulnerability exposes building systems to cyber attacks | Facilities Dive



Researchers have found vulnerabilities in the Niagara Framework, developed by a Honeywell company, which could allow attackers to disable building automation and security systems.

Vulnerabilities have been discovered in Honeywell's smart building middleware that could allow hackers to manipulate physical systems or disable security alarms, cybersecurity firm Nozomi Networks Labs said Wednesday.

Researchers at the cybersecurity firm have discovered 13 vulnerabilities affecting the Niagara Framework, which was developed by Tridium, a Honeywell company.

Once an attacker gains access to a network, they could use the vulnerability to pivot across an organization's network to target IoT or IT systems, Nozomi Networks said. This could enable malicious actors to alter building automation processes, disable critical systems or cause broader outages that could lead to safety risks, service interruptions or financial losses, the company said.

Tridium's Niagara Framework is a software framework designed to connect, manage and control diverse devices in building management, industrial automation and smart infrastructure environments, Tridium says. It acts as a vendor-neutral middleware platform that allows systems like HVAC, lighting, energy management and security to interoperate, making it a critical backbone for many internet of things technologies across industries worldwide, Nozomi Networks said.

More than a million instances of the Tridium Niagara Framework exist globally, BankInfo Security reported.

Because Niagara often connects critical systems and sometimes bridges IoT technology and information technology (IT) networks, it could represent a high-value target, Nozomi Networks said. A vulnerability in Niagara has the potential to not only threaten digital assets; it can also lead to other real-world consequences, impacting safety, productivity and service continuity across sectors like commercial real estate, healthcare, transportation, manufacturing and energy.

These vulnerabilities are fully exploitable if a Niagara system is misconfigured, thereby disabling encryption on a specific network device, which produces a warning on the security dashboard. If chained together, they could allow an attacker with access to the same network, such as through a Man-in-the-Middle (MiTM) position, to compromise the Niagara system, Nozomi Networks said.

The firm noted that vulnerability would depend on a specific network service being configured without encryption, allowing an attacker to collect sensitive data from the network.

The vulnerability was discovered in Niagara Framework version 4.13, with the vendor confirming that Niagara Framework and Niagara Enterprise Security version 4.10u10 and earlier and 4.14u1 and earlier are affected. A full list of vulnerabilities can be found here.

Tridium addressed the vulnerabilities earlier this year through security patches for the Niagara Framework and released a technical bulletin strongly urging asset owners and operators to address the vulnerabilities.

In addition to updating systems, Tridium says that owners should:

- review and validate users who are authorized and can authenticate Niagara;
- allow only trained and trusted persons to have physical access to the system, including connected devices;
- consider using a VPN or other means to ensure secure remote connections into the network; and
- sign all modules and program objects provided by third-party teams.

Additionally, the company urges operators to review the Niagara Hardening Guide and implement recommended techniques for securing installations, and to review the security dashboard for current installations that may have any warnings or errors.

