Folks…a firewall isn’t enough. You should not even leave the ports open for these devices. the only way to have a remote chance of doing this safely is to use a vpn so your connection is encrypted then you can get it. Honestly for these systems that are deemed critical it is simply foolish to have it on the internet at all…it will get taken over even with firewalls and vpn’s in place. Unless folks really want to use proper security(which most don’t) these incidents are not only going to continue but will grow in size and damage potential..or damage actually caused. Small businesses are also very lax in their security postures these days. many of the compromises could be avoided with some simple behavioral changes…technology can’t solve the issue if the issue is the loack of good security habits by their human operators or caretakers.
Hackers illegally accessed the Internet-connected controls of a New Jersey-based company’s internal heating and air-conditioning system by exploiting a backdoor in a widely used piece of software, according to a recently published memo issued by the FBI.
The backdoor was contained in older versions of the Niagara AX Framework, which is used to remotely control boiler, heating, fire detection, and surveillance systems for the Pentagon, the FBI, the US Attorney’s Office, and the Internal Revenue Service, among many others. The exploit gave hackers using multiple unauthorized US and international IP addresses access to a “Graphical User Interface (GUI), which provided a floor plan layout of the office, with control fields and feedback for each office and shop area,” according to the memo, which was issued in July. “All areas of the office were clearly labeled with employee names or area names.”
An IT contractor for the unnamed business told FBI agents the “Niagara control box was directly connected to the Internet with no interposing firewall,” according to the memo, which was published Saturday by Public Intelligence. The website has an established track record of posting authentic government documents. Barbara Woodruff, a spokeswoman in the Newark, New Jersey division of the FBI, where the memo originated, said the document appeared to be authentic.
The unauthorized access began in February, a few weeks after someone using the Twitter handle @ntisec posted comments indicating hackers were targeting SCADA—or supervisory control and data acquisition—systems. One tweet included a list of Internet addresses, including one that was assigned to the heating system belonging to the New Jersey business. The hack came five months before security researchers Billy Rios and Terry McCorkle blew the whistle on serious vulnerabilities in the Niagara system, which is marketed by Tridium, a company with US offices located in Richmond, Virginia.
Only getting worse
The revelation that Niagara vulnerabilities have been actively exploited in the wild is significant because the system is widely used to control critical equipment used around the world. Further, the number of Internet-facing Niagara systems appears to be growing. A search using the Shodan computer search engine late last year found about 16,000 systems, with more than 12,000 of those based in the US, according to Billy Rios, one of the security researchers who documented the vulnerabilities in the industrial control system. This year, the same search returned more than 20,000 systems, with about 16,000 of them in the US. While patches released earlier this year apply only to versions 3.5 and 3.6 of Niagara, Shodan continues to show “tons” of systems running earlier versions, including 1.1, Rios said.
“These things keep popping up,” he told Ars. “It’s not going away. It’s getting worse.”
Perhaps the only other documented case of an industrial control system being breached in the US came in 2009, when a security guard abused his physical access to breach computers that controlled air-conditioning systems at a Texas hospital. The intrusion came to light after he posted a screenshots and other evidence showing he had control of the systems that cool operating rooms and other critical areas of the Texas facility, where temperatures regularly hit the triple digits. He has spent most of his time since in federal prison.