Rios and McCorkle worked with the newspaper in an investigation of Tridium’s Niagara Framework, which enables millions of devices to be linked and controlled via the internet.
The researchers discovered security gaps in Niagara that could enable hackers to download and decrypt user names and passwords, among other issues.
In a follow-up blog post to the report, Rios and McCorkle said they were “disappointed” that it took so long for the security gaps in the Niagara Framework to be publicly exposed, and that the US government continued to purchase the Niagara software even though an audit last year had turned up critical, remotely exploitable vulnerabilities.
“We are disappointed that our taxpayer money paid for the ignored security audit, paid for the acquisition, and paid for the implementation/deployment of known vulnerable software. We’d like to challenge our nation’s leadership to evaluate the failures in our current processes surrounding the acquisition of software that supports critical infrastructure and industrial control systems”, they wrote.
At the same time, the researchers had praise for the Department of Homeland Security’s ICS-CERT. After being informed of the security issues, ICS-CERT has been making “every effort” with Tridium to get the problems fixed. “We especially want to thank those ICS-CERT analysts who kept us apprised of developments despite the lack of response and unwillingness of Tridium to accept responsibility for the issue”, they wrote.
Rios and McCorkle chastised Tridium for its inaction and “eagerness to blame the customer.” In the Washington Post article, Tridium founder John Sublett said that the company was trying to better communicate to customers the security risks in cyberspace.
The researchers scoffed at Tridium’s view that its customers needed to be better informed about security. “The root cause of these issues is poor design and coding practices from Tridium itself. Maybe Tridium should invest in training their developers about security first”, they concluded.