Google is hacked through Tridium Niagara Framework

According to news from InfoSecurity Magazine, Researchers at Cylance have hacked a Tridium Niagara system at Google’s Australian office building. This should be a wakeup call for many in the industry building or implementing control systems tied to the Internet. Security is a very important cornerstone for all products that reside on a connected network. These researchers, Billy Rios and Terry McCorkie, should be thanked profusely for bringing these security issues to light. Their work is far from over with nearly every Energy Management System now having a cloud computing component; fortifying the need for security to be included at the beginning of the product design cycle.

Google is not alone; according to the researchers’ scans there are over 25,000 other Tridium systems connected to the Internet, some of which are likely vulnerable. Most in product development know that security is an ongoing process that requires diligence and fast responses. If you’re technology is being hacked, the best thing you can do is acknowledge the problem and fix it fast. The alternative is media nightmare.

I believe hacks in control systems are particularly dangerous because of the blurred area of responsibility within an organization. Please forgive me for overgeneralizing, the majority of the time an energy management system (EMS), building automation system (BAS), or industrial control system (ICS) is implemented, it’s by someone specializing in controls. All the modern EMS, BAS, or ICS products communicate over the network, and commonly over the Internet. And in general, the group that is most responsible for the integrity and security of the network (and connected devices) is the IT organization. If these two groups don’t engage in regular dialog, an IT group may never be made aware of potential security issue to fix.

There is a growing need for IT groups to be well versed in the EMS, BAS, or ICS products that connect to their networks. Vendors, like Tridium, regularly communicate with their customers and inform them of best practices, updates, and security patches. Update and security patch information sent to someone focused on controls may never be forwarded to an IT group responsible for network security. Even though a good company like Tridium does everything they can to inform customers, some will simply not get the message leaving unpatched systems connected to the Internet.

The buck will stop with poor folks responsible for security—even if they were unaware of the need to patch a system.