The DHS and ICS-CERT have issued a warning about security flaws in the popular Tridium Niagara AX industrial control system software.
The software is at the heart of most of the US infrastructure, and security experts claim that its protection is laughable.
First, there is a series of major, remotely exploitable vulnerabilities in the applications that could be used to take over vulnerable systems.
According to Threatpost, the bugs found by researchers Billy Rios and Terry McCorkle are just the latest of many found in the ICS software packages. It would appear that the only thing that has saved the US utilities from being taken down is the fact that the software was esoteric and no one bothered to learn how it worked.
The latest string of bugs includes a directory traversal issue that lets an attacker get into restricted files. Niagara software stores user credentials where they can be seen, and there are publicly available exploits for some of the vulnerabilities.
For example, Tridium Niagara AX is not configured to deny access to restricted parent directories. This means that an attacker can access the file that stores all system usernames and passwords.
All they would have to do is send a request to the Web server running on port 80/TCP, ICS-CERT warned. Not only that, but password storage was a joke.
User authentication credentials are stored in the Niagara station configuration file, config.bog, which is located in the root of the station folder. It is not as if a hacker would not think of looking there.
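A defender's check for the issue ICS-CERT describes, as an added example that is not from the advisory or from Tridium: it scans web access logs for directory traversal sequences and for requests naming config.bog, and records whether the server answered with a 2xx status. The log lines, their Common Log Format layout and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (assumed Common Log Format), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2020:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
192.0.2.44 - - [01/Jan/2020:10:03:17 +0000] "GET /files/../../config.bog HTTP/1.1" 200 48211
192.0.2.44 - - [01/Jan/2020:10:03:40 +0000] "GET /files/%2e%2e%2fconfig.bog HTTP/1.1" 404 0
192.0.2.51 - - [01/Jan/2020:10:05:09 +0000] "GET /img/%252e%252e/logo.png HTTP/1.1" 403 0
192.0.2.10 - - [01/Jan/2020:10:06:00 +0000] "GET /docs/config.bog.html HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def normalise(target, rounds=3):
    """Percent-decode repeatedly so double-encoded '..' is still seen."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/").lower()

def classify(target):
    """Return the reasons a request target looks like a credential-file probe."""
    segments = re.split(r"[/?&=]", normalise(target))
    reasons = []
    if ".." in segments:
        reasons.append("traversal")
    if "config.bog" in segments:
        reasons.append("config.bog")
    return reasons

def scan(log_text):
    """Return (source, reasons, served) per suspicious line; served = 2xx reply."""
    findings = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        src, target, status = m.groups()
        reasons = classify(target)
        if reasons:
            findings.append((src, reasons, status.startswith("2")))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set to True means the station may have returned the credential file, so the accounts it holds should be treated as exposed.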
But what makes the problem worse is the glacial speed at which Tridium is moving to fix the problems. The company was told about the flaws a year ago and ICS-CERT has been working with them.
But the researchers claim that Tridium was unresponsive to the problems. Now users are starting to find them.
ICS-CERT had its hands tied, as it did not want to make too much noise about the problem because hackers would start swotting up on the systems to break into them.
Tridium has now issued an alert about the problems and also published a patch to address them.
McCorkle said the company was stuck in the Nineties and the state of ICS security is laughable.