* Experts found new flaws in building control systems
* Bugs make buildings vulnerable to attack via Internet
* Honeywell working to resolve problems quickly
By Joseph Menn
SAN JUAN, Puerto Rico, Feb 5 A widely used
system for controlling electricity, heating and other systems
inside buildings remains vulnerable to attacks over the
Internet, despite warnings from U.S. officials, researchers said
The Niagara control system from Honeywell International
Inc's Tridium division are configured to connect to the
Internet by default, even though that is not necessary for them
to function, two researchers from security firm CyLance said at
a security conference in San Juan, Puerto Rico.
The pair, Billy Rios and Terry McCorkle, uncovered
vulnerabilities last year that prompted the Department of
Homeland Security to warn customers to change their settings and
resulted in Honeywell releasing a software update that the two
researchers previously said had successfully addressed the
Yet they revealed on Tuesday they have since uncovered new
flaws in Tridium's technology that continue to make customers
vulnerable to attack via the Internet.
They showed they could take control of a Niagara system
using a new piece of software they had written to demonstrate
the vulnerabilities in the system.
They declined to explain their techniques out of concern
that malicious hackers might try to copy their methods. They
said attackers could accomplish the same ends by taking
advantage of weak encryption and passwords stored internally on
the Tridium control devices.
Once inside, hackers could wreak havoc with the physical
environment and in many cases could also jump to a building's
main office computers, McCorkle said.
"It's a little worrisome," McCorkle said. "Don't put it on
A Honeywell spokesman said the company was working to
address the new problems as quickly as possible and would alert
customers of the risks.
"We appreciate the fact that Mr. Rios and Mr. McCorkle are
continuously reminding the user community of these sorts of
vulnerabilities and we share their interest in getting them
fixed," said Honeywell spokesman Mark Hamel.
Department of Homeland Security spokesman Peter Boogaard
declined to comment on the security of the Niagara technology.
Poor security in industrial control systems, including those
that run manufacturing facilities and power plants, has become
an intense focus for security researchers and hackers alike
since 2010 when the Stuxnet virus surfaced.
Stuxnet attacked Iran's nuclear program, targeting
centrifuges at a uranium enrichment facility running on widely
used control systems from German conglomerate Siemens AG
. It exploited previously unknown security flaws in
Scores of security experts have since rushed to identify
similar bugs in an effort to prevent malicious hackers from
launching potentially devastating attacks on power systems,
chemical plants, water utilities and other facilities that run
on industrial control systems technology.
In their presentation, the two researchers showed that some
21,000 Niagara systems used at hospitals and other facilities
can currently be accessed via the public Internet, using a
specialized search engine known as Shodan.
Many Niagara customers do not realize their systems are
attached to the internet because they were originally installed
by outside contractors, the two said.
Building operators typically control Niagara systems
directly from inside the facilities they control, with Internet
access surviving as a back-up, they said.
Experts in industrial control systems security compare the
problems to those in the early days of Microsoft Corp's
Windows software for PCs. But they warn it will be harder to fix
the bugs because equipment often remains in place for decades
and some manufacturers have no easy way to get security
improvements to their customers.
Rios said they notified Tridium of their most recent
findings and that the division hoped to have a fix available to
customers of the current version of Niagara within a week, with
fixes for older versions coming later.
A spokeswoman for Tridium said she could not immediately
comment on the findings from Rios and McCorkle.