The threat against industrial control systems (ICS) is very real. This is demonstrated by a recently published FBI memo which details a breach that affected a New Jersey air conditioning company’s ICS network.
According to the document, the hack occurred in February and March 2012. The hackers leveraged a backdoor in the ICS which allowed them to access the main control mechanisms for the organization’s internal heating, air conditioning and ventilation.
The New Jersey company had been using Tridium’s Niagara AX Framework, which is utilized worldwide in 300,000 instances for building automation, telecommunications, security automation and lighting control.
The targeted organization didn’t use such control systems only for themselves, but also installed them for customers, including financial institutions and other commercial entities.
The FBI reveals that a hacktivist posted some details related to vulnerabilities in Tridium Niagara ICS on a known US website back in January. A hacker using the @ntisec online moniker claimed to have utilized shodanhq.com to identify organizations that utilized the vulnerable systems.
The New Jersey firm had a controller set in place for the systems, which was password protected, but it was configured to allow remote access.
By exploiting the backdoor, the hackers circumvented the password protection and gained access to the company’s control systems with the same privileges as an administrator.
The attackers had published a URL that provided access to a graphical user interface representing floor plan layout of the office, control fields and feedback for each area. Everything was clearly labeled with area names and even employee names.
The vulnerabilities in Niagara AX systems were detailed back in July by ICS-CERT and Tridium finally issued a fix for them in August. However, one year had already passed since Billy Rios and Terry McCorkle reported the flaws to the company.