Tridium Boosts Security in New Release of Niagara Framework

New Features in Niagara Framework 3.7 Include Enhanced Security and Built-in Mobile Support

Today, Tridium, the Honeywell subsidiary that makes the Niagara Framework, pushed a significant update to its flagship software product.

For those unfamiliar, the Niagara Framework is a popular software platform that integrates various control systems and devices and allows them to be managed over the Internet. The Framework is used in industrial control systems as well as building automation systems including environmental controls, security, lighting, energy, and fire and safety. Think everything from large office buildings and facilities such as airports, hospitals, and government buildings, to Department of Defense deployments and more.

According to Tridium, security enhancements in NiagaraAX Framework 3.7 include expanded encryption, and full support for public key infrastructure (PKI) with certificate management tools similar to what is available in standard web browsers or web servers.

“Encryption is now available for the core connection types used in all Niagara installations including HTTP connections, Fox connections, and Niagara platform connections,” the company explained.

“NiagaraAX Release 3.7, our highly anticipated release of the Niagara Framework, contains several new features including significant security enhancements, user interface improvements, and mobile application support,” said Tridium Chief Technology Officer, John Sublett. “Security is very important to our customers, so with this release Tridium has included Workbench tools for certificate management as well as expanded SSL/TLS capabilities.”

Back in July of this year, US-CERT issued a warning after independent security researchers Billy Rios and Terry McCorkle identified multiple vulnerabilities in Tridium’s Niagara AX Framework that allowed an attacker to conduct a directory traversal attack, a type of attack in which a request retrieves files outside the directories the application is meant to serve. From there, the researchers were able to use proof-of-concept (PoC) exploit code to download and decrypt a file containing user credentials from a server, a vulnerability type classified as “weak credential storage”.

These vulnerabilities have been fixed in version 3.7, a Tridium spokesperson confirmed to SecurityWeek on Monday.

Other security features added in this release of NiagaraAX 3.7 include enhanced password security supporting common practices like expiring passwords, password history, and forcing a password change on first logon.

In addition to the mobile and security features, NiagaraAX 3.7 includes an expanded photo-realistic graphics library, enhanced history reporting, and greater branding opportunities. Several mobile applications now come standard with the Framework, the company said.

Tridium’s website boasts that over 318,000 instances of its Java-based Niagara Framework are operating around the world.