SecurityWeek

Tridium Boosts Security in New Release of Niagara Framework

New Features in Niagara Framework 3.7 Include Enhanced Security and Built-in Mobile Support

Today, Tridium, the Honeywell subsidiary that makes the Niagara Framework, pushed a significant update to its flagship software product.

For those unfamiliar, the Niagara Framework is a popular software platform that integrates various control systems and devices and allows them to be managed over the Internet. The Framework is used in industrial control systems as well as building automation systems, including environmental controls, security, lighting, energy, and fire and safety. Think everything from large office buildings and facilities such as airports, hospitals, and government buildings, to Department of Defense deployments and more.

According to Tridium, security enhancements in NiagaraAX Framework 3.7 include expanded encryption and full support for public key infrastructure (PKI), with certificate management tools similar to those available in standard web browsers or web servers.

“Encryption is now available for the core connection types used in all Niagara installations including HTTP connections, Fox connections, and Niagara platform connections,” the company explained.

“NiagaraAX Release 3.7, our highly anticipated release of the Niagara Framework, contains several new features including significant security enhancements, user interface improvements, and mobile application support,” said Tridium Chief Technology Officer, John Sublett. “Security is very important to our customers, so with this release Tridium has included Workbench tools for certificate management as well as expanded SSL/TLS capabilities.”

Back in July of this year, US-CERT issued a warning after independent security researchers Billy Rios and Terry McCorkle identified multiple vulnerabilities in Tridium’s Niagara AX Framework. The flaws allowed an attacker to conduct a directory traversal attack, a type of attack that lets one read files outside the directories an application is meant to expose, including files that were never intended to be accessible. From there, the researchers were able to use proof-of-concept (PoC) exploit code to download and decrypt a file containing user credentials from a server, a vulnerability type classified as “weak credential storage”.

These vulnerabilities have been fixed in version 3.7, a Tridium spokesperson confirmed to SecurityWeek on Monday.

Other security features added in NiagaraAX 3.7 include enhanced password security supporting common practices such as expiring passwords, password history, and forcing a password change on first logon.

In addition to the mobile and security features, NiagaraAX 3.7 includes an expanded photo-realistic graphics library, enhanced history reporting, and greater branding opportunities. Several mobile applications now come standard with the Framework, the company said.

Tridium’s website boasts that over 318,000 instances of its Java-based Niagara Framework are operating around the world.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
