Tridium Boosts Security in New Release of Niagara Framework

New Features in Niagara Framework 3.7 Include Enhanced Security and Built-in Mobile Support

Today, Tridium, the Honeywell subsidiary that makes the Niagara Framework, pushed a significant update to its flagship software product.

For those unfamiliar, the Niagara framework is a popular software platform that integrates various control systems and devices and allows them to be managed over the Internet. The Framework is used in industrial control systems as well as building automation systems including environmental controls, security, lighting, energy, and fire and safety. Think everything from large office buildings and facilities such as airports, hospitals, and government buildings, to Department of Defense deployments and more.

According to Tridium, security enhancements in NiagaraAX Framework 3.7 include expanded encryption, and full support for public key infrastructure (PKI) with certificate management tools similar to what is available in standard web browsers or web servers.

“Encryption is now available for the core connection types used in all Niagara installations including HTTP connections, Fox connections, and Niagara platform connections,” the company explained.

“NiagaraAX Release 3.7, our highly anticipated release of the Niagara Framework, contains several new features including significant security enhancements, user interface improvements, and mobile application support,” said Tridium Chief Technology Officer, John Sublett. “Security is very important to our customers, so with this release Tridium has included Workbench tools for certificate management as well as expanded SSL/TLS capabilities.”

Back in July of this year, US-CERT issued a warning after independent security researchers Billy Rios and Terry McCorkle identified multiple vulnerabilities in Tridium’s Niagara AX Framework that allowed an attacker to conduct a directory traversal attack, a type of attack in which a request reaches files outside the directory an application is meant to serve, exposing files that were never intended to be accessible. From there, the researchers were able to use proof-of-concept (PoC) exploit code to download and decrypt a file containing user credentials from a server, a vulnerability type classified as “weak credential storage”.

These vulnerabilities have been fixed in version 3.7, a Tridium spokesperson confirmed with SecurityWeek on Monday.

Other security features added in this release of NiagaraAX 3.7 include enhanced password security supporting common practices like expiring passwords, password history, and forcing a password change on first logon.

In addition to the mobile and security features, NiagaraAX 3.7 includes an expanded photo-realistic graphics library, enhanced history reporting, and greater branding opportunities. Several mobile applications now come standard with the Framework, the company said.

Tridium’s website boasts that more than 318,000 instances of its Java-based Niagara Framework are operating around the world.

Related: Niagara Vulnerabilities Put Office Buildings, Airports, Hospitals at Risk  

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
