Hmmm. I haven't bothered to try what you did.
Originally Posted by elitecodex
But if I had, I'd not have been surprised ... in the least.
It's not just a matter of Tridium-Niagara systems ... a heck of a lot of systems of all sorts still have the factory default user and password left in place. Or a name and password that a particular contractor uses as a default on all installations done by said contractor. Or a single super user name and password used by whomever in the customer's organization (fac depart head for instance) that's good for accessing everything in every site customer has. Or some other variation of the above.
Of course, that is only one issue ... though the most obvious ... and most easily corrected.
As I previously mentioned, in the case of where I work, one of the very first things we do when the Jace comes out of the shipping box is to change the default user names and passwords. We can't control what the customer-owner does or does not do later ... unless they have specified they want us to handle the security aspects for them (which we'll do if they want) ... but we choose to not be able to be blamed for leaving the factory defaults in place.
But whether or not customer site employs more and stronger methods ... is really up to them. We advise em, but we can't make em do a darn thing they don't want to do.
In the case of our own Jace boxes (and other similar devices) we have installed in our own facilities ... our own in house rules require VPN connections for remote access, unique user names and passwords for each of us, etc. Plus our own IT department has other measures in place. i.e. Scan and watch for suspicious activity. Lock out upon failed log-in attempts exceeding a certain number of tries. Only certain, designated, personnel can access certain portions of our in-house network. Likewise only certain personnel can transfer, open, manipulate, or whatever certain file types. And so forth.
But implementing such things takes extra time and effort, also coordination with and assistance from our IT department. Who're very cooperative and used to our needs since the company for whom I work not only does BAS, alarm/security systems, etc but also industrial/process controls systems.
However, a lot of folks and installations ... just don't bother to do much security wise. Or, the steps taken are haphazard at best.
i.e. One group of sites owned by a customer. VPN is required for remote access. However, if you're on one of the sites, linking in via wifi and their AP, they have a Guest account that's not at all secure, open for use to anyone. And you can get into their BAS system that way. User name and password isn't the Tridium default ... but it's easy as heck to guess ... and will give you unlimited rights and access.
At another set of sites, different customer, non-Tridium system, they've guarded web/browser access well enough ... but telnet is wide open.
Now, our more security conscious customers do a pretty good job of things.
Some more so than others. i.e. With some, if WE want access, to make changes, view and troubleshoot, etc ... it takes a call to their security folks, voice call. You then have to go through an authentication procedure so those folks can reasonably believe you are who you say you are, and then once that's done they issue temporary user name, password, and instructions for a VPN connection which will only work for a specified amount of time.
Still others ... forget it. You gotta go there in person, you'd better have previously submitted all relevant info for background and security check which has to have been completed before your arrival, have your picture and prints in their files, etc. Then you are given a time limited access.
But ... that's overkill for most customers. As previously discussed, actual threat should be reviewed and decision made as to how much is enough as concerns reasonable precautions.
i.e. If all that's gonna likely happen is someone is gonna make some unauthorized changes to set points that are not likely to damage equipment or endanger life ... probably not worth going through a lot of time and effort security wise.
OTOH, with some sites, i.e. I can think of a certain high value target which is all Tridium for everything, and the kind of target the bad guys would dearly love to hit ... not even a little doubt in my mind they would if they could ... you might want to take more steps and precautions.
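The post above mentions its IT department locking out a source after a certain number of failed log-in attempts and watching for suspicious activity. As an added example that is not part of the original post, and not code from Tridium or any product the thread discusses, here is a small monitor that applies such a rule to authentication log lines and also flags the case a BAS owner should care about most: a login that succeeds from a source that ought to be locked out. The log line format, the field names, the thresholds and the sample lines are all assumptions made for this illustration.

```python
"""Added illustration, not code from the forum post or from Tridium: a small
monitor that applies a 'lock out after N failed logins in a window' rule to
authentication log lines and flags the cases a BAS owner would want to know
about.  The log format, field names, thresholds and sample lines are all
assumed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy: 5 failures from one source within 10 minutes locks that
# source out for 30 minutes.  Real products expose these as settings; the
# numbers here are only an illustration.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=30)

# Assumed line format: "<ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+)\s+(FAIL|SUCCESS)\s+user=(\S+)\s+src=(\S+)$")

# Constructed sample log (not a capture from any real device).
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAIL user=admin src=10.1.5.23
2024-03-01T08:00:03 FAIL user=admin src=10.1.5.23
2024-03-01T08:00:05 FAIL user=admin src=10.1.5.23
2024-03-01T08:00:07 FAIL user=admin src=10.1.5.23
2024-03-01T08:00:09 FAIL user=admin src=10.1.5.23
2024-03-01T08:00:11 FAIL user=admin src=10.1.5.23
2024-03-01T08:01:30 FAIL user=jsmith src=10.1.5.40
2024-03-01T08:01:45 SUCCESS user=jsmith src=10.1.5.40
2024-03-01T08:04:00 SUCCESS user=admin src=10.1.5.23
2024-03-01T09:00:00 FAIL user=admin src=10.1.5.23
"""


class LockoutMonitor:
    """Tracks recent failures per source address and raises alerts."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.locked_until = {}               # src -> time the lockout expires
        self.alerts = []                     # (kind, src, user, timestamp)

    def is_locked(self, src, now):
        until = self.locked_until.get(src)
        return until is not None and now < until

    def observe(self, ts, result, user, src):
        if result == "SUCCESS":
            if self.is_locked(src, ts):
                # A login that succeeded while the source should have been
                # locked out means the device is not enforcing the policy.
                self.alerts.append(("SUCCESS_DURING_LOCKOUT", src, user, ts))
            else:
                self.failures[src].clear()
            return
        if self.is_locked(src, ts):
            return  # already locked; further attempts add nothing new
        recent = self.failures[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # drop failures that fell out of the window
        if len(recent) >= self.max_failures:
            self.locked_until[src] = ts + self.lockout
            recent.clear()
            self.alerts.append(("LOCKOUT", src, user, ts))


def analyze(log_text, monitor=None):
    """Feed every well-formed line into the monitor; return the alerts raised."""
    if monitor is None:
        monitor = LockoutMonitor()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        ts_text, result, user, src = m.groups()
        monitor.observe(datetime.fromisoformat(ts_text), result, user, src)
    return monitor.alerts


def locked_sources_at(log_text, iso_time):
    """Sources that would still be locked out at the given ISO timestamp."""
    monitor = LockoutMonitor()
    analyze(log_text, monitor)
    now = datetime.fromisoformat(iso_time)
    return sorted(src for src in monitor.locked_until if monitor.is_locked(src, now))


if __name__ == "__main__":
    for kind, src, user, ts in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:24} src={src} user={user}")
```

On the constructed sample, the fifth failure from 10.1.5.23 at 08:00:09 triggers the lockout, the sixth failure is ignored because the source is already locked, the successful login from the same source at 08:04:00 is flagged because it lands inside the 30-minute lockout, and the lone failure at 09:00:00 starts a fresh count after the lockout has expired. Keying the counter on the source address rather than only the user name is a deliberate choice: locking the account itself lets anyone who can reach the login page deny service to the real facilities staff.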
Well, I don't know that I'd make some statement like "it's the installer's fault". You don't think the customer, especially when talking about commercial, industrial, and/or governmental customers, bears at least equal responsibility/blame?
Originally Posted by elitecodex
Personally, I think they have the primary responsibility. Unless they've hired me to be their security consultant/implementer. Otherwise, I take the basic steps, then ADVISE them as concerns others I think should be taken. Whether or not they take the advice is up to them.
Just my opinion, and not worth 2 cents more than that.
I believe the customer has some responsibility, but the customer can't be expected to know how to secure a system that is a proverbial black box... unless they take the initiative to send an employee to get certified themselves. Which I guess would be a positive thing, but that costs money... and come on, who wants to spend any more money than necessary. And even that has its downside... putting the security of a whole system in the hands of someone fresh out of certification class is an accident (and/or service call) waiting to happen.
I agree about advising and taking the basic steps. Customers that have their networks publicly accessible, especially, should definitely be made aware of the security risks, but I think if the installers leave them with an open hole when they walk out the door then they should be blamed as well.
How about a security agreement in the contract? IF the customer abides by these simple rules, then we promise a secure system up until commissioning (and possibly through the warranty). Just log the hell out of everything to C-Y-A for both parties.
All in all, I think that everyone needs to be conscious of security, but nobody cares until it's too late. This is where I think Tridium needs to make it as secure as possible without causing an inconvenience, which I think they are in the process of doing.
Old post, but I'm bumping it up for easy access for a friend.....
And here I thought you had new information...
Don't worry zombies are looking for brains, you're safe...
The researchers scoffed at Tridium’s view that its customers needed to be better informed about security. “The root cause of these issues is poor design and coding practices from Tridium itself. Maybe Tridium should invest in training their developers about security first”, they concluded.
Greetings Asd;ljk, I think you will find the answer to some of the things Tridium was missing in this update they call 3.7.