Researchers find hundreds of insecure building control systems

Google's office is not the only one in Australia with vulnerable building control software

By IDG News Service

"It seems like the integrators aren't patching these devices," Rios said. "The problem is the patch is not getting applied to the device on the Internet, and that is the integrator's responsibility."

Graves said Tridium continues "to work with our system integrators and customers to address the problem through seminars, forums and on-line training about security best practices."

With Google's system, it also appeared the integrator reused login and password credentials for the Web-based control panel. "It very much highlights the poor security practices being used by integrators all over the world," Rios said.

Google's NiagaraAX system was connected via a digital subscriber line that the company may not have even been aware of, Rios said. Many ICSes installed by system integrators are not incorporated directly into a company's networks, which may allow them to escape regular security scans.

Hardware devices running NiagaraAX may also have two network ports: one connected to the DSL line administered by the systems integrator, and the other connected to the company's internal network, McCorkle said.

The meeting of those two connections is gold for a hacker.

"That is one of the classic ways these devices get connected to the corporate network," Rios said. Attackers find the ICS on the Internet, compromise it and then use it "as a lily pad to get on the corporate network," he said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk
