Mitigating Meltdown and Spectre Vulnerabilities
Dear valued partner,
On January 3, 2018, a group of researchers from Google Project Zero, Cyberus Technology and several universities revealed two major flaws in computer chips that could leave a huge number of computers and smartphones vulnerable to security concerns. Called “Meltdown” and “Spectre,” the flaws exist in processor families and could allow an attacker to read sensitive data stored in the memory, like passwords, or look at what tabs someone has open on their computer. Researchers indicate almost every computing system – desktops, laptops, smartphones, and cloud servers – is affected by these flaws.
Tridium takes the security of our customers and products seriously. Upon learning about this CPU issue, we began a company-wide product review to determine which of our devices are affected, and what corrective actions are necessary. Our findings to date are summarized below.
IMPACTED TRIDIUM PRODUCTS:
Niagara Supervisor running on Windows or Linux
If you have a Niagara Supervisor that runs on Windows or Linux, your machine may be affected.
Recommended Customer Actions:
* Update your operating systems with the latest patches, making sure that your organization has a patch management plan that is always executed.
* For Windows, please follow the instructions from Microsoft for patching your systems. You may access this information via this link.
* For Linux, please follow the instructions for Red Hat for patching your systems. You may access this information via this link.
* Ensure anti-virus software is up-to-date.
* Ensure that your Supervisor machine, which is a mission-critical system, is not being used for email access or general web browsing. The Spectre/Meltdown threats require malware be executed on a target machine. Malware attacks typically come from malicious web links, malware-based email attachments and infected USB disks.
* Control physical access to your mission critical systems to prevent attackers from using infected USB disks to infect your machines. Physical security is critical, and your systems must be protected.
We are continuing to work with our vendors in our investigation, but at this point, we know the following:
* The JACE 2/3/6/7 families use a much older PPC architecture, and the processor vendor has determined that they are not susceptible to Spectre and Meltdown.
The JACE-8000 is not affected by Meltdown.
The JACE-8000 uses an ARM chip that is reportedly vulnerable to a Spectre The vendor of the operating system of the JACE is doing further investigation into what patches could possibly apply. Tridium will be working closely with them to determine what OS changes, if any, should be made to mitigate any threat. In the meantime, Tridium has employed significant security measures that mitigate the threat of malware executing on a device.
A Spectre attack requires malware execution. The security controls that are employed by the JACE-8000 include (but are not limited to) the following:
* Niagara’s JACE-8000 employs a “secure boot” process, providing integrity validation of the image at boot time, providing non-repudiated assurance that the root image wasn’t tampered with.
* Niagara 4 employs integrity validation of the core framework at run-time, validating the digital signatures of all Niagara run-time components, ensuring that core Tridium Software has not been tampered with.
* Niagara 4’s Security Manager provides malware prevention by “sandboxing” third party modules, restricting installed software to a limited set of permissions, and terminating execution of any installed software that attempts unauthorized privileges.
* Niagara limits administrative controls and access to sensitive areas of Niagara to authenticated administrators with platform access.
It is important to understand that the security of your Niagara system also revolves around how your system is configured on your network. Please refer to the following documents to ensure that your systems are up-to-date with best practices:
* Niagara AX Hardening Guide (Step-by-Step Guidance for securing your AX systems)
* Niagara 4 Hardening Guide (Step-by-Step Guidance for securing your Niagara 4+ systems)
* TridiumTalk on Cybersecurity – “Defending Your Business Against Cyber Threats” (One hour webinar on Cybersecurity best practices in your organization)
* Q&A from TridiumTalk on Cybersecurity
* Tridium Cybersecurity White Paper
If you have any questions, please contact your Tridium account manager or contact Customer Support via firstname.lastname@example.org.