Problem

Concern about published Niagara vulnerabilities and risk of remote compromise of JACEs or Supervisors exposed to untrusted networks.

Root Cause

Instances reachable from broader networks without being configured per Tridium's hardening guidance (default accounts, open services, weak TLS).

Solution

1. Restrict Network Exposure

• Place JACEs/Supervisors behind firewalls or VPN
• Do not expose them directly to the internet

2. Apply Vendor Patches

• Apply vendor-recommended patches
• Upgrade to a currently supported Niagara 4 version whenever security bulletins are released

3. Implement Hardening Guide

• Unique per-user accounts (no shared "admin" accounts)
• Strong passwords (12+ characters, complexity requirements)
• Limited permissions (least-privilege principle)
• Disabled unused services and ports
• Proper TLS/certificates (no self-signed in production)

4. Monitor and Log

• Monitor logs for suspicious login attempts
• Watch for unexpected station restarts
• Integrate with site SIEM where possible

Hardening Checklist Summary

• All default accounts renamed or disabled
• Unique passwords for each user
• HTTPS only (HTTP disabled)
• TLS 1.2+ enforced
• Unused services disabled (Telnet, FTP, etc.)
• Firewall restricts access to management subnet
• Regular patching schedule established
• Login attempt monitoring enabled