Security Portal

Overview

Welcome to the Inductive Automation Trust Portal

Thousands of companies worldwide depend on Ignition every day

Compliance

CCPA
GDPR

Product Security

Role-Based Access Control
Audit Logging
Data Security

Reports

PCI DSS
Pentest Report

Self-Assessments

Other Questionnaires
SIG Lite
VSA Core

Data Security

Access Monitoring
Backups Enabled
Data Erasure

App Security

Code Analysis
Software Development Lifecycle
Secure Development Training

Access Control

Data Access
Logging
Password Security

Infrastructure

Anti-DDoS
Amazon Web Services
Data Center

Endpoint Security

Disk Encryption
DNS Filtering
Endpoint Detection & Response

Network Security

Firewall
IDS/IPS
Security Information and Event Management

Corporate Security

Asset Management Practices
Email Protection
Employee Training

Policies

We are working to provide external versions of our policies. Please contact us if specific policies are needed.

Security Grades

Qualys SSL Labs grades by host:

inductiveautomation.com: A
account.inductiveautomation.com: A
forum.inductiveautomation.com: A+
docs.inductiveautomation.com: A+
inductiveuniversity.com: A
icc.inductiveautomation.com: A
api.inductiveautomation.com: A+
licenses.inductiveautomation.com: A+
support.inductiveautomation.com: A+

Trust Center Updates

Inductive Automation Trust Center Updates

General

Trust Center Updates are the primary public information conduit for Coordinated Vulnerability Disclosure (CVD) with Ignition. Please subscribe for email updates. Posts and associated emails summarize Ignition-related vulnerabilities, issues, impact, and recommendations. Technical Advisory links will often include additional information.

Inductive Automation takes pride in significant investment in stability, security, quality, and privacy throughout the entire Ignition secure Software Development Lifecycle (SDLC) and associated processes. This includes a commitment to prioritize resolution, proactively seek vulnerabilities, and be transparent with our outstanding community. We love hiring regular third-party penetration testing and participating in the S4x Pwn2Own competition each year!

Recommendations: Inductive Automation provides resources such as the Ignition Security Hardening Guide and the Ignition Server Sizing and Architecture Guide. The online user manual, Inductive University, and the forum also provide free resources. Paid training is also available.

Inductive Automation recommends partnering with one of the thousands of System Integrators who can help navigate the process of securing and assuring Ignition within the customer environment throughout the system lifecycle in accordance with business requirements.

Reporting and communication: Inductive Automation welcomes all feedback, especially on security-related matters. The best email address is: security@inductiveautomation.com, using the Inductive Automation public PGP key if encrypted communication is needed. Support, Account Representatives, and Sales Engineers are also available to help.

Published at N/A*

Session token appears to exist in Ignition login URL. False Positive

General

False positive. The best practice configuration recommendation is to enforce https (TLS 1.2+) with genuine certificates in accordance with the Ignition Security Hardening Guide, preferably enabling HSTS.

Background. Some cybersecurity scanning tools flag on a URL string like "idp/default/authn/login?token=xxxx", assuming that the token is a session identifier. It is not. The token is a cryptographic nonce with a short "time to live" value. Ignition uses the token to orchestrate the handoff between the internal Ignition Identity Provider's OpenID Connect authorization endpoint and the authentication workflow. This is separate from a possible nonce variable that might also appear in the same URL string.

The token is bound to the user's session, which is tracked by an HTTP cookie passed in the HTTP headers. The session cookie is protected when Ignition is properly configured to use https. Therefore, as long as a user's session is secure, the associated tokens are also secure even if they are leaked, since an attacker would have to know the session ID in order to use the token.
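The session-binding argument above, as an added illustration that is not Ignition's code and does not reproduce its token format: the token carries a nonce and an expiry, and its HMAC covers the session id without including it, so the same token string verifies only when presented together with the session cookie it was minted for (the session ids, clock values, key and 60-second TTL are all constructed for the example).

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed; a real gateway keeps its own secret
TOKEN_TTL_SECONDS = 60                 # assumed short "time to live"


def issue_handoff_token(session_id: str, now: float) -> str:
    """Mint a token whose MAC covers the session id, which is NOT in the token."""
    nonce = secrets.token_hex(16)
    expires = int(now) + TOKEN_TTL_SECONDS
    tag = hmac.new(SERVER_KEY, f"{nonce}.{expires}.{session_id}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{expires}.{tag}"


def verify_handoff_token(token: str, session_id: str, now: float) -> bool:
    """Accept only if unexpired and bound to the session cookie presented now."""
    try:
        nonce, expires_str, tag = token.split(".")
        expires = int(expires_str)
    except ValueError:
        return False
    if now >= expires:
        return False   # stale, even if the MAC would verify
    expected = hmac.new(SERVER_KEY, f"{nonce}.{expires}.{session_id}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def leaked_token_scenario() -> dict:
    """The advisory's argument with constructed session ids and a fixed clock."""
    owner = "sess-" + secrets.token_hex(8)      # the real user's session cookie
    bystander = "sess-" + secrets.token_hex(8)  # someone who only saw the URL
    t0 = 1_700_000_000.0
    token = issue_handoff_token(owner, now=t0)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")  # flip last hex digit
    return {
        "owner_in_time": verify_handoff_token(token, owner, now=t0 + 5),
        "other_session": verify_handoff_token(token, bystander, now=t0 + 5),
        "owner_expired": verify_handoff_token(token, owner, now=t0 + TOKEN_TTL_SECONDS + 1),
        "tampered_tag": verify_handoff_token(tampered, owner, now=t0 + 5),
    }
```

Only the first case verifies: a copy of the URL token is rejected with any other session cookie, after the TTL, or when modified.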

Published at N/A*

Ignition is not impacted by OpenSSL vulnerabilities

Incidents

Informational. Ignition is not affected by the OpenSSL vulnerabilities in CVE-2022-3786 and CVE-2022-3602. No action required.

After a comprehensive search for usage of the offending libraries, Inductive Automation has determined that Ignition has no reliance on, and found no evidence of OpenSSL 3.0.x.

Published at N/A

Ignition is back to ICS Pwn2Own S4x23 Miami 14-16 Feb. 2023

General

Announcement. Inductive Automation will be back to compete in the ICS/SCADA-themed Pwn2Own event at S4x in Miami for the “OPC UA Server” and “OPC UA Client” categories. Attack Scenarios are: Denial of Service (DOS), Remote Code Execution (RCE), Credential Theft, and Bypass Trusted Application Check. Other categories include “Data Gateway” and “Edge”.

Best of luck to all participants! Updates to follow as vulnerabilities are found and fixed!

ZDI Announcement

Published at N/A*

Regarding CVE-2022-42889 (Apache Commons Text)

Incidents

Informational. Recommend upgrading to Ignition 8.1.23+. Ignition 8 versions before 8.1.23 are bundled with a vulnerable version of the Apache Commons Text library. However, Inductive Automation assesses the vulnerability at “low risk” because Ignition does not invoke any of the vulnerable functions. In other words, a local cybersecurity scanning tool may note the existence of the binary, but associated exploits are unlikely to work.

Version 8.1.23+ updates the dependency to 1.10.0, which fixes the CVE.

Tech advisory link.

Published at N/A*

Ignition Embedded SVG problem from 7.9.x (fixed 8.1.23)

General

Informational. Low impact. Upgrade to 8.1.23+ to fix. Ignition 8 versions before 8.1.23 do not properly process SVG images stored in pre-release (Alpha and Beta) versions of 8.x (prior to April 10, 2019).

The tech advisory provides upgrade instructions.

Published at N/A*

Ignition Linux ARMv6 and ARMv7 compatibility (8.1.22 update)

General

Informational. Ignition version 8.1.22, released 11/1/2022, includes an updated version of its Internal Database (SQLite) that requires a newer version of GLIBC on Linux systems running on ARMv6 and ARMv7 hardware.

The minimum required GLIBC version on ARMv6 and ARMv7 hardware will increase from v2.4 to v2.28. Consequently, some older operating systems that ship with older versions of GLIBC will be unable to run newer versions of Ignition.

The minimum required GLIBC version on x86-64 hardware remains v2.3.

Known affected: Debian 9 and its derivatives, such as Raspbian 9. Debian 9 reached EOL status on June 30, 2022.

Tech advisory link.

Published at N/A*

Ignition CVE-2022-1704 (fixed 7.9.21 and 8.1.8)

Incidents

Update Ignition to 8.1.8 or greater. On July 26, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) published an Industrial Control Systems (ICS) Advisory ICSA-22-207-01 disclosing Ignition security vulnerability CVE-2022-1704 that was patched in version 8.1.8.

The vulnerability enables an attacker to compromise an Ignition Gateway if a privileged Ignition user restores a maliciously crafted backup file.

Tech advisory link

Published at N/A

Microsoft SQL Server Database compatibility. TLS v1.0 and v1.1 no longer supported by default. Recommend TLS 1.2+.

General

Configure Ignition Gateway MS SQL Server connections to use TLS 1.2 or 1.3. A Java 8 (8u291+) and corresponding Java 11 (11.0.11+) security update disables the use of TLS 1.0 and 1.1, which is a recommended cybersecurity best practice. The recommended fix is to update MS SQL Server database connections on Ignition gateways (not individual Vision or Perspective runtime clients) to TLS 1.2 or 1.3. This might require configuration changes on the database server(s). Seek support from IT departments as applicable.

The IA Tech advisory includes instructions, including links from Microsoft. Alternatively, it describes how to configure Java to connect using the less secure TLS 1.0 or 1.1 (not recommended).

Published at N/A*

Ignition 2022 Pwn2Own Vulnerabilities (fixed 7.9.20 and 8.1.17).

General

Update Ignition to 8.1.17 or greater. On April 19-21, 2022, Trend Micro’s Zero Day Initiative (ZDI) brought their Pwn2Own competition back to the ICS world for a second time at the S4x22 conference. Inductive Automation eagerly participated after a successful ICS Pwn2Own at S4x20.

The Pwn2Own competition resulted in 32 entries registered by 11 contestants. Of 6 entries targeting Ignition, 4 successfully demonstrated unique exploits, 1 was a duplicate, and 1 failed to be successfully demonstrated in the time allotted. All 6 entries targeting Ignition were responsibly disclosed to Inductive Automation. One additional finding was separately disclosed by researchers who were unable to compete.

Inductive Automation thanks the ZDI and all participating researchers.

See tech advisory for detailed information.

Published at N/A*

Active Directory SSO Disabled for 8.1.17 & 7.9.20. Feature no longer safe.

General

Informational. Ignition no longer supports Single Sign On (SSO) with native Active Directory user source profiles (LDAP based). There will not be a “fix” using this technology set. The implication is that a user must separately log on to Windows and Ignition environments (Designer, Gateway, and Clients). Inductive Automation recommends integration with Identity Providers using the modern OpenID Connect or SAML protocols. For Microsoft environments, this could be AzureAD or many other options.

Tech advisory link

Published at N/A

CISA National Cyber Awareness System (NCAS) Alert AA22-103A. Informational.

General

No known Ignition impact. On April 13, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) published National Cyber Awareness System (NCAS) Alert ICSA-22-102-03 (PDF report), which mentioned an Advanced Persistent Threat (APT) tool for OPC-UA. See the OPC Foundation response.

Tech advisory link

Published at N/A*

Ignition CVE-2022-1264 (patched 8.1.0)

Incidents

Update Ignition to 8.1.0 or greater. On April 12, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) published an Industrial Control Systems (ICS) Advisory ICSA-22-102-03 disclosing an Ignition security vulnerability that was patched in version 8.1.10.

The vulnerability enables an attack allowing placement of arbitrary files on the host OS of an Ignition Gateway if a privileged Ignition user restores a maliciously crafted backup file.

Tech advisory link

Published at N/A*

Ignition not affected by Log4j vulnerability (CVE-2021-44228).

Incidents

Informational. Inductive Automation completed a full audit of direct and transitive dependencies in Ignition to confirm that the log4j vulnerabilities do not apply to any supported or unsupported release of Ignition; as such, it is not vulnerable to the RCE outlined in CVE-2021-44228 or to the Chainsaw GUI vulnerabilities associated with CVE-2022-23307. This includes LTS versions 7.9 and 8.1, as well as all past and non-LTS versions.

Tech advisory link.

Published at N/A*

Ignition Critical Settings Issue (Port Reset in 8.1.8). Build removed.

General

Informational. Regression disclosure. Installing Ignition 8.1.8 resets network ports to default values (http=8080, https=8043, Gateway Network=8060). This build was promptly taken down and updated as 8.1.9. Quality assurance remedial actions were taken.

Tech advisory link.

Published at N/A*

Ignition Critical Settings Issue (UDT import overwrite in 8.1.6). Build removed.

General

Informational. Regression disclosure. Installing Ignition 8.1.6 introduces a problem when importing User Defined Type (UDT) tags. This build was promptly taken down and updated as 8.1.7. Quality assurance remedial actions were taken.

Tech advisory link.

Published at N/A*

If you think you may have discovered a vulnerability, please send us a note.