Cybersecurity and HVAC: Are You Vulnerable?

Press enter to search
Close search
Open Menu

Cybersecurity and HVAC: Are You Vulnerable?


By Dwayne Melancon, chief technology officer, Tripwire

Increasingly, commercial heating, ventilation and air-conditioning (HVAC) and other building management systems in retail stores are connected to the Internet. And as recent events have shown, such systems (often called “smart systems”) also raise big security implications.

One of the risks associated with smart systems is that they are often accessed and managed by a pool of people. Some of these folks may be working for a contractor or a third-party vendor hired to manage a particular infrastructure, such as the HVAC. Once a person logs in to access the controls, they tend to remain the same for quite some time. Also, because technicians need to be able to find information quickly, crucial data tends to be stored in many different places, making it accessible to even more people. Such a situation allows a wide network of individuals, including even associates of contractors, to gain access to the credentials to an HVAC system.

For many devices, this kind of access may not be a big deal. However, the security implications can be serious if any of these building management systems are on the same network as critical corporate assets. The situation is particularly worrisome if these systems are part of the corporate network. The reality is, without broader security scrutiny, even systems as mundane as HVAC can be used as a launch point to attack other systems in the network.

Based on the latest information available, this could be exactly what happened at Target. I can't think of a good business reason why an HVAC system would be able to connect directly to point-of-sale infrastructure — other than someone just not thinking about it as an attack path that could be used by malicious individuals.

Information security is often outside the core competencies of retailers, which makes it more difficult for them to be able to effectively evaluate risk holistically, especially risks associated with the interconnected systems that support today’s businesses. One of the notions I have been advocating is to take a "connect security to the business" approach in which people engage in a concerted effort to understand the relationships between IT infrastructure and critical business processes. As the number of cyber attacks increase, such an understanding will become a core requirement for businesses, and its importance will only increase in the future.

There's an old saying that goes "you can't pick up one end of the stick" – this sentiment is true for information security. Everything is connected, and once you touch one part of the infrastructure, you can't forget about what happens to the rest. The problem is that in implementing “smart devices,” such as HVAC controls, many retailers haven’t thought through the security risks of placing these devices on a production network with access to other sensitive data or systems.

Target’s experience illustrates the need for security professionals to take a step back and look at the overall ecosystem of devices and how they are connected. Attackers will find and exploit the weakest link in an interconnected network every time.

The link between automated building systems and security breaches will be explored at the SPECS workshop entitled “Tech Boot Camp: Operational Technology,” which will be held on Tuesday, March 11 at 1:40 p.m.