Cybersecurity Insight

Is Your HVAC System Vulnerable to a Cyber Attack?

18 Feb

A company’s HVAC (Heating, Ventilation, and Air Conditioning) system is yet another potential entry point for hackers looking to steal precious information. You’re probably thinking, “This article is some kind of joke, right? My HVAC system can’t be hacked.” Unfortunately, this isn’t a joke – a company’s HVAC system can be a portal for cyber criminals to wage war on the network and its accompanying devices.

HVAC systems are automated in many professional and retail settings in order to create a comfortable environment and monitor energy efficiency. Normally, there are two ways a company can monitor energy usage simultaneously in multiple locations. One of those ways is through proprietary automated software, and another is to hire the help of a third party – who also uses some sort of software. Where things get fuzzy for many people is how to connect the dots between the HVAC system and, for example, the credit card numbers of customers.

A key example is the Target cyber attack, which was national news for months on end. Ultimately, it was determined that a third party HVAC system company was the entry point for the hackers. Specifically, the third party company was given entry to Target’s network, which they accessed externally. According to reports, the network the HVAC company was working within also happened to house the payment systems network. Hackers were able to use the HVAC company’s external access as their entry point to attack Target’s payment systems network. They then installed the malware that stole customer card data.

Adding to the sophistication of this plan is how the hackers utilized other compromised computer systems or “drop” locations. The attackers took the data from Target’s network and “dropped” it into these other compromised networks, which were scattered across the United States and South America. This allowed them to access the data from these networks while avoiding detection.

As was the case in the Target attack, automated HVAC systems are often connected to a computer network. Problems arise when system integration occurs and the third party companies installing these HVAC automation systems – like the one used by Target during the breach process – don’t have the IT security knowledge to ensure that everything is properly protected. Both instances leave gaping holes that hackers can easily find and exploit.

Ultimately, Target was trying to help its business by monitoring energy efficiency while providing a better experience for its customers and employees. What they failed to do was separate these systems from other critical ones such as their payment network. And while we really don’t know where the future of network computing is headed, what we do know is security should be at the top of the list of concerns for everyone involved. If it’s not, we’ll have a lot more to worry about.
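A segmentation check for the failure described above, as an added example that is not from the original article: it walks a set of firewall allow rules and reports whether a vendor access zone can reach the payment zone in any number of hops, and whether the payment zone has an outbound path to the internet. The zone names and both rule sets are constructed for illustration and are not Target's actual topology.

```python
from collections import deque

# Constructed allow rules: (source zone, destination zone). Hypothetical names.
FLAT_RULES = [
    ("vendor_remote", "corp_lan"),   # external HVAC vendor logs in here
    ("corp_lan", "hvac_mgmt"),
    ("corp_lan", "payment"),         # same network also houses payment systems
    ("payment", "internet"),         # unrestricted outbound from payment zone
]
SEGMENTED_RULES = [
    ("vendor_remote", "vendor_jump"),  # vendor lands on a dedicated jump zone
    ("vendor_jump", "hvac_mgmt"),      # and can only reach HVAC management
    ("corp_lan", "hvac_mgmt"),
    ("pos_admin", "payment"),
    ("payment", "card_processor"),     # outbound limited to the processor
]

def find_path(rules, src, dst):
    """Breadth-first search over allow rules; shortest zone path or None."""
    graph = {}
    for a, b in rules:
        graph.setdefault(a, []).append(b)
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def audit(rules, untrusted, protected, egress="internet"):
    """List multi-hop paths into the protected zone and any path out of it."""
    findings = []
    for zone in untrusted:
        path = find_path(rules, zone, protected)
        if path:
            findings.append(("reachable", path))
    out = find_path(rules, protected, egress)
    if out:
        findings.append(("egress", out))
    return findings

if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name, audit(rules, ["vendor_remote"], "payment"))
```

The flat rule set yields both a vendor-to-payment path and an egress path; the segmented one yields no findings because no single rule or chain of rules links the vendor zone to the payment zone.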

How can an organization protect itself when dealing with third party vendor security deficiencies? Look toward experienced cyber security monitoring and management firms, like Neovera, who can pinpoint vulnerabilities in and around your network. Third party vendors are bound to traipse in and out of your business, and while you may not have any control over their cyber security “best practices”, Neovera can assist you in implementing best practices for cyber security so that your vital data is protected and secure.