My Advice for HVAC Companies

If you are in the HVAC service business, you are going to come under increasingly high levels of scrutiny.  I predict that for the rest of 2016 and the foreseeable future, you could be one of the primary targets for hackers around the globe.  The reason is not that they have any particular interest in you; rather, they have a huge interest in your clients.

Large companies are increasingly outsourcing management of HVAC and other building systems to outside contractors and service providers.  As these companies assume the responsibility to keep costs in check as well as all systems online and functional, service providers are getting access to the systems through something called a VPN tunnel, and in some cases direct access over the internet.  In order to make these connections possible, networks have to be opened up through the firewall to provide access.

Almost all companies of any size will have a firewall in place to protect the business from outside attackers.  Think of a firewall as a security guard that decides what to allow in and whom to allow in.  For someone to get access to any device on the network, the firewall administrator must open a hole into the network.  (Holes are not necessarily bad; there are many valid reasons to open holes in a firewall.)  Once the administrator opens this hole for the HVAC system through the firewall and connects the HVAC system to the network, bingo, the HVAC system is accessible from the outside world.  The administrator can take certain steps to lock down this access if they choose; however, in our experience this is rare.  Most systems are just open.  The HVAC provider logs into their system and can now maintain it from the comfort of their own offices.

All of that is pretty straightforward and to the point.  But here is where the problems can start.  In many organizations, and Target stores was guilty of this, the network the HVAC system was connected to had access to the rest of the network.  So if the HVAC service provider was ever attacked, guess what the attackers would have access to?  You guessed it: the company the HVAC service provider is working with.  So instead of an attacker targeting a company directly, some simple social engineering would tell the attacker which outside building service providers the company works with.  Armed with this information, the attacker targets the less protected HVAC provider and gains access to the target company, and maybe to others they didn’t expect.

Let me word this another way.  The HVAC company is providing the attacker a conduit into the target company.  No one would consider disclosing the name of a maintenance company to be security related.  That isn’t something anyone would normally blink an eye at, unless you’re me and have seen it all!

Now, if you are in the HVAC service business, ask yourself how much you have spent on securing your network.  If this attack occurs, you could be held liable for any damages.  When you established business with your client, you most likely assumed liability for any damage you caused while working at that site.  So this activity would qualify as damage caused by you because of an improperly secured network.

Don’t get me wrong, I am not advocating for this transfer of liability.  I am just writing what we are seeing in the marketplace.  There is a trend in transferring the risk from insurance companies and banks to the company where the breach originated from.

In the case of Target, the firewall administrators could have prevented this attack from working; however, they were careless and neither restricted the access nor segmented it so that the HVAC systems did not have access to the rest of the network.  But that didn’t help the much-maligned HVAC service provider.

The good news is that this type of attack is easy to thwart, and without a lot of money.  You can limit your exposure easily, so even if your client has not taken the proper security steps, you can make sure you will not be the one responsible for the attack.

It all comes down to proper policies and procedures.  So lean on whoever is providing you with IT support, whether internal or external, and ask them how you are protected and whether your liability is limited.  Don’t give the lawyers any ground to stand on.  Once they make the changes, make sure to have someone test those settings.  Take time to prepare yourself now.
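As an added illustration (my own example, not something from the original post or from any vendor), here is a small Python model of the two firewall configurations described above: the "just open" hole that lets the contractor's VPN range reach the whole site, beside a segmented hole that reaches only the building controllers, plus the kind of check the last paragraph asks someone to run.  All subnets, hosts and the rule format are constructed placeholders; the only real value is the BACnet/IP port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the illustration, not any real site.
HVAC_VPN = "10.200.0.0/24"  # addresses the contractor's VPN tunnel hands out
BMS_NET = "10.10.50.0/24"   # building-management controllers
CORP_NET = "10.10.0.0/16"   # the rest of the site (finance, point of sale, file servers)
BACNET_PORT = 47808         # BACnet/IP, UDP 0xBAC0


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]  # None means any destination port
    action: str          # "allow" or "deny"


def evaluate(rules, src_ip, dst_ip, dst_port):
    """First matching rule wins; no match means deny, as most firewalls default."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == dst_port)):
            return r.action
    return "deny"


# The "just open" hole: the VPN range may reach anything on the inside.
OPEN_POLICY = [Rule(HVAC_VPN, "0.0.0.0/0", None, "allow")]

# The segmented hole: only the controllers, only the BACnet port,
# then an explicit deny for everything else on site.
SEGMENTED_POLICY = [
    Rule(HVAC_VPN, BMS_NET, BACNET_PORT, "allow"),
    Rule(HVAC_VPN, CORP_NET, None, "deny"),
]


def contractor_reach(rules):
    """(controller over BACnet, corporate file server over SMB) from one VPN address."""
    return (evaluate(rules, "10.200.0.7", "10.10.50.20", BACNET_PORT),
            evaluate(rules, "10.200.0.7", "10.10.3.15", 445))


def audit(rules):
    """The test the last paragraph asks for: flag allow rules that are too broad."""
    findings = []
    for r in rules:
        if r.action == "allow" and ipaddress.ip_network(r.dst).prefixlen == 0:
            findings.append(f"{r.src} may reach any destination")
        if r.action == "allow" and r.port is None:
            findings.append(f"{r.src} -> {r.dst} allows every port")
    return findings
```

Under the open policy the contractor's address reaches both the controller and the file server; under the segmented policy it reaches the controller only, and the audit comes back empty.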