Cyber Security and the HVACR Contracting Community

March 10, 2014
The Target hack is just one example of cyber thieves riding on HVACR contractor credentials to steal consumer data. Contractors take heed: remote monitoring could put you and your customers at risk.

Back in November of 2013 the consumer retail world was rocked by news that the Target department stores had been violated by Internet hackers who gained access to the national chain’s customer credit card database. As it turns out, 40 million people were at risk.

FORTY MILLION! That not only got the attention of local authorities, but the U.S. Secret Service is running the investigation.

The hack affected customers who shopped at U.S. Target stores between November 27 and December 15, 2013, Target reported at the time.

Customer names, credit or debit card numbers, expiration dates and CVVs (card verification value or security code) were stolen and could be used to make card replicas. The good news, if there is any, is that PIN codes, social security numbers, and other data were not compromised.

Mike Weil, Editorial Director

OK, so why is this pertinent to the HVAC industry? Because it’s our fault.

Can you believe this? In early February, 2014, spokespeople at Target told reporters of the Wall Street Journal that they’d discovered the hackers’ initial intrusion into its systems came from some “network credentials” that were stolen from a third-party vendor. Guess what: that third party turned out to be an HVACR contracting firm whose personnel worked at a number of Target stores (and other retailers as well).

Apparently the contractor was hacked first, and then his credentials were used to hack Target. In the breaking article, the Wall Street Journal quoted a security blogger named Brian Krebs as saying “the hackers took the login information from Fazio Mechanical Services, a Pennsylvania firm.”

You gotta be kidding me, right? Wrong. Krebs’ February 5th blog post says Fazio had access to the Target server infrastructure to monitor energy use and temperatures to help Target save on energy costs and to alert store managers if store temperatures fluctuate.

This is a standard practice, especially in the commercial marketplace. In addition to monitoring the refrigeration systems, contractors also can remote into the system to do maintenance or to troubleshoot issues and repair them. We call this good service.

But now such service is under scrutiny because, in the case of Fazio Mechanical, they were hacked and then used as the bridge to get into the Target servers.

For the record, the management team at Fazio issued a statement stating that the only access they had into the Target servers was a data connection for electronic billing, contract submission, and project management. They were not doing any system monitoring or controlling of Target’s HVACR systems. Their entire statement can be found here:

In that statement, Fazio president and owner Ross Fazio says, “Like Target, we are a victim of a sophisticated cyber attack. We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive remedies to enhance the security of client/vendor connections and make them less vulnerable to future breaches.”

Here’s the issue as I see it:

In the 21st Century, more HVACR contractors than ever are using Internet access to manage client accounts — not only in the commercial sector, but the industrial and residential sectors as well. Simultaneously, there are organizations around the world using the Internet as a hunting ground for malicious attacks or for government-sanctioned espionage. Not only is the U.S. mercantile and industrial infrastructure at risk, but so is the power grid, individual nuclear power plants, and much more.

This is scary stuff and it does the HVACR industry no good to be unwitting accomplices to outside criminals. It’s incumbent upon everyone in the HVACR industry to make sure that their own Internet networks and systems are as secure as possible, so we can prevent a Target-like attack in the future. Do you agree? Please share your thoughts with me at [email protected].