Cyber Attacks are becoming so frequent they are giving rise to a new industry

Cyber Security in the HVAC Building Controls Industry

May 8, 2014
For commercial HVAC customers, security extends beyond access, fire, and safety issues. Cyber security has become one of the hottest topics in the industry.

In March, Contracting published a column titled, "Cyber Security and the HVACR Contracting Community," that addressed the growing vulnerability of commercial buildings to Internet-based attacks. The article focused on an attack on Target retail stores and their customers that apparently happened through an unwitting mechanical contracting firm whose wireless billing systems had also been compromised.

Though such attacks aren't new, they are happening with such increased frequency that there is major cause for alarm. According to the FireEye website, enterprises and government agencies are under virtually constant attack today. Significant breaches at RSA, Global Payments, ADP, Symantec, International Monetary Fund, and a number of other organizations have made headlines — and undoubtedly thousands more have occurred that we haven’t even heard about. Flame, Stuxnet, and a number of other cyber attacks have been uncovered that set an entirely new standard for complexity and sophistication.

Fundamentally, these developments make clear that the cybercriminals, nation-states, and hacker activists waging these attacks are growing increasingly sophisticated and more effective in their efforts to steal and sabotage. Leveraging dynamic malware, targeted spear phishing emails, elaborate Web attacks, and a host of other tactics, these criminals know how to bypass traditional security mechanisms like firewalls and next-generation firewalls, IPS, anti-virus (AV), and gateways...

This type of activity has given rise to a new industry dedicated to helping companies protect their data for a fee (FireEye is one such company).

But wait, there's more.

Even controls manufacturers are jumping into the fray, since the attacks usually occur through the building control products and systems they build and that commercial HVAC contractors install in buildings across the country.

Technology Summit

In April, during the 2014 Niagara Summit, a bi-annual user-group meeting produced by Tridium, an independent business unit of Honeywell, cybersecurity was the topic of a panel discussion. The summit is attended by developers, programmers, building owners, and engineers who work with the Tridium building automation platform. Panelists represented many companies in the security industry.

The cyber security panel was moderated by PBS NewsHour Senior Correspondent Jeffrey Brown and consisted of security experts from varied industries - including from Honeywell Automation and Control.

During Brown's intro, he said, "Unfortunately, our buildings and building networks are highly vulnerable — and the bad guys are getting better."

Brown cited these important takeaways from the panel discussion:

  • Get the cyber security conversation started
  • Make security part of the organizational and building DNA
  • Seriously budget for security
  • Send people to training, and then evaluate your first experience
  • Rotate your system around and view it as an “evil bit,” and prepare your worst case scenario answers now — so, if an attack does happen, you control the message and certainly know who is responsible to respond
  • Regulations tend to create a culture of minimum compliance
  • Effective cyber security requires good security citizenship — awareness and concern from everyone in the chain at every level.

Good to know. HVAC contractors who do commercial building automation work should take heed.

The Good News

A recent study shows that smart HVAC controls are really the future of the HVAC industry. The study, published in March 2014 on the Research and Markets website, says that the smart HVAC controls market is expected to grow at a compound annual growth rate of 8.22% in the next six years (2014-2020). Much of this is due to regulations calling for the industry to up the ante with regard to energy efficiency. Smart HVAC controls accomplish efficiencies either by having sensors that can communicate to the thermostat or with the ability to access a home HVAC system over the cloud using a smartphone application or a web browser.

Because the number of internet users has increased so drastically in the last decade (and almost doubled in the last eight years), products like wireless thermostats, remote access controls, and individual zoning are getting narrowed down to concepts like the smart vent and the learning thermostat. These products not only make the smart HVAC controls segment attractive in terms of ease and usability but also give users customized and personalized comfort.

The Bad News

This is great news from a business opportunity standpoint. It's also great news to those who like to use such devices to gain access to data, to steal it, to use access to damage or destroy businesses, and so on.

The most recent cybercrime statistics I found date from 2005. Today these numbers most likely have increased exponentially. Still, in 2005, among more than 7,800 businesses, 67% detected at least one cybercrime against them, and of those companies so victimized, 86% detected more than one attack, according to the Bureau of Justice Statistics. They also found that nearly 68% of the victims of cyber theft sustained monetary losses of $10,000 or more. By comparison, 34% of the businesses detecting cyber attacks and 31% of businesses detecting other computer security incidents lost more than $10,000.

The BJS also found that system downtime from cyber attacks or computer security incidents lasted between 1 and 24 hours for half of the businesses and more than 24 hours for a third of the businesses.

OK, so why all this focus on bad news? Because it's important for HVAC contractors doing building controls work to make sure that THEIR internal systems are protected from cyber attacks. You don't want to become an unwitting accomplice to criminals who compromise your systems and then ride piggy-back to your customers, where they can do more damage.

It’s incumbent upon everyone in the HVACR industry to make sure that their own Internet networks and systems are as secure as possible, so we can prevent a Target-like attack in the future.