Supply and Demand: The push to understand building energy use | EXPLORE→
Dallas - Internet of things

The Cyber Security Threats Lurking In Your HVAC System

Across the globe property managers and landlords are worrying about the threat of COVID-19 flowing through the air ducts. Your HVAC system may also be exposing you to a different kind of threat: cyber-security. The infamous hack of Target targeted the company’s third party HVAC systems. In a flash, 110 million credit and debit card numbers were stolen. New third party connections from IoT devices flooding the PropTech sector pose a similar risk. 

Easy Target

“I like to use the Target hack in two ways: to teach students about the complexity of modern systems and how difficult it is to get cyber security right,” Arizona State Assistant Professor of Computing and Informatics Adam Doupe said. “We have this odd case where they first got onto the network through a third party HVAC supplier.” 

It wasn’t a sophisticated hack. Target’s HVAC vendor, Fazio Mechanical, had external network access that wasn’t firewalled off by anti-malware measures from its larger network. A simple phishing scheme against Fazio hooked at least one employee, allowing a trojan horse onto the Fazio network. All the hackers had to do was wait for the right employee to give away Fazio’s login credentials to the Target network. Experts aren’t sure what the hackers did to access Target’s point of sale (POS) system once they were in the system, and Target has not released its invegations publicly, but we do know how they got in. When combined with a suspect security team that ignored warnings, you have a recipe for disaster, costing Target a reported $148M

Target’s hackers exploited third party vendor network access. The same type of access being granted to practically every IoT device filling up smart buildings. “All these new IoT devices enable new types of physical attack that haven’t existed before,” Doupe said. “Without the proper security it’s like breaking into the house and finding the keys to everything else,” he continued. 

IoT, Internet of Threats

That’s why commercial real estate owners and property managers say the biggest cybersecurity threat is exposure from third party vendors, according to a recent survey by Deloitte. Over 40 percent of respondents said vendors and third party service providers posed the biggest threat, more than double any other potential risk. It’s a fair assessment, considering what happened to Target. 

New IoT devices coming to market have more cyber security measures baked-in, allowing different third party systems to communicate, but not hack the network. Third party vendor authentication has come a long way since the Target hack in 2013, but the pace of device development and deployment is hard to keep up with in the arms race that is cybersecurity. 

In the first half of 2019, Kaspersky, a global leader in cyber security, detected 105 million attacks from 276,000 unique IP addresses aimed at IoT honeypots. More worrying, 46 percent of organizations have discovered ‘shadow’ IoT devices on their network during the past year, according to Infoblox

By 2026, IoT connections will exceed 23 billion across all major IoT markets, according to global tech market advisory firm, ABI Research. That’s 23 billion door knobs for thieves to jiggle to see if it’s unlocked. The European Telecommunications Standards Institute, a recognized European Standards Organization by the EU, recently unveiled new cyber security standards around the Internet of Things, specifically targeting third party vendors. The UK is cracking down even more. Microsoft recently paid a reported $165 million for CyberX, a developer of a platform to protect industrial third party vendor control systems. 

“You want the HVAC company and other IoT vendors to have remote access, it makes sense for maintenance, security updates, and usability,” Doupe said. “The problem is when they get access to everything, when your network isn’t segmented. The Target network was not segmented, it was a huge surface of attack. A very serious breach.” 

There’s no question that devices like occupancy sensors, air quality monitors, temperature controls, smart locks, and others offer value to office workers and owners. Smart buildings are the future, but as they get smarter, they become harder to protect. All it takes is one vulnerability, one device. 

“I like to use a castle analogy,” Doupe said. “The attacker only needs one way in. You can have the highest walls, the deepest moat, the heaviest drawbridge, the most well trained guards. They’ll get in through the sewer system, because you didn’t think about that.”

Adding third party vendor connections to your network is like adding a sewer system to your castle. The speed of IoT adoption and other forms of technology in offices means that in any given smart building, there are hundreds, sometimes thousands, of systems and subsystems operating. That’s thousands of sewers to secure from attackers. 

Complicating matters further is the fact that the internet of things is still in its infant stages with  businesses going under practically every day. The IoT startup graveyard is littered with smart speakers, could-enabled cleaning robots, intelligent lighting, and all manner of failed products. Each time one of the companies goes belly up, the cybersecurity threat to its users drastically increases. In the roller coaster world of IoT startups in the PropTech industry, a device’s security is only as good as its last update. When the company that makes a device goes out of business or abandons a product, who is left to update the security systems? From a security perspective, the best case scenario is the device stops functioning altogether. Now you have a piece of junk. Worse is when the device continues to work. Without updates to address evolving security threats, it’s only a matter of time before the device is exploited.

Practical Protection

“You need to be having conversations with manufacturers about updates. Ask how long they guarantee security updates. If you don’t like the answer, walk away,” Doupe said. Commercial real estate owners must take cyber security seriously. Start by hiring or contracting specialists that know how to protect your network from external access. Limiting vendor access could’ve prevented hackers from attacking Target’s payment system. Firewalls can only do so much, especially considering how much work is being done remotely in the time of COVID. Conditional access can help identify suspicious behavior. Limiting privileged accounts and enforcing access policies that prevent traffic to certain areas are also sound practices. 

The threat is real. It could be coming from any direction with new directions being added daily. What happened to Target serves as a stark reminder of the stakes. If it happened to one of the nation’s largest retailers, it can happen to your business. Since the Target hack, other majors businesses like eBay, Chipotle, and EquiFax have had their own data breaches, resulting in several executive-level firings. 

“Target made it personal,” Four Seasons Vice President for IT Security said at RSA Conference panel discussion on cyber security. “When you have senior executives being replaced, that makes it real for the boardroom.”

Image - Design