Cybersecurity

You have probably heard or read about the "Internet of Things", or "IoT" as it is called. The number of devices being connected to the Internet is staggering, with some projections of over 26 billion devices connected by the end of this year. Many of those devices are going to be HVAC products, either via a connected Building Management System or as a "stand-alone" device with remote monitoring and diagnostic capabilities.

AHRI recently sponsored a meeting to discuss the security implications of connected HVAC products. It is already acknowledged that one of the major "hacks" of the last few years (the Target stores breach) was carried out through the HVAC equipment. One of the messages of the AHRI meeting was that HVAC equipment is becoming a key target for hackers (either domestic or foreign) due to the lack of rigorous "cybersecurity" protection. In one study a building system was tested using four attack models, and 54 "threat vectors" were discovered.

The need to increase HVAC cybersecurity mechanisms is obvious in the Target case, but there are other scenarios that cause concern to the government and utilities. Many products are now being connected to the electric grid for purposes of load management or to implement real-time pricing strategies. The fear is that lax security at the HVAC equipment level could allow a hacker to penetrate and disable parts, or all, of the electric grid through the same ports used for communication with the grid. Hacking into a building system that is not isolated from the occupants' business network would obviously open the door to financial information, proprietary product information, and personnel information, the loss of which could be extremely damaging to a business. During the meeting it was noted that small businesses that have been hacked have a high probability of going through bankruptcy due to the cost of recovery.

But suppose the HVAC equipment is not connected to the Internet, but only to the building management system, or even operates as a stand-alone piece of equipment? Could such a system also be hacked? I would suggest that, although more difficult, it is entirely possible. Most modern HVAC equipment operates with a digital control system. That controller will have a port used for diagnostics or software updates. A "bad actor" with a laptop and a cable could gain total control of the unit and disrupt a business operation through temperature or ventilation control settings. Interestingly, in the AHRI meeting, it was noted that the three most common attack pathways were WiFi, Bluetooth, and finally an Ethernet cable, so a physical connection as mentioned above is not even necessary.

The financial, legal, and reputational impact on an HVAC manufacturer whose equipment is used as the pathway for a hack can be substantial. Unfortunately, there are no current cybersecurity standards for HVAC equipment as there are for medical devices, vehicles, military applications, or financial institutions. A key goal of the AHRI meeting was to identify which current standards might be adapted to the HVAC industry and what role AHRI would play in establishing an industry standard. There was also discussion of whether this should lead to an industry certification process, so that manufacturers could certify their equipment and processes to serve as an affirmative defense in a case where their equipment was the doorway into a hack.

In the meantime, before an industry standard is created, manufacturers are warned to establish their own cybersecurity policy, updated frequently, as a means to establish that they are following "best practices" with regard to cybersecurity. There are a number of cybersecurity policies from NIST, ASHRAE, UL and others that could be modified or adapted by an individual company to create such a policy. NIST SP 800-171 is one such document; it includes a comprehensive checklist of security steps that could be used as a model.

The bottom line is that, no matter how an HVAC manufacturer chooses to respond to this growing concern, some response is better than no response at all.
