You may not think network security is a big issue with HVAC systems. After all, who would want to hack into an HVAC control system, and for what purpose? It turns out that hacking an HVAC password can be very lucrative. The infamous Target infiltration has been traced to a hack of an air conditioning contractor’s password. That’s right, the security breach involving millions of credit card purchases made at Target stores all over the country was due to hacking the password for the air conditioning controls. The building control system was connected into the same network as the cash registers. So when the thieves got past the HVACR security, they had free reign of the Target system. I feel that whoever decided it was a good idea to have the cash registers and the thermostats linked on the same network is really more to blame than the HVACR guy – but I am obviously biased.
This should be a wakeup call to any HVAC or building automation contractor doing networked controls. Insist on a separate network. Or at least, put the HVAC and building stuff behind a firewall. What you should absolutely NOT do is accept the responsibility of just tying in to the existing network. A manager or building owner might suggest that you could just tie in, not realizing how dangerous that is. I don’t know a great deal about network security, but I do know that the more people know a secret, the more likely it will become public. Similarly, the more access points and passwords you have into a network, the less secure it will be. If all that is at stake is the boiler reset schedule, then maybe that is OK. However, if the bank financial records are tied to the same network as the HVAC, the disaster potential is great. On a brighter note, there seems to be no evidence that the Target thieves messed with the thermostat setting.