You may not think network security is a big issue with HVAC systems. After all, who would want to hack into an HVAC control system, and
for what purpose? It turns out that hacking an HVAC password can be very
lucrative. The infamous Target infiltration has been traced to a hack of an air
conditioning contractor’s password. That’s right, the security breach involving
millions of credit card purchases made at Target stores all over the country was
due to hacking the password for the air conditioning controls. The building
control system was connected into the same network as the cash registers. So
when the thieves got past the HVACR security, they had free rein of the Target
system. I feel that whoever decided it was a good idea to have the cash
registers and the thermostats linked on the same network is really more to
blame than the HVACR guy – but I am obviously biased.
This should be a wake-up
call to any HVAC or building automation contractor doing networked controls.
Insist on a separate network. Or at least, put the HVAC and building stuff
behind a firewall. What you should absolutely NOT do is accept the
responsibility of just tying in to the existing network. A manager or building
owner might suggest that you could just tie in, not realizing how dangerous
that is. I don’t know a great deal about network security, but I do know that
the more people know a secret, the more likely it will become public.
Similarly, the more access points and passwords you have into a network, the
less secure it will be. If all that is at stake is the boiler reset schedule,
then maybe that is OK. However, if the bank financial records are tied to the
same network as the HVAC, the disaster potential is great. On a brighter note,
there seems to be no evidence that the Target thieves messed with the
thermostat setting.
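
One way to check that the separation recommended above actually holds, as an added example that is not part of the original post: the script audits flow records for traffic that crosses between a building-controls subnet and a payment subnet without being explicitly permitted. The subnets, the allowlist and the flow records are all constructed for illustration.

```python
import ipaddress

# Assumed zone layout (constructed for this example, not taken from the post).
ZONES = {
    "hvac": ipaddress.ip_network("10.20.0.0/24"),     # building controls
    "payment": ipaddress.ip_network("10.30.0.0/24"),  # cash registers
    "corp": ipaddress.ip_network("10.10.0.0/16"),     # office network
}

# The only cross-zone flows the firewall policy is meant to permit:
# (source zone, destination zone, destination port).
ALLOWED = {("corp", "hvac", 443)}  # facilities staff reaching the HVAC front end

def zone_of(addr):
    """Return the zone name for an address, or 'unknown' if it is in no zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"

def audit(flows):
    """Return every flow that crosses zones without an allowlist entry."""
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone and src_zone != "unknown":
            continue  # traffic inside one zone is not a segmentation problem
        if (src_zone, dst_zone, port) not in ALLOWED:
            violations.append((src, dst, port, f"{src_zone}->{dst_zone}"))
    return violations

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.20.0.2", 47808),  # controller to controller, same zone
    ("10.10.4.7", "10.20.0.2", 443),     # permitted by the allowlist
    ("10.20.0.15", "10.30.0.21", 445),   # HVAC host reaching a register
    ("203.0.113.9", "10.20.0.2", 443),   # outside address reaching HVAC
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print("VIOLATION", violation)
```

Any `hvac->payment` line in the output means the thermostats and the cash registers can still talk to each other, whatever the network diagram says.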