The promise of interoperability long touted by manufacturers of HVAC control systems became a reality through the use of Internet protocols, but incorrect assumptions have led to serious consequences for systems and building networks.
HVAC control networks relying on Internet Protocol (IP) connectivity for interoperability were once viewed as too unique to be vulnerable. The thinking was that if an HVAC network were breached, the hacker would not be able to make sense of the information on it. Thus a philosophy of "security through obscurity" prevailed in the controls industry. The result was HVAC control networks with weak, default, or nonexistent login-credential requirements and limited deployment of firewalls.
For many years, IT networks were the primary target of hackers, so the focus has been on securing them. As IT networks get harder to hack and more HVAC control systems are exposed to the internet, hackers are starting to look at HVAC control networks as an easy entry point into a network.
Why would someone want to hack an HVAC control system? In some cases, hackers are just kids who may not understand what they have access to and inadvertently cause damage. In other cases, hackers want to damage equipment or make a statement by embarrassing a company. Sometimes hackers are looking for devices to add to their botnet. Your devices could be used in distributed denial-of-service (DDoS) attacks against another company or a government website. But a more likely scenario is that hackers are looking for a backdoor through which to access a corporate LAN.
Today, most HVAC control systems for all types of buildings and industries have a public IP address that can be accessed by anyone anywhere in the world. A significant number of these Internet-facing HVAC control systems are largely unpatched and easily accessible because of faulty password protection. Many of them still have the factory user name and password.
Older HVAC control systems are especially vulnerable to hackers because they were not designed to support security measures such as encryption. Also, HVAC controls manufacturers seldom release patches for older versions of their software, leaving old versions of their HVAC control systems vulnerable to attack.
The simplest way to secure your HVAC control system is with passwords. Often, contractors share a single user name and password company-wide, so any technician can get into any system for any customer. In such cases, the password should be changed periodically. Unused user names and passwords should be removed from the system, especially after an employee leaves the company. Lastly, policy must dictate the creation of complex passwords and be strictly enforced: passwords should be at least eight characters long and include at least one uppercase letter and one number.
Avoid using HTTP on web-facing HVAC control systems. When a user logs into a system over HTTP, the user name and password are sent across the internet as unencrypted text; snoopers on your network or at your ISP can see them.
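The account-hygiene rules above (factory defaults, departed employees, unused and shared logins, the eight-character/uppercase/digit minimum) and the HTTP check can be turned into a routine audit. The following is an added example written for this article, not code from any controls vendor; the account list, the factory-default pairs, the 90-day "unused" threshold and the audit date are all constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed placeholder pairs, not a vendor list: a match means the factory login was never changed.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("user", "user")}
STALE_DAYS = 90                 # assumed threshold for "unused account"
AUDIT_DATE = date(2024, 5, 3)   # constructed date the audit is run

@dataclass
class Account:
    username: str
    password: str          # plaintext only because this is a constructed sample
    last_login: date
    employee_active: bool  # False once the technician has left the company

def password_meets_policy(pw: str) -> bool:
    """The article's minimum: eight characters, one uppercase letter, one digit."""
    return len(pw) >= 8 and bool(re.search(r"[A-Z]", pw)) and bool(re.search(r"\d", pw))

def audit_accounts(accounts: list, today: date) -> dict:
    """Return a list of findings per username; an empty list means the account passed."""
    shared = Counter(a.password for a in accounts)  # the same password on several logins
    findings = {}
    for a in accounts:
        issues = []
        if (a.username, a.password) in FACTORY_DEFAULTS:
            issues.append("factory default credentials")
        if not a.employee_active:
            issues.append("departed employee account still enabled")
        if (today - a.last_login).days > STALE_DAYS:
            issues.append("unused account")
        if shared[a.password] > 1:
            issues.append("credential shared across accounts")
        if not password_meets_policy(a.password):
            issues.append("password fails complexity policy")
        findings[a.username] = issues
    return findings

def uses_tls(web_ui_url: str) -> bool:
    """True only if the controller's web front end is reached over HTTPS rather than plain HTTP."""
    return urlparse(web_ui_url).scheme.lower() == "https"

SAMPLE_ACCOUNTS = [  # constructed sample data
    Account("admin", "admin", date(2024, 5, 1), True),
    Account("jdoe", "Boiler2024", date(2024, 1, 10), False),
    Account("svc_tech", "hvac1234", date(2024, 5, 2), True),
    Account("svc_tech2", "hvac1234", date(2023, 11, 1), True),
    Account("msmith", "ChillerPlant7", date(2024, 4, 28), True),
]

def audit_sample() -> dict:
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)
```

Run against a real controller's account export, only `msmith`-style entries should come back with an empty list; anything else is a login to rotate, remove or re-issue.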
Hardware firewalls are most often found in broadband modems and are the first line of defense, using packet filtering. The main goal of a firewall is to protect your HVAC controls network from malicious mischief. Malware (malicious software) is the primary threat to an HVAC controls server; viruses are often the first type of malware that comes to mind.
When possible, use a virtual private network (VPN) to access your control system remotely. All traffic that passes through your VPN connection is secure and cannot, in theory, be intercepted by anyone else, making it the safest way to access your HVAC control system. Most internet providers have VPN software built into their modems/routers.