Smart HVAC systems vulnerable to being controlled by hackers through cyber attacks

Like other connected devices, smart HVAC systems could also possibly be hacked. If attackers take over controls of HVAC systems, in the worst case, cities would break down and private data would be stolen.

All connected devices are standing under the risk of cyberattacks. Smart HVAC systems are no exception, either. Although IoT devices such as smart meters and HVAC unit sensors are not designed for web browsing, they do need to connect to the internet for data gathering, remote control and analytics. Their direct access to the internet, not in purpose, rather makes them major targets of cyber attackers, posing serious security threats for smart buildings.

Cybersecurity firm ForeScout Technologies have discovered that thousands of vulnerable IoT devices in heating, ventilation, and air conditioning (HVAC) systems are vulnerable to cyberattacks. Its research showed that nearly 8,000 connected devices, mostly located in hospitals and schools, offered unauthorized access and were highly vulnerable to cyberattacks. Hacker’s manipulation from HVAC systems could possibly let them access private financial information and potentially retain unauthorized data in large companies. For special locations such as hospitals, dysfunctional smart HVAC systems could possibly harm patients who need to rest under certain temperatures and air flow. This type of attack scenario even has a codename – HVACKer.

Malware uses commands to control HVAC systems

To carry out attacks on an HVAC systems, hackers would first identify an HVAC system connected to the internet or sitting on a connected internal network. Besides looking for HVAC systems, hackers might also look for building automation software, which incorporates an HVAC component as well. Once they identify such systems, they will try to breach and take control of it. Then, they will import their custom malware to the system in order to infect other devices and computers on the same network. Malware, meanwhile, is mostly used to send commands, instead of stealing data.

Sending commands on HVAC systems, however, is still dangerous. Theoretically, hackers could break into air conditioners across a smart city and turn on all of them, to cause a power surge that could disable a city’s power grid.

A security first principle needs to be put in place

“Cybersecurity is an incredibly important issue that everybody has to deal with today,” said Sudhi Sinha, Vice President & General Manager, Digital Solutions at Johnson Controls. The first step to achieve cyber safety in a smart HVAC system, suggested Sinha, is for the supplier to have a robust product security program, which spans from product architecture, design, development, and support and data management. Next, customers need to ensure that their networks and port are safe and not exposed to any vulnerabilities.

To build a cyber-safe HVAC ecosystem requires every partner to take part in. Cybersecurity should be designed from the ground-up, with the final product being the management and data analytics software. Johnson Controls, for example, has a Security First principle in its development processes and product launch. It also provides cyber solutions tailored for the unique needs of each building, ensuring daily tracking of potential threats and provide rapid incident response.

“For cybersecurity, people need to be proactive and vigilant. It is better if companies adopt standard security frameworks,” said Sinha. For instance, buildings can ensure that they have industrial grade encryption solutions such as 128-bit AES, a running network or protocol supporting IPv6 traffic, and an IP-based security solution added on top like certificate handling or DTLS.