In the previous part of this series, which covers some of the weirder and wackier parts of your business that may nonetheless prove to be your Achilles’ heel when it comes to cyber attack, we discussed the threat posed by printers. This time, it’s the turn of something you probably even less likely to consider when assessing your level of vulnerability—your air con.
Firstly: no, this is not in the sense of an attacker crawling through your ventilation ducts in order to sneak into your offices like something out of Mission: Impossible or Die Hard—that’s an entirely different kind of network penetration. Rather, this article is about the risks posed by computer systems embedded in your building itself—in this case your Heating, Ventilation and Air Condition (HVAC).
Building automation is no recent development—development of the BACnet protocol commonly used in such applications pre-dates the World Wide Web and this year celebrates the 24th anniversary of being accepted as an industry standard. This historic pedigree, whilst impressive, does raise the issue of outdated, difficult-to-upgrade software using protocols that were designed in a time very different to our own with regard to cyber security.
This is exacerbated as HVAC suppliers rush to add Internet of Things functionality to their products, further increasing the size of this particularly vulnerable attack surface. Having compromised an HVAC system, an attacker may be able to pivot to other connected devices and into more promising areas of the company network.
These attacks can, and do, happen. 2013’s data breach of US retailer Target, in which up to 40m customer records were stolen, was identified as having been made possible via the compromise of an HVAC supplier. A subsequent Qualys report alleged that some 55,000 Internet-connected HVAC systems were insecure, with Director of Intelligence Billy Rios warning that ‘most companies have no idea HVAC systems are connected to the Internet and can serve as gateways into the corporate network and sensitive data’.
Along with these use of vulnerable HVAC systems to gain a foothold in a company’s network from which to launch further attacks, there are more extreme malicious uses of HVAC systems that have been proposed. Researchers at the Israeli Ben-Gurion University of the Negev announced in 2017 a method of transmitting information to and from air-gapped (that is, completely unconnected to any networks) devices using temperature changed, whilst other researchers had previously suggested the use of intentionally creating a power surge using HVAC systems in order to cripple the national power grid.
Now, thankfully, these last two examples are likely of little concern outside of academic and national security circles. However, this does not mean that the risk posed by HVACs of enabling more traditional attacks is similarly ignorable. All businesses should be aware of the full attack surface which they present to the outside world, as well as structuring their network to ensure that separate functions are kept separate—there is no justification for an attacker being able to hop from an air conditioning unit to a device containing your customer database, for example.