HVAC contractors in the Southeast who were unaware of the concept of ransomware learned about it quickly as they struggled to fuel their fleets following the Colonial Pipeline shutdown. A few weeks later, ransomware made headlines by halting meat production at the nation’s largest processor. Then came the Fourth of July weekend, when hundreds of mid-size firms became victims of ransomware attacks due to a flaw in software from a company called Kaseya.
Those are the high-profile cases. Some estimates find there are almost 200 attacks a day. One of those attacks struck a Michigan high school at the end of last year. According to press reports, the attack came in through the HVAC system’s remote controls and shut down several critical functions, including the heat. The school was able to get everything back online before students returned and didn’t pay the ransom.
That’s how ransomware attacks work, said Parham Eftekhari, executive director of the Cybersecurity Collective and founder of the Institute for Critical Infrastructure Technology. Eftekhari said ransomware is a virus that locks down access to a system’s servers. The attackers then demand payment, usually in bitcoin, to restore that access.
“It is absolutely one of the top threats to the economy and to our national security,” Eftekhari said. “It’s not being sensationalized.”
Cryptocurrencies Help Drive Ransomware
There are a number of factors driving the increase in ransomware attacks. One is the expansion of smart technology and remote access. Another is the ability to use bitcoin as a hard-to-trace payment method. That’s why some cybersecurity experts suggest banning the cryptocurrency entirely. All experts recommend against paying the ransoms, as paying them definitely increases the incentive for more such attacks.
A successful attack requires access, and that’s another reason for their growth. More people working from home makes it more challenging to monitor employees’ online behavior. Clicking the wrong link or opening the wrong email opens the door to ransomware.
“Ransomware is just like any other malware,” Eftekhari said. “It comes into your system the same way.”
HVAC systems already have an unfortunate reputation when it comes to cybersecurity. The high-profile Target data breach in 2013 occurred via the company’s HVAC system. Although the industry has taken strong steps to enhance cybersecurity since then, the incident in Michigan shows vulnerabilities remain. It also shows the HVAC itself provides a target for hackers.
“It’s common for the maintenance firm to have remote access to the system for monitoring, troubleshooting, and ensuring maximum efficiency,” said Ken Munro, founder of Pen Test Partners, a firm of ethical hackers. “However, it’s also common for the HVAC system to be connected to the customer’s network, too.”
HVAC Attacks Can Prove Costly
Munro first started looking at HVAC system weaknesses in 2005, when a neighbor who worked in the field lent him some controllers to experiment with. Munro and his colleagues found many exploitable flaws in the controllers that exposed them to what he calls “fairly trivial hacking.” He reported them to the vendor and they were fixed.
Revisiting the technology a few years ago, Munro found the controllers were better, but not perfect. What’s more, he and his colleagues used certain search engines and found many HVAC control systems exposed on the public internet. While those who design and install HVAC systems know how they function, they often don’t fully understand network security, he said. This inadvertently makes the systems available to hackers.
“In many cases, one can access the control system with minimal skill and take control of the HVAC,” Munro said.
Pen Test Partners have found all sorts of systems exposed on the internet, ranging from food warehouse chillers to a funeral home’s cremation oven. Turning off the heat at a high school during a Michigan winter can be disruptive, but there are worse scenarios, such as turning off the a/c at a Dallas office building in the middle of July. Munro said the productivity losses could be significant. Eftekhari said an even worse example would be a hospital, and beyond that, critical facilities where a/c is mission critical, such as data centers and pharmaceutical plants.
Manufacturers, HVAC Contractors, Clients Need To Work Together
Avoiding these kinds of scenarios requires an effort from everyone involved. Manufacturers realize their role and are introducing more security features into their products all the time. For example, when Honeywell introduced the new E-Mon Class 6000 product range of multi-protocol-capable energy meters, the company made a point of its cybersecurity features. These include a lockable enclosure and encrypted communications.
Customers need to check that their business networks are separated from the HVAC system and also from the HVAC service provider, Munro said. This is a basic cybersecurity principle known as network segregation. They may want to have a third-party cybersecurity expert check over the finished project and run a penetration test.
HVAC engineers and contractors need to become more aware of cybersecurity, Munro said. Top management needs to support these efforts as well. Cybersecurity issues can prove difficult and time-consuming to resolve. Resolving them also requires an industry-wide effort.
“We think that HVAC vendors would do well to educate the installer and service provider community in network security,” Munro said.