Addressing Cybersecurity Risks in Connected HVAC Products
Connected products and capabilities offer new exciting opportunities for HVAC, but they also present new risks for manufacturers and designers to consider. Cybersecurity is a major concern for any connected product. Considerations must be made to keep individual products, and the connected ecosystem, as safe and secure as possible.
Cybersecurity impacts more than just the HVAC system or related product. Connected products can provide access to client or customer data. And issues within an HVAC system can expose other systems within a facility, such as lighting, security, audio/visual, IT, and more, to potential risks. Consider these cyber breaches with HVAC systems:
1. A smart thermometer allows users to view and/or modify climate settings remotely or to offer support remotely. However, it also could expose the network it is on, exposing data or impacting other systems.
2. Refrigeration and HVAC systems in major retailers have been compromised, putting those company’s systems at risk and potentially exposing consumer data. For example, a famous 2013 data breach where 40 million credit cards were exposed was accessed through an HVAC vendor.
3. A fish tank in a hotel/casino had a system that allowed for temperature control through a remote thermostat. Hackers accessed the system to steal 10 gigabytes of data.
In most cases, identifying issues and managing the aftermath require valuable time and resources. Brands can be damaged; data is exposed. For this reason, proactive measures are a must for any manufacturer or engineer designing, using, or maintaining a connected HVAC product or system. Cybersecurity testing and certification can help minimize risks, ensure a successful and timely product launch, and be a valuable tool in marketing products and assets.
To successfully evaluate a product for cybersecurity risk, it’s important to first understand the current cybersecurity landscape. A range of cyber threats must be considered:
• Malware: Includes executable code, scripts, active content, and other software designed to damage a computer, server, or network.
• Phishing: Fraudulent outreach designed to trick targets into sharing sensitive information via electronic communication or social media. Most attacks are followed by malware installation.
• Viruses: Malicious software that replicates itself by modifying other programs and inserting its own code, subsequently “infecting” a device or software.
• Botnets: A number of connected devices used to perform distributed attacks, steal data, or send spam, allowing attackers to access devices and connections.
• Denial of Services (DoS): A specific attack where the perpetrator seeks to make a device or network unavailable by disrupting services of a connected host.
• Ransomware: This software holds data “hostage” unless a ransom is paid. Incidents are on the rise.
• Web-Based Attacks: Committed via exploiting security holes created through outdated web browsers and compromised websites.
• Stolen Devices: Loss or theft of unencrypted devices can lead to breaches and security risks.
Secure products are a key component of combatting cybersecurity risks. Thorough testing and certification of systems helps ensure connected products and their data are as safe as possible.
There are a few options for standards to assess connected products; they vary based on product type. Selecting a standard or set of standards will depend on the product, testing objective, and goals. Products can be tested and certified to the following standards:
• The ISA/IEC62443 (formerly ISA-99) series of standards — A conformity assessment scheme for an industrial cybersecurity program that evaluates security capabilities and ensures these capabilities have been applied to either a specific product or solution.
• ANSI/UL 2900 — A family of standards for software security in IOT-oriented products used in the home. It includes requirements for assessing vulnerabilities, software weaknesses, and malware.
• Common Criteria — An international set of guidelines and specifications developed for evaluating information security products for government use. They can be applied to hardware, software, firmware, or a combination.
• ISO/IEC27000 — This family of standards provides a structure for implementing an information security management system, safeguarding information assets through confidentiality, integrity, and availability. It requires a mature understanding of security at an organizational level as well as policy and procedure-based security.
• NIST Cybersecurity Framework — This framework provides voluntary guidance based on existing industry standards, guidelines, and practices with the goal of helping organizations manage and reduce cybersecurity risks. It must be customized based on risks, situations, and needs.
Testing and Evaluations
Testing with an iterative process throughout product development is important. If security testing is only completed at the end of a project and there are failures, there may be fundamental design flaws requiring the project to begin again. This can be an expensive process in terms of both time and money and it may be difficult to recover these losses.
Whenever possible, test for cybersecurity early and often to mitigate risks along the way. This may include:
• Vulnerability Assessments: Evaluates device security using system and network testing as well as specialized considerations, like cloud-based services and communication protocols; applications, using specialized automated tools and a detailed examination of app functionality; or infrastructure, through comprehensive auditing and device testing, interpreted in the context of a product’s intended environment.
• Penetration Testing: Provides an attacker’s perspective with experts attempting to infiltrate networks, systems, products, and applications to provide a detailed report identifying exploitable vulnerabilities and recommended mitigation.
• Security Design Review: Assessing security controls or network design for effectiveness and adequacy regularly throughout the design phase to help ensure product security. This is more cost effective and efficient than trying to add security later in the process.
• Privacy Impact Assessment: Gives a detailed review of organizational or product privacy policies and controls to ensure compliance to legislation and security standards. Addresses risks to privacy or privacy-related security that have been identified and considered along with mitigation protocols.
• Threat Risk Assessment: Identifies assets that need to be protected, the value of those assets, and associated threats/vulnerabilities. It considers the impact of damage or loss and, most importantly, how to mitigate exposure or damage. A typical assessment will deliver a prioritized list of issues to be addressed.
For any connected device, best practices and industry-specific standards should be used to ensure a secure product. It’s important to include security throughout product design and development. Adding security after the fact almost never works and always costs more. A product should be built to be intrinsically secure. It is important to define all security requirements for a product, including what types of threats might exist to the product and vulnerabilities that might reside in the product. Then, consider what safeguards should be implemented. Test throughout the development process to ensure you’re not introducing security risks along the way.
Independent testing and security certification illustrate compliance with regulatory or industry requirements. This independent opinion confirms that controls are working as intended, offering a competitive advantage. It also outlines roadmaps for security improvement, improved operating processes, and identification of key business assets.
Creating a connected device can be a challenging task in a world where technology continues to evolve at a rapid pace. Illustrating that adequate measures are in place to ensure the protection, integrity, and resilience of products, systems, information, and data is critical to success and building a brand. A proactive approach to leverage existing standards, and undertake additional assurance assessments, can mean the difference between a success and a failure.