Answered by AirTight Controls & Automation Specialist Jack Floyd
What can HVAC contractors do to help avoid security data breaches in their internal and customer communicating systems?
As always, education is key: if you are working with control systems that are attached to your personal, company or especially your customer’s networks, you should know a good deal about networking. Not to say “be an expert”, but understand the fundamentals of networking and their importance to information, therefore securing the information. Understanding how the overall system works will allow you to be smart in your installations with best practices such as: changing default passwords that are printed and public knowledge; using secure encryption to transmit data and critical information; allowing push notifications for data that is sent to cloud-based systems as opposed to polling the data from an external network. There are many more, but these few are commonly broken because the average HVAC and/or controls technician is not educated on networking and is literally unaware of hackers using a building automation system to obtain valuable data. Most controls manufacturers’ default settings are for minimal security at best; however, you can read the literature and educate yourself, your people, your company and maybe even your customer. You will find that many of them, the OEMs, have documentation on how to properly set up their products for different types of applications and security levels that will fit your customer’s needs.
What actions would you suggest to an HVAC contractor faced with the situation that Fazio Mechanical has been faced with?
This is a tough position to be in, as the original credentials that were hacked could have been stolen in so many different ways. They could have been stolen off of a technician’s home computer used to access the Target remote network; it could have been that a technician left a log-in open after finishing work remotely that was picked up and taken over while there was still an open connection to the outside world; or it could have been a weak security connection, depending on what Target is using for access to its vendors, that is easily attacked. The bottom line still goes back to education and creating best practices to prevent incidents like this from occurring. If I were in a position similar to the one Fazio Mechanical finds itself in, I would find out all of the information prior to making any statements of the events (which they have done), start educating my employees immediately with relevant information and best practices from local experts, and research the interface that Target provided to see what type of security breaches have occurred previously with other locations or customers. Ultimately the responsibility falls with the Target Network Administrator to set up and protect their internal network. That is what a Network Administrator gets paid to do. However, at AirTight our first best practice is to not be a “Vendor” but a partner, which means doing what’s best for our customers and educating them as we go. General network knowledge and best practices at the technician level may have prevented this issue.
Angela D. Harris is an eMedia Development Specialist with The Air Conditioning, Heating and Refrigeration NEWS. The Air Conditioning, Heating and Refrigeration NEWS is the HVACR contractor’s weekly newsmagazine and is the industry’s most trusted and utilized direct communications link to the HVACR buyer.