Smart heating and ventilation systems at high risk of attack

“Building automation systems, in particular, are at a real risk of being targeted by such bad actors – yet we rarely talk about them.”
16 January 2019


For the wiser tech cynics among us, Internet of Things (IoT) technology and security vulnerabilities form, more often than not, part of the same sentence.

Every connection to a network carries the risk of a potential security breach. While new advances and guidelines are quelling the risks somewhat, the increasing adoption of IoT networks, along with the growing number of devices connected to them, carries a rapidly growing risk.

One of the more common and overlooked deployments of ‘smart building’ technology, Building Automation Systems are particularly vulnerable, according to new research by cybersecurity firm ForeScout.

The IoT devices in question include those that automate heating, ventilation and air conditioning (HVAC) systems, which, says the report, are regularly left unsecured against hackers.

Using Shodan, a search engine for IoT-connected devices, ForeScout was able to identify “thousands of vulnerable devices”, many of which were located in schools or hospitals.

HVAC systems were some of those the company could have taken control of. Besides causing disruption and potential discomfort, in worse cases, HVAC manipulation could lead to life-threatening scenarios, such as the evacuation of hospitals, or degradation of temperature-variable equipment or facilities.

Manipulation of HVAC systems could allow attackers to “take offline data centers used by large companies to store and process sensitive data”, which could include financial information, said ForeScout, “as well as harm people in facilities where these devices are vital, such as tunnels and mines”.

The vulnerabilities even extended to physical access control systems, which prohibit non-authorized users from accessing restricted areas at hospitals and airports.

“In recent years, hackers have become increasingly sophisticated in their attacks,” said senior director at ForeScout, Elisa Costante, “and are nowadays well-equipped to identify and target vulnerabilities across most business and consumer technologies.

“Building automation systems, in particular, are at a real risk of being targeted by such bad actors – yet we rarely talk about them.

“By targeting industrial heating, ventilation, and air conditioning systems, bad actors can disable cooling systems in data centers and server rooms, leading to downtime and, in a worst-case scenario, to the complete loss of data.

“Hackers can also take control and manipulate or disable critical medical equipment, resulting in hospitals needing to cancel appointments and, in extreme cases, leading to the loss of human lives.

“Equally, ventilation systems in tunnels can be disabled, rendering them unusable and causing chaos on our streets.”