A few months ago, many of the leading Heating, Ventilation, Air Conditioning, and Refrigeration companies exhibited at the 2019 AHR Expo, the world's largest annual HVAC and industrial/commercial equipment event.
As expected, there were multiple new product launches and news announcements released during the show. These included the introduction of new equipment and product lines that are more energy-efficient or more powerful. And they also included the introduction of new devices and equipment that are far more connected than ever before.
Mark D’Agostino, Vice President of Sales for the Hunter Fan Company’s Industrial Division, recently said,
“…we will see an increasing trend towards [a] ‘system’ focus as opposed to the historic ‘component’ focus…that is, how multiple HVAC components can be integrated to provide an efficient system as opposed to efficient components operating as standalone pieces of a system.”
This future trend and shift in focus towards HVAC systems is only possible if those individual components can be connected to a centralized controller or system. And that’s only possible if they each, individually, connect to a network.
This trend extends well beyond HVAC and into all areas of industrial and commercial equipment manufacturing. Commercial and industrial equipment manufacturers are looking for ways to enable equipment owners to more easily control and harvest data from their equipment. They’re also looking to cloud-enable this equipment so that they, themselves, can access that data, and even manage and control devices remotely.
Although the benefits of connecting these devices to each other and to the cloud are immense, connectivity comes with concerns. The largest of these is something that many OEMs have never had to worry about before: cybersecurity.
The cyber threat facing industrial equipment
As devices become more connected to each other, to IT networks, and to the cloud, their exposure to attack by hackers and other malicious actors increases. When they were completely detached from IT networks, there was virtually no remote attack surface to exploit.
Many OEMs may not be concerned about this. It makes sense that the owner of a cooling tower installed in a power plant would be concerned about cybersecurity, but how many people would want to hack a hot water heater? That's a fair question. Unfortunately, the answer is, "More than you'd think!"
Industrial and commercial equipment and devices have become increasingly important and mission-critical for their owners. This means that any time that they’re inoperable or compromised, there are real-world consequences, including the potential for lost income or productivity. For instance, if that hot water heater is instrumental in the sanitation of medical devices in a hospital, it would have legitimate consequences if it was inoperable.
Verizon's 2018 Data Breach Investigations Report (DBIR), which analyzed 2,216 confirmed data breaches, found that 39 percent of the cyberattack cases involved ransomware. Ransomware is a form of malware that intentionally blocks access to data, or threatens to publish sensitive data, unless a ransom is paid. This can debilitate an organization that relies on its IT systems to operate. The WannaCry attack in May 2017 was an example of a very effective ransomware attack, impacting an estimated 200,000 computers across the globe.
So, if attackers use ransomware to hold IT and data systems hostage for a ransom, why wouldn't they hold a company's industrial or commercial equipment hostage as well?
In the same way that a malicious actor can come in and lock down all of the data in a company, it's certainly feasible that they could lock down an entire building's equipment, from elevators to HVAC equipment, and hold the whole building hostage.
This is a real concern for equipment owners. And it's an even greater concern for the OEMs making the equipment.
Why are OEMs particularly vulnerable?
There is a relatively simple, if unscientific, answer to this question: they're not IT or cybersecurity experts.
Let's imagine a hypothetical product manager responsible for designing or building boilers. These devices often sell for upwards of a million dollars, and they need to perform their designated task as effectively and efficiently as possible. The product manager is most likely not focused on cybersecurity. They're looking at the boiler's exhaust and the amount of unused fuel, analyzing whether the boiler is releasing the maximum amount of heat possible.
That’s what they’re focused on, because that’s what they should be focused on. They’re not thinking about cybersecurity, or where their DNS server lives.
This is a problem because cybersecurity isn't something that can simply be layered on top of a finished device. It's not a band-aid that can be slapped on later. It needs to be baked into the system from the beginning of its design.
Connected devices bring an almost inconceivable number of benefits, but they also bring security risks and an expanded attack surface. As security threats become more sophisticated, as devices become more connected, and as equipment becomes increasingly essential to a company's operations, it's important for OEMs and equipment owners to get more serious about security.