Cybersecurity Considerations for HVAC

Mitigating Risk for Connected Products

09 July 2019

More HVAC products than ever are connected and IoT-enabled, meaning manufacturers and engineers need to consider cyber security risks and mitigation for these popular items. All connected products and their users face risks such as malware, botnets, ransomware, denial of service and phishing, and the effort to address these risks can cost organizations millions of dollars and countless hours. In part, this is because connected products are still in their infancy, so few have been designed with cyber security in mind and fewer still have been tested for cyber security considerations. Additionally, few cyber security standards have been developed with connected products in mind. Those that do exist often fall short: they tend to consider the device in isolation and fail to consider the impact of security threats on the cloud services that the connected device relies on. The very nature of connected products means exposure to other devices and networks that may be unknown or uncontrollable.

Within the HVAC industry, connected products include smart thermostats, connected heating systems, service-provider portals, remote monitoring, cooling systems and more. These products are often connected to clients' networks and can potentially provide access to those networks, systems and other devices, or be compromised from other points in the ecosystem. Attackers could compromise systems, steal data, and threaten the security of other systems.

There are several ways to mitigate risk, including good practices, applicable standards and testing options. A secure ecosystem and well-designed products are key, as are ongoing security assessments and employee training. There are also several standards that can be employed to assess connected HVAC products: the IEC 62443 series, the ANSI/UL 2900 family, the NIST framework and the California IoT Bill. No one standard is a clear winner for HVAC products; the choice often depends on the objective for testing, the needs to be met, the market you're entering and the product itself.

To ensure the cyber security of connected HVAC products and devices, manufacturers should bake security into the design, making considerations throughout the R&D phase to ensure an intrinsically safe product. Testing a product throughout the development process will also help to ensure you are not making fundamental mistakes along the way. It will allow you to review designs and adjust before it is too late or costly to do so.

Creating a connected device can be a daunting task in a world where technology continues to evolve at a rapid pace. Cyber security in any connected device is important, including HVAC products. By following the standards in place and industry best practices, manufacturers can take steps to ensure the safety, performance and security of their devices. For more insights on cyber security for connected HVAC products, download our complimentary webinar recording.


Joe Dawson,
Principal Software Security Analyst

Joe Dawson is a Principal Software Security Analyst for Intertek EWA-Canada based in St. John's, Newfoundland. Joe has over 30 years' experience in Software Development, Data Communications and Information Security, in both the public and private sectors. He currently sits on the Standards Technical Panels for all of the UL 2900 family of standards and sits on one of the IEC 62443 standards committees.