Bringing The HVAC Industry Into The 21st Century

In the continuing wake following the Target breach that occurred well over seven years ago, the industry responsible for that massive credit card breach is still dragging behind when it comes to even basic cyber security. The reasons are many, but the root cause is overall lack of knowledge and valuable information about cyber security fundamentals. It’s not for lack of trying since many industry groups have offered continuing education courses and supplemental training to improve the industry’s posture, so what’s going on?

The problem is a combination of many factors, but let’s look at three big ones:

1. Industrial controls/IoT: The hardware and software that runs these systems is often outdated, but the real kicker is it is often expensive to replace with newer, more secure controls. Even when the hardware is newer, poor security measures are taken such as: weak passwords, usernames that cannot be changed, inability to integrate to authentication directories, default SNMP communities enabled, and no logging to name but a few. Unfortunately, there is very little that can be done to affect the industry that makes these industrial controls by an individual managed services provider, so we must design around these limitations.
2. HVAC professionals making IT decisions: By the time an IT professional is called into the situation, it is to clean up a mess left behind by someone who, frankly, does not know what they were doing when it comes to IT. Yes, they are likely a highly-competent HVAC professional, but that does not qualify them to make IT decisions. This leaves behind wide-open wireless networks, switches that are unmanaged and exposed to exploitation, defaults remaining, and sometimes even switch configurations and cabling that interfere with normal network operations.
3. No formal framework/plan for installation: Since HVAC companies don’t have any kind of a sensible, best practices framework that is customized for the type of equipment they install, it leaves their technicians with carte-blanche authority to essentially make it up as they go along. By implementing a basic installation plan that begins by including a client’s IT company — and if they do not have one, insisting that one be brought in to consult — an HVAC contractor can dramatically lower its liability and better protect its clients. In the complete absence of an IT company, the HVAC contractor may choose to have an attorney draft a limitation of liability to have the client acknowledged they were advised about the risks of installing industrial controls without IT participation.

So, what can we, as MSPs do to help this industry? There are some great ways to capitalize on this opportunity! Here are three:

1. Learn the devices and develop a plan: Find out what controls your HVAC clients are using and the security pros and cons. You can then develop a standard design or designs for securely installing HVAC controls. You could present this as a “Secure HVAC Controls Blueprint” to your clients and they could even sell it as a part of their offering. This is a fantastic way to get a referral!
2. Educate your HVAC contractor clients: Demonstrate to them some of the exposure that exists when installing hardware on a network. Encourage them to ask you questions when in doubt. Work with them so they know what questions to ask one of their clients when scoping out a job. I guarantee you their competition (and yours) is not doing that!
3. Be persistent: Most are not quite awake yet. The Target breach is distant and the general consensus is, “It will never happen to me”. Don’t give up. The stakes are way too high and the upside is tremendous!

As you can see, an outstanding opportunity lies before us. The suggestions above are just the tip of the iceberg but are great ways to open up doors and generate new client opportunities that could very well save someone’s business from a disastrous cyberattack.