Smart heating, ventilation, and air conditioning (HVAC) systems are key components in connected buildings. The ability to readily monitor the temperature of a physical space has numerous applications, including ensuring worker comfort and maintaining the environment for temperature-sensitive equipment and materials. Pharmaceutical companies and medical research firms use these systems to keep chemical compounds in the appropriate temperature ranges. 

The smart HVAC controls market is expected to reach $25.5 billion in value by 2032, partially on the back of a push toward more environmentally friendly temperature control in homes and businesses. In a corporate setting, smart HVAC systems can keep buildings clear of pollutants and allergens as well as temperature monitoring. The ability to finely control these Internet of Things (IoT) devices empowers building managers with power over the physical environment and insight into things like energy usage throughout the space. 

As with other IoT systems, however, smart HVAC systems create an opening for cyberattacks. When compromised, these systems might be able to be used for lateral movement or for causing issues with temperature or environmental controls. Regardless, security teams need to understand the risks with smart HVAC systems. 

Smart HVAC Systems Make an Attractive Target

HVAC systems and the control devices attached to them can be an attractive target for cyberattacks. Any connected device that’s accessible over the open internet is a realistic target for threat actors seeking a foothold for lateral movement or other goals. Technicians charged with monitoring these systems could also see their systems breached as a way for threat actors to compromise their customers. The Target data breach happened because cybercriminals successfully attacked an HVAC vendor, for example. 

These connected systems are the definition of feature-limited. They’re designed to control temperature and airflow through space, as well as monitor for air quality, but little else. Smart HVAC systems nevertheless play a crucial role in building automation control. However, they often don’t communicate using encrypted protocols or provide any sort of complexity of access. Along with readily available default passwords, these systems ultimately make attractive targets for compromise. 

A smart HVAC system under nefarious control could be used to ruin chemicals, flood a space with possible allergens or pollutants, or ruin sensitive machinery that needs to be kept within specific temperature ranges. Threat actors could also use these systems as a way to move laterally to monitoring devices and then through the rest of the network. 

A few recent examples of attacks include: 

• Johnson Controls, September 2023 – Johnson Controls is a manufacturer of industrial control systems, air conditioners, security systems, and other building automation equipment. In September 2023, the Dark Angels ransomware gang stole what it claims was 27 terabytes of data from the company after breaching its operations in Asia. The company said in an SEC filing in January 2024 that the attack cost $27 million in damages. 
• ENE Systems, August 2021 – ENE Systems is an HVAC vendor based in Canton, Mass. The company services multiple hospitals in the Boston area, including Boston Children’s, Massachusetts General Hospital, and Brigham & Women’s. There appears to have been no impact on the customers of ENE Systems, but the company did receive a ransom demand according to the attacker. 
• Richmond Community Schools, January 2020 – Winter break was extended at Richmond Community Schools in Richmond, Michigan, between the end of December 2019 and January 2020 because of a cyberattack that originated with the district’s HVAC services provider. Several of the district’s tools, including heating, telephones, copiers, and classroom technology lost function as a result of the incident. The district had to re-image and reconnect systems one by one to ensure they were clear. 

These attacks on HVAC manufacturers and vendors are indicative of ransomware gangs’ interest in these systems. It’s worthwhile for defenders to look at their building control systems and ensure that they’re secured against compromise as best as possible. 

Security Tips for Smart HVAC Systems 

Smart HVAC systems suffer from the same weaknesses that make other IoT systems easy targets. Their traffic often isn’t encrypted, access passwords tend to be easily discoverable, and the systems aren’t always designed with security in mind. A case in point is the KNX vulnerability that was first discovered in 2021. KNX is an open standard for building automation systems. This weakness isn’t as complicated as Stuxnet or other major cyberattacks; what attackers were able to do instead was purge the devices and set a new control password that rendered them inoperable. 

When devices that use KNX are discoverable on the open internet, attackers can compromise them and potentially render an entire commercial building’s systems inoperable. Compromises of the open KNX standard present a major risk for HVAC systems and other building automation systems. 

To secure smart HVAC systems, security teams should: 

• Inventory all network-accessible HVAC systems – This is always the first step with any security program. Creating an accurate inventory of all network-accessible smart HVAC systems enables security teams with insight into which systems are potentially discoverable, as well as information necessary to identify software or hardware vulnerabilities. This HVAC system inventory should include hardware information like make and model, software information such as operating system and firmware revisions, and any known vulnerabilities. 
• Limit connections between HVAC systems and critical IT – Building control systems like HVAC devices shouldn’t offer a direct line into IT systems. If you’re able to segment smart HVAC systems and their controllers from business-critical data, it’s possible to limit the risk of threat actors gaining access to sensitive data stored on IT systems. 
• Monitor smart HVAC systems for anomalous traffic or behavior – Connected HVAC systems should only communicate with well-known IP addresses in well-understood ways. Monitoring for anomalous behavior, such as shifting beyond prescribed temperature ranges or communicating with an unfamiliar IP address, would help security teams determine whether or not there could be an attack in progress. 
• Enhance detection and investigation – An attack can start from anywhere in a network, including HVAC systems. Tying connected devices like HVAC systems into your monitoring tools can make attack detection and investigation more robust, allowing security teams to detect attacks in progress faster and make better decisions. 

How Asimily Helps Defend Connected HVAC Systems

The Asimily platform is designed expressly with IoT devices in mind. It’s built to monitor traffic to and from IoT equipment, such as HVAC systems, and surface anomalous behavior that might indicate an attack in progress. 

Asimily also provides vulnerability information on high-risk weaknesses with our proprietary algorithm that leverages vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. This insight empowers security teams to make efficient prioritization decisions and resolve the riskiest vulnerabilities quickly. 

Asimily customers also receive peace of mind from knowing what systems are attached to their networks and which ones need the most mitigations. With this insight, as well as improved monitoring, Asimily customers can better defend their IoT systems and critical information from threat actors. 

To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.