Protecting HVAC Systems From Cybersecurity Threats

From ASHRAE Journal Newsletter, September 14, 2021

The average cost of an insider-related cyber incident exceeds $7.5 million, and more than half of companies go out of business within six months following a security breach.

Due to the inherent risks that come with using internet-based technologies, all HVAC engineers and designers need to incorporate cybersecurity into their business practices. The cost of not doing so is too high.

“As recent attacks of ransomware and cybersecurity incidents have shown, victims are not only government entities, but almost any internet-connected organization can be prime targets of opportunity,” said Ecton English, Member ASHRAE. “The cost and effort for generating and distributing attacks for ransomware are extremely low with very profitable payoffs. Building management systems and other infrastructure control systems have become prime targets of opportunity due to the lack of cybersecurity inherent in many designs and operational practices.”

But have no fear—ASHRAE’s Multidisciplinary Task Group, Cybersecurity for HVAC Systems and Related Infrastructure (MTG.CYB), is here to help. The MTG launched a new cybersecurity column series in ASHRAE Journal, which focuses on the security-related areas of awareness, training and planning, said MTG.CYB Chair Mike Galler, Member ASHRAE.

“Cybersecurity is an area that everyone needs to have some level of knowledge in, and I hope that this column helps to increase interest in gaining competency in cybersecurity,” he said.

The series debuted in the July Journal with a column focused on cybersecurity and the Industrial Internet of Things (IIoT). A second column, published in the September Journal, gives basic cybersecurity recommendations for HVAC professionals who are unfamiliar with cybersecurity.

“Future columns will provide brief overviews of different areas, new developments such as BACnet/SC and Managed BACnet, current issues and other new technology related to cybersecurity,” said Galler.

Common Challenges

The cybersecurity column will also address common challenges and solutions. Common mistakes engineers make regarding cybersecurity range from a lack of knowledge of proper measures to improve security to the cost of designing, implementing and maintaining an effective level of protection.

Galler said the cost of cybersecurity systems is analogous to that of physical security. If a facility is in a high-traffic area, it requires a higher budget to secure. And, he says, the internet is a high-traffic area.

“The cost of securing a building automation system mostly isn't found in the hardware,” said Galler. “The expenses are mostly in the time and effort by employees or contractors to design, implement and maintain the operational procedures and policies related to cybersecurity. There will also be an ongoing cost for training employees.”

Galler said these expenses will probably be less than the cost of falling victim to a successful attack.

“According to a recent report, the average cost of insider-related cyber incidents was $7.68 million, and 60% of companies go out of business six months after a security breach,” he said.

One of these common challenges is the belief that cybersecurity does not apply to the HVAC or control systems field of expertise, said English, a member of the Multidisciplinary Task Group. Another is that small or medium-sized systems are too small to be targets for “hackers.”

“I don't know how many small business owners think this way, but none should. In 2019, 43% of online attacks were aimed at small businesses,” said Galler. “A computer virus doesn't know how big a company is, and it doesn't care. Small businesses are still a big target.”

Solutions to these challenges include education, partnerships and cybersecurity-informed implementations, he said. English recommended using free government resources from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to improve systems’ cybersecurity, as well as helping to develop standard specifications that implement cybersecurity best practices in the design and installation of control systems.

Stay tuned to learn more about how HVAC engineers and designers can implement cybersecurity best practices in forthcoming installments of ASHRAE Journal’s cybersecurity column.