Cyber attack

Hackers target HVAC

Forescout Research Labs has released a report that uncovers the 10 riskiest Internet of Things (IoT) devices in 2020 – and number two on the list is HVAC systems.

The Enterprise of Things Security Report explores the top device attack vectors for hackers to gain access to enterprise networks.

Forescout Research Labs analysed data from one of the world’s largest repositories of connected device data, the Device Cloud. The data was collected from over 8 million devices used in the financial services, government, healthcare, manufacturing and retail sectors.

Forescout has identified points of risk inherent to device type, industry sector and cybersecurity policies. These findings have been translated into data-informed recommendations to help cybersecurity and risk stakeholders mitigate and remediate these identified points of risk. 

Forescout’s regional director of Australia and New Zealand, Rohan Langdon, says organisational leaders are starting to understand the inherent cyber risks that IoT devices pose.

“Knowing the potential risk is critical in helping organisations identify which devices to proactively take action on or potentially block from the network,” he says.

One of the key devices identified as a threat in smart buildings includes heating, ventilation, air conditioning (HVAC) systems. As building management systems (BMS) have evolved into “smart” building systems, the threat of security breaches has increased.

iBMS (the “i” standing for integration) can now perform more complex functions, but also have multiple entry points for cyber attacks.

For example, in 2016, the residents in two apartment buildings were left without heat in Finland during a distributed denial of service (DDoS) attack.

Researchers who worked on the report successfully demonstrated how to use a HVAC system to reach isolated networks via a covert thermal channel. The report states that “an attack on an HVAC controller could be a simple temperature set-point change”.

For a business like a data centre, a small temperature change could result in equipment damage and safety mechanisms shutting down.

Langdon says the number and diversity of connected devices in virtually every industry has presented new challenges for all organisations.

“Part of reducing this risk is applying security controls and tools that can help identify and automate controls,” he says.

The riskiest device groups include smart buildings, medical devices, networking equipment and Voice over Internet Protocol (VoIP) phones. Windows workstations also represent a major risk to organisations, because up to 35 per cent of devices in different industries are running unsupported versions of Windows.

Langdon says the following steps can help reduce risk:

  • Having device visibility across the network
  • Accelerating the design, planning and deployment of dynamic network segmentation
  • Enhancing endpoint manageability
  • Automating and enforcing policy-based control
  • Highlighting operational technology IoT exposure by continuously and passively discovering, classifying, and monitoring network-connected OT and IoT devices.

The full report is available to download here.

Leave a Reply

Your email address will not be published.