< Browse more articles

Supposing you had a large company as a regular HVAC client and they gave you access to their computer network to collect your payment for contracts. What if criminals hacked your system, and from there got into the client’s system and stole employee pension money, passwords, or sensitive corporate information. Think your customer would be impressed?


What if you installed HVAC equipment that could be commissioned or monitored via the internet with out of date cyber security, and thieves used your channel to hack into your customer’s banking and credit card data and stole millions of dollars? Or they froze your customer’s computer system for weeks and demanded a ransom?

If you think these scenarios are unlikely, think again. They’re all too real and becoming commonplace. Smallbiztrends.com has been surveying companies for a few years on this topic and reports some alarming statistics, which if true, should give every reader pause for thought about your business.

The company reports that:

  • 55% of respondents say their companies have experienced a cyber attack in the past 12 months (May 2015 -May 2016)
  • 50% report they had data breaches involving customer and employee information in the past 12 months (May 2015 -May 2016).


  • 43%of all cyber attacks target small business, and only 14% of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.
  • 60%of small companies go out of business within six months of a cyber attack.

The costs of these attacks are often in the hundreds of thousands of dollars and many companies have no insurance protection.

For larger companies the threat is simply too big to ignore. In March the Ninth Annual Cost of Cybercrime Study was released by Accenture and the Ponemon Institute. Based on interviews with 2,647 senior leaders from 11 countries, the study said the average cost of cybercrime for an organization has increased $1.4 million over the past year, to about $13 million.

Information theft is the most expensive consequence, but data is not the only target. “Core systems such as industrial controls are being hacked in a dangerous trend to disrupt and destroy,” says the report. Cyber criminals are stealing data or destroying or changing data to breed distrust, or extract ransoms.

In Canada the numbers are only slightly less alarming. CIRA says 40% of companies have been hacked in the past year and 71% do not have a software patching policy, exposing them to serious vulnerabilities. Only 54% provide cyber crime training, despite the reality that employees are the weak link, with most hacks starting as phishing attempts.

Another common occurrence in the HVAC world is a sales scam involving counterfeit branded equipment. HRAI brings you a terrific presentation on this topic and other cyber threats at our Annual Conference on August 26 in Niagara Falls.


An infamous HVAC example was in 2013 when Target stores were hacked and customer credit card data was stolen. Fazio Mechanical, an HVAC company, was the route through which the hackers got in. Fazio supplied HVAC equipment to Target and used its computerized payment system.

In 2017 Target was fined $18.5 million because the hackers stole money, full names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other sensitive data from 41 million retail customers; and sold it on the black market.

One observer estimated that in addition to the fine, Target’s total losses from the incident could reach $420 million in reimbursements to banks recovering the costs of reissuing millions of cards; fines from the card brands for PCI non-compliance, Target customer service costs, legal fees, credit monitoring, and payments as part of a class action lawsuit.

HVAC vulnerabilities have also come under the microscope because the equipment is increasingly vulnerable along with general construction industry habits, such as relying on mobile communication and file and data sharing among parties.

A few years ago cyber crime consultants discovered a simple HVAC hack that got them into the main systems of Google Australia (Google should have known better). A building management system using the Tridium Niagara AX platform, a platform known to have security vulnerabilities, had not been patched. Researchers obtained the administrative password and accessed control panels offering "active overrides," "active alarms," "alarm console," "LAN Diagram," "schedule," and a button marked "BMS key" for Building Management System key. They found blueprints for everything and reported the whole incident to Google.

The same platform is used for numerous military, hospitals and others to control electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, alarms and other critical building facilities. Hackers could easily create a fake emergency in a secure government facility by dramatically increasing or decreasing temperatures.

Building automation systems, smart controls and many other emerging HVAC products often create surprising vulnerabilities too. About 60% of BAS systems are 20 years old and haven’t been patched. If it’s your client, recommend a short shutdown to install security updates.

Companies like Honeywell, Emerson, Schneider Electric and other majors are partnering through organizations like the ISA on creating standards and making HVAC systems more secure. In the meantime small HVAC companies could lose a great deal if they ignore this threat.


Guard against cyber crime:

• Invest in training for your team. In Canada you could try Idaptive Academy, Magnet Forensics, Spark Technical Academy, Terranova Security, and others.

• Check with your insurer to ensure you are covered for losses associated with cyber crime.

• Keep up with advances, including the latest patches for software. Many cybercrimes, including the massive 2017 Equifax data breach, could be prevented by adding a simple software patch.

• Back up your data, so that ransom attacks can be ignored and a clean operating system installed instead.

• Get serious about password security and two-factor authentication.

• Provide external users access only to the information they need to do their job.

• Beyond computers and software -- HVAC, fire suppression and waterflow systems now often have chips with factory-set controls and passwords that must be changed.

• Consider hiring consultants as “ethical hackers” to attempt to find their way into your system, then make adjustments.

• Install anti-virus software on all of your computers.

• Don’t permit browsing on suspect web sites, use of unknown USBs, DVDs or open email attachments from parties you don’t know and trust.