< Browse more articles

Unfortunately, we are compelled to run items frequently on cybercrime and how to protect yourself, because reports of compromised systems and increasing cybercrime seem to be emerging every day. One development that might be relevant to an average HVAC or refrigeration company is a vulnerability in a control system that is frequently used in popular building management systems (BAS).


Researchers have discovered a hack (now known as CVE-2019-9569), that affects enteliBUS Manager or eBMGR, a control system used to manage I/O switches connected to devices such as sensors, alarms, motors, locks, and valves. It is also used as a router for linking multiple Building Automation Control Network (BACnet) segments.

The eBMGR was developed by Delta Controls in Surrey, British Columbia, and is sold around the world. The issue is a buffer overflow fault located in the BACnet stack that results in remote code execution when attackers send maliciously crafted packets to devices, which don’t require authentication.

As with many cybersecurity threats, Delta was alerted and created a patch immediately. Progressive customers would have updated to the latest version of the affected software, and are thus not at risk. However, numerous smaller HVAC operators or their building management customers might be unaware of the problem, and may not have implemented the update containing the patch.

The other tragic irony about cybersecurity is that the correction is sometimes not a matter of cost. Education and quick action can often prevent a potentially expensive bad news story. Although Delta’s handling of this issue was praised in most reports, some developers, presumably to avoid liability, do not publicly disclose their mistakes or their fixes, instead just including them in new versions.


Recent research from Kaspersky, an international cybersecurity service provider, found that almost four in ten (37.8%) computers used to control smart building automation systems were affected by malicious attacks in the first half of 2019.

Smart building systems usually include sensors and controllers to monitor and operate HVAC systems, building access, power, water and elevators. Workstations are generally connected to the internet. The research showed that most of this year’s threats came via the web, others through email, some were introduced by flash drives and other removable media. Some of the malware used is aimed at stealing account credentials and other valuable data. Worms, phishing, and ransomware are also employed.


Forescout Technologies Inc., a cyber-security consultant in California, describes the field as a ‘game of cat and mouse,’ because developers must continuously create innovations that keep their systems ahead of new tricks by cybercriminals. Forescout uses artificial intelligence to run future potential scenarios and recommends developer priorities that might prevent anticipated vulnerabilities.

Their researchers looked at building automation systems, and report that in some cases a remote attacker could execute arbitrary code on a target device and gain complete control of it. This is due to an encryption function using a hardcoded secret to store user passwords that allows an attacker to obtain the credentials of valid users. They also found a buffer overflow leading to remote code execution on the PLC, again allowing an attacker to take full control of a device.

The company warns that resulting scenarios could include an attacker changing temperature set points or crashing HVAC devices used in facilities where they are vital for protecting people, such as tunnels and mines, or, for example, cooling systems for data centres and their financial information. An attacker might also be able to control the doors to gain access to forbidden areas or deny access to others during the commission of a crime.


Regular readers of the HRAI eNewsletter may remember that we published the tips below earlier this year. We’re repeating them now for anyone who missed them earlier and might find them helpful.

  • Invest in training for your team. In Canada, you could try Idaptive Academy, Magnet Forensics, Spark Technical Academy, Terranova Security, and others.
  • Check with your insurer to ensure you are covered for losses associated with cybercrime.
  • Keep up with advances, including the latest patches for software. Many cybercrimes, including the massive 2017 Equifax data breach, could be prevented by adding a simple software patch.
  • Back up your data, so that ransom attacks can be ignored and a clean operating system installed instead.
  • Get serious about password security and two-factor authentication.
  • Provide external users access only to the information they need to do their job.
  • Beyond computers and software -- HVAC, fire suppression and water flow systems now often have chips with factory-set controls and passwords that must be changed.
  • Consider hiring consultants as “ethical hackers” to attempt to find their way into your system, then make adjustments.
  • Install anti-virus software on all of your computers.
  • Don’t permit browsing on suspect web sites, use of unknown USBs, DVDs or open email attachments from parties you don’t know and trust.