Security Breach Exposes HVAC Concerns
Third-Party Security Breach at Target via Mechanical Contractor Raises Concerns
The latest was First American Bank, which lodged a complaint with the city of Chicago, noting that customers’ banking information was compromised following debit card use in local taxis. This is one of many examples plaguing the nation; and, as the details of the stories unfold, a common theme has emerged — hackers can strike at any time, anywhere.
HVAC Hacking Victims
Fazio Mechanical Services Inc., Sharpsburg, Pa., was invaded by hackers late last year. The mechanical contracting company was identified during a federal investigation as a third-party access point of the Target security breach between Nov. 27 and Dec. 15, 2013.
“Like Target, we are a victim of a sophisticated cyber-attack operation,” said Ross Fazio, president and owner. “We are fully cooperating with the Secret Service and Target to identify the possible cause of the breach and to help create proactive initiatives that will further enhance the security of client-vendor connections, making them less vulnerable to future breaches.”
Fazio Mechanical is not the only HVAC company victimized by cyber criminals.
“A few years ago, our phone system was compromised and calls were made to foreign countries listed on a U.S. terror threat list,” explained Corey Hickman, president of Comfort Matters Heating and Cooling Inc., Hanover, Md. “Our phone company believed it happened because some of our voicemail boxes had simple passwords like 1-2-3-4.”
The company now has its phone lines blocked against international calls, and has taken a hard look at its password policies for phones and computers. Hickman noted that he is making sure no one on staff has simple passwords and that they aren’t saved somewhere in a Word file.
“Since the Target incident, I’ve informed all of our workers that if they leave the office, even for a short period, they must log out of our operating software,” said Hickman. “I am also working to find a way to make sure each office PC is set up to automatically log off after a period of time without activity, and will then require a password to log back in.”
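The idle lock Hickman describes can be enforced and checked on a Windows office PC with the script below. It is an added example, not code from the article or from any of the companies quoted; it assumes a password-protected screen lock (rather than a full logoff) is the mechanism, a 10-minute idle limit, and that it runs with administrator rights in the session of the user it applies to (in a domain, Group Policy normally pushes the same values).

```powershell
# Added example (not from the article): enforce and audit a password-protected
# idle screen lock. The Policies key is honoured by Windows as a true policy,
# so the user cannot undo it from the Screen Saver dialog.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MaxIdleSeconds = 600   # constructed value: 10 minutes; adjust to your own policy

function Set-IdleLockPolicy {
    param([int]$TimeoutSeconds = $MaxIdleSeconds)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Windows stores all four values as REG_SZ strings.
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -Value '1' -Type String   # password on resume
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds" -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE'        -Value 'C:\Windows\System32\scrnsave.scr' -Type String
}

function Test-IdleLockPolicy {
    # Returns one finding per weak or missing setting; an empty list means compliant.
    param([int]$MaxSeconds = $MaxIdleSeconds)
    $findings = @()
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $p) { return @('No screen-lock policy is set; an unattended PC stays unlocked indefinitely.') }
    if ($p.ScreenSaveActive    -ne '1') { $findings += 'Screen saver is not forced on.' }
    if ($p.ScreenSaverIsSecure -ne '1') { $findings += 'Resuming does not require a password.' }
    $timeout = 0
    if (-not [int]::TryParse([string]$p.ScreenSaveTimeOut, [ref]$timeout) -or
        $timeout -le 0 -or $timeout -gt $MaxSeconds) {
        $findings += "Idle timeout '$($p.ScreenSaveTimeOut)' is missing or longer than $MaxSeconds seconds."
    }
    return $findings
}

Set-IdleLockPolicy
$issues = @(Test-IdleLockPolicy)
if ($issues.Count -eq 0) { 'Idle lock policy compliant.' }
else { $issues | ForEach-Object { "FINDING: $_" } }
```

Run `Test-IdleLockPolicy` on its own to audit a PC without changing it, for example before and after rolling the setting out.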
Despite the numerous precautions an HVAC company may pursue, data security remains a constant concern. Advances in systems, connectivity, and the sophistication of attackers could prove a conundrum as data sourcing and technology evolve. According to a study by KnowBe4, a security awareness training firm based in Clearwater, Fla., and the research firm ITIC, 80 percent of companies report that end-user carelessness is the biggest security threat to their systems and networks. To help mitigate these problems, KnowBe4 recommends that companies conduct regular risk-assessment reviews as part of their security plan, adopt defense-in-depth strategies, and create a strong first-layer security policy, including employee training. Even with precautions, however, impervious data security does not really exist, the study stated.
“Many experts have questioned the relevance of standards like PCI DSS [Payment Card Industry Data Security Standard] since the Target and Neiman Marcus breaches in 2013,” said Stu Sjouwerman, founder and CEO, KnowBe4. “Being compliant is no guarantee of being secure, as seen by the epic security failures of these companies, despite being PCI-compliant. According to Gartner analyst Avivah Litan, nothing in the PCI standard would have helped Target detect and block the intrusion before it happened.”
Mitigating Security Breaches
Data security is not an exact science. Even the best security can be vulnerable. To help mitigate potential risks, Ann Kahn, president of Kahn Mechanical Contractors, Dallas, brings in professionals and advises that other contractors do the same.
“In order to protect ourselves, our business, and our customers from a hacking incident, it’s best to engage the services of the most knowledgeable and trustworthy information technology (IT) provider we can find,” she explained. “Trying to install firewalls and such on your own is an exercise in futility. We are HVAC experts, not IT experts.”
In the aftermath of the Fazio Mechanical news, Fred Kobie, president, CEO, and COO of Kobie Kooling Inc., Fort Myers, Fla., made a phone call.
“I have liability coverage for the normal company issues, but this is one business aspect I spoke with my agent about to be sure we were protected in the event of a breach,” he said. “You should be sure you have coverage to handle all liabilities, including this one.”
Kobie went on to suggest that access to data needs to be locked up and that redundant password roadblocks should be in place. He also suggested that companies consider stepped access to data.
“Information such as credit cards and personal data should be destroyed in routine intervals,” he said. “Have a routine purge set up of credit information and paper documents with credit card numbers, and keep records of the purge.”
According to Jack Floyd, controls and automation specialist at AirTight Mechanical Inc., Charlotte, N.C., most controls manufacturers’ default settings offer minimal security.
“You can read the literature and educate yourself and your company,” he said. “You will find many OEMs have documentation on how to properly set up products for different types of applications and security levels, designed to fit all customers’ needs.”
Floyd advised that technicians working with control systems that are attached to the company network or a customer’s network should know a good deal about networking.
“You don’t have to be an expert, but you should understand networking fundamentals,” he explained. “Understanding how the overall system works will allow you to be smart in your installations and keep yourself and your customers safe.”
Publication date: 3/31/2014