In many ways, the market outlook for ductless heating and cooling systems is rosy.
Just this month, Global Ductless announced a projected growth in the market of almost 8 percent, making the industry worth over $42 billion by the end of the next financial year.
That's big news for the industry, but is also big news for those looking to take advantage of HVAC companies. As the size – and profits – of these companies continues to grow, they are likely to come under increasing levels of cyberattack. One of the major threats in this regard is ransomware, the "industry" of which is also growing rapidly.
For HVAC companies, cybersecurity has not been a huge concern. The data they work with has not traditionally been seen as personally or commercially sensitive, and so the risk of ransomware has historically been regarded as quite low. However, as HVAC businesses seek to integrate their systems, running ads on Google and using chat tools to connect with customers, the risk of hackers compromising their systems has grown.
In this article, we'll take a look at how ransomware works, why HVAC companies need to take it seriously, and what they can do to mitigate the risks it presents.
The Growth of the Ransomware “Economy”
The basic principle behind ransomware is simple enough. In this kind of cyberattack, a hacker illegally gains access to a computer system, and infects it with malware. This malware can then lock users out of the system, or encrypt data so that it cannot be accessed. They will then demand a “ransom” be paid in order to restore access to this data.
This simple explanation, however, belies the complexity of the ransomware economy, and the scale of the problem it poses. Ransomware attacks offer huge profit margins for criminals, are often under-reported by companies who fear the reputational damage of admitting to a major attack, and are now quite professional operations.
As the American economy has grown rapidly in recent years, with gross domestic product growing by 2.1 percent and personal income increasing to $101.7 billion by November of 2019. The rise of ransomware as a service is particularly worrying in this regard, because it offers almost anyone – even those with little technical skill – the ability to contract a ransomware attack from a third-party.
When it comes to the scale of ransomware, the numbers are equally worrying. A recent report suggests that a major international ransomware attack could cost the United States $89 billion, accounting for nearly half of the $193 billion global price tag for such an attack.
On the level of individual businesses, it’s also estimated that ransomware damages could cost $5 billion across the globe in 2019, a fifteen-fold increase from the $325 million they cited in 2015. That represents a new attack every fourteen seconds.
Why HVAC is At Risk
Traditionally, HVAC and BAS companies have not been that conscious of the risk of cyberattacks, including ransomware. A series of recent attacks, though, combined with recent advances in this sector, have led some to conclude that these businesses might become a major new target group for hackers, causing both significant damage to HVAC companies both fiscally and reputationally.
This is significant when you consider that 90 percent of consumers will always research a business before buying from them. The last thing any HVAC company needs is for potential customers to see that they were recently the victims of a major ransomware attack.
The ever-more-connected nature of HVAC systems, and in particular the growing importance of Internet of Things (IoT) devices, is giving hackers more opportunities to gain illegal access to corporate systems. An attack in 2013 was one of the first that specifically targeted HVAC systems, during which Target found that 40 million customers had their credit card information stolen.
The increased profitability of HVAC companies, whilst certainly good news for shareholders in them, also means that they are becoming lucrative targets. Nowadays, any company regularly posting millions of dollars in profits is likely to draw the attention of ransomware criminals, and the HVAC sector is no different.
The third issue is that security for HVAC vendors has too often been dealt with through obscurity. Because the data held in HVAC systems is not obviously sensitive, vendors have tended to overlook the necessity of implementing strong threat security and mitigation systems, and have instead left cybersecurity to more tightly focused network engineers to look after.
The long-term outcome of this is that there are still no cross-cutting industry standards for HVAC devices: the IEC 62443 series, ANSI/UL 2900 family, NIST framework, and the California IoT Bill all attempt to put these in place, but are often contradictory.
There are many steps that HVAC companies can – and should – take to mitigate the risk of a ransomware attack. An encyclopedic list of these would run to many pages, but the frameworks above are a good place to start.
On a broader level, however, what is needed is that HVAC companies begin to take the risk of ransomware seriously. With ransomware easily being one of the biggest cybersecurity threats but with 23 percent of all businesses not having a strategy to restore the data that falls victim to it, HVAC businesses in particular need to take ransomware very seriously both in terms of financial resources and managerial processes.
The core principle for securing HVAC systems is to recognize that any connected device is a potential threat vector for a company’s system. Reducing the risk of getting hacked therefore requires a full-spectrum response. The connections between HVAC smart devices and servers should be secured, as should the connection between HVAC vendors and their clients.
Going further, HVAC companies should take steps to secure their websites, which have emerged as a major gateway for ransomware criminals. Similarly, professionals need to be aware that all devices connected to HVAC systems, including smartphones, can be a source of infection.
The Bottom Line
Ultimately, the risk of ransomware for HVAC companies is not just a financial one. Most successful HVAC companies now do business with – and hold data on behalf of – dozens of third-party companies. This centralization of data storage represents a huge risk, and a huge opportunity for hackers.
HVAC companies should therefore take a pragmatic approach, and keep security in mind at all stages of the business cycle. Cybersecurity should be a major component in your choice of HVAC software, but it should also inform the design of HVAC systems from the ground up.
It's great news, of course, that the market size for HVAC is growing so rapidly. But we need to take security seriously in order to avoid becoming victims of our success.