Concerns around Security

Increased connectivity and data collection capabilities of smart HVAC systems provide homeowners with energy efficiency, comfort, and lower bills each month. However, in some homeowners’ minds, it’s a double-edged sword; these increased capabilities introduce opportunities for security risks.

“Some common concerns around cybersecurity in the context of smart HVAC systems include unauthorized access to personal data, potential breaches of sensitive information, and the risk of malicious actors gaining control over HVAC systems for harmful purposes,” said Rina Basholli, information security lead at Kode Labs, which provides software solutions for optimizing energy usage and overall operations in the real estate industry with the goal to enable sustainability, operational efficiencies, and comfort.

Paul Williams, chief product officer, Nice North America, said, “The biggest concern is around the consumer’s personal contact and whether the company is sharing that data with others without their consent or knowledge.”

The concerns are not surprisingly. With any piece of smart technology, consumers are expected to provide ample amounts of personal information that, in the event of a data breach, could leave them vulnerable.

PROTECT: Best practices during setup will help protect the customer’s security and privacy. (Courtesy of Kode Labs)

Easing Concerns

To address these concerns, there have been industry-wide efforts by most, if not all, major manufacturers of smart HVAC technology in order to protect user data. That being said, there are numerous steps contractors themselves can take to ease these concerns around the security of their customers’ smart home devices.

“Contractors can ease customer concerns by relaying that when it comes to data and personal information, smart thermostats leverage trusted industry standards and proven encryption and security techniques to ensure customer data is safe,” said Brendan O’Toole, vice president, Sensi product platform at Copeland.

Another step HVAC contractors can make is recommending products from companies who care deeply about data privacy and security, according to Alex Dougherty, director of security at ecobee. In particular, Williams said contractors should avoid manufacturers who are concerned about monetizing the customer’s data.

“This opens up the customer to the possibility of that data getting exposed to a wider audience or being used without their consent,” he said. “Those manufacturers [that a contractor recommends] should also have a commitment and track record of protecting consumer privacy.”

In addition to partnering with reputable companies, Basholli said HVAC contractors can also provide transparency and education around the security features of the installed smart devices and software. A couple key steps here include:

• Explaining how personal data is protected;
• Emphasizing the importance of regularly updating the software installed on the smart HVAC systems, which often include security patches that address security concerns, whether new or existing; and
• Implementing multi-factor authentication in order to add an extra layer of security by making it harder for unauthorized individuals to access the system through requiring additional verification beyond passwords.

Who’s Worried?

Concerns around cybersecurity will vary depending on the type of customer, their investment in data privacy, and their level to exposure of cyber risks.

Williams said, “High-net-worth individuals (HNWIs) are often high-value targets for cyber criminals, as they have substantial assets, personal information, and public profiles that can be exploited for financial or reputational gain.” Since HNWIs have demonstrated more concerns than the average customer, they should be approached with full transparency about the risks and also the mitigations that can be put in place to secure their privacy, he said.

Basholli said customers within industries that deal with sensitive information or individuals with heightened cybersecurity awareness tend to be among the more concerned.

“To approach the conversation with these customers, it is essential to highlight the advanced security measures implemented in [smart HVAC] products,” said Basholli. Showing customers that their specific concerns around cybersecurity are deeply understood, by addressing them with tailored solutions, will help build trust and confidence in the contractor’s commitment to protecting customer data.

While many smart device users are already concerned about the possibility of their data being compromised or shared, a lot of them don’t necessarily understand what kind of data is being shared with the manufacturer.

“In our Smart Home Data Privacy Survey, only 13% of smart thermostat owners researched their manufacturers’ data privacy policy before purchase,” said O’Toole. “Additionally, around 1 in 5 respondents (19% smart thermostat owners, 23% non-owners) admit that they’re not sure what kind of information is shared. However, after learning the truth about how certain smart thermostat manufacturers use their data, 2 in 3 smart thermostat owners were at least ‘somewhat more concerned’ about using their smart thermostats.”

Nor do they necessarily have a full understanding of what data to be concerned about. HVAC data collected by smart home devices (e.g. when the HVAC system powers on, temperature recovery time, indoor air quality, etc.) is valuable for energy efficiency, demand response, and grid management purposes, it’s data that, when standing alone, doesn’t expose the customer to many privacy concerns.

The real concern revolves around the customer’s personal information: name, address, phone number, email, etc.

“Which can be linked to the HVAC usage data and potentially reveal personal habits, preferences, or behaviors,” explained Williams. “Customers should be aware of how their contact information is collected, stored, and shared by the device manufacturer or service provider, and what options they have to opt out or delete their information if they wish.”

While privacy is important, there’s another thing that customer’s should be equally concerned about: the potential risks of cyberattacks on their smart devices.

“Unauthorized access to HVAC systems, for example, can lead to inefficient operation, increased energy consumption, or even physical damage,” said Basholli. “It is crucial to raise awareness among users that security encompasses not only the protection of personal data but also the overall operational safety of their smart devices.”

Another less nefarious concern is data collection for marketing.

“While most thermostat manufacturers follow these best practices, many customers don’t understand that their data could also be leveraged in other ways by these companies for targeting or marketing purposes, so it’s important for consumers to be informed when they are selecting the right thermostat for them,” said O’Toole.

Practices that Protect

Fortunately, there are already HVAC systems out there that protect against cyberattacks or security risks through steps like encryption, requiring passwords, updates, and not sharing personal information with anyone but the customer.

Ecobee starts its customer protection by ensuring their physical devices themselves are tamper-proof. In addition, passwords are required for the web portal and mobile app associated with their products, communications to and from the thermostat are encrypted, each device is designed with a unique security key only able to access their backend systems with an authenticated security key (called a PKI), and all systems have protections in place to block and detect anomalous activity.

“All data at rest in storage is also encrypted, meaning that it’s useless to someone that may have gained access to it, including our own internal staff,” said Andrew Gaichuk, senior director of technical operations at ecobee. “We can push out new security patches to our thermostats using over-the-air technology to address any weaknesses, even if the device is in the field. Firmware updates are cryptographically signed to prevent tampering with images.”

When it comes to the actual install of smart devices, there are a few best practices to follow to protect the customer’s security and privacy.

“As with any home network, ensure you are not using default login information/password and for added security hide your SSID name,” said Williams. “This will prevent unauthorized access to your network and devices.”

Kode Labs recommends the following to ensure robust cybersecurity when it comes to smart HVAC installations:

• Conduct thorough risk assessments;
• Implement strong access controls;
• Regularly update software and firmware; and
• Enable system monitoring and logging.

However, perhaps the important step revolves around educating customers on what they can do themselves when using their smart home systems on a daily basis.

“Contractors should educate end users on cybersecurity best practices, such as using strong passwords, being cautious of suspicious emails or links, and regularly reviewing access permissions,” said Basholli. “User awareness is critical in maintaining a secure environment.”