
Preparing For Emerging Cybersecurity Attacks Against Chillers

What Protocols Need to be in Place For When Malicious Actors Come Knocking

By Dylan Kurt
ATTACKS ON THE RISE: Cyberattacks are becoming more frequent and sophisticated, and chillers could be vulnerable if proper precautions aren’t taken. (Courtesy of Johnson Controls)
November 11, 2024

As technology becomes more and more integrated into HVAC equipment, there’s also an increasing fragility that the industry needs to be prepared to address.

When it comes to chillers, a growing reliance on automation and internet connectivity may be making operations more efficient, but it's also opening the door to an evolving class of sophisticated cyber criminals.

While chillers aren’t inherently more prone to intrusion than any other piece of HVAC equipment that utilizes connectivity, their role within critical infrastructure warrants heightened security measures to shield them from ever-evolving cyber threats.

 

How Vulnerable are Chillers?

Like almost every other modern piece of HVAC equipment, chillers are integrating more automated systems that are increasingly connected to the internet, creating a potentially huge vulnerability if proper safeguards are not in place.

While most chiller operators are well-trained to address and mitigate physical threats and other safety issues, cybersecurity is an entirely different animal.

“Bad actors are getting more sophisticated in how they use hacking, malware attacks, phishing, and ransomware to attack,” said Lowell Randel, senior vice president, Government and Legal Affairs, Global Cold Chain Alliance. “The consequences of a successful cyberattack on a chiller can result in product loss, leading to economic damage and food waste, safety hazards, negative impacts to company reputation, and compromising sensitive personal and company information.”

While there’s nothing that makes them more, or less, susceptible to cyber attacks, Ali Saidi, vice president of engineering, Daikin Applied, noted they are considered critical infrastructure, meaning there is an additional level of care and diligence needed when deployed, integrated, configured, and commissioned.


“The most common security-related failures are often due to environmental and operational vulnerabilities such as unsecured networks, misconfiguration, outdated firmware, and deficient security practices. Physical access to systems, as well as outdated or unsecured industrial control system protocols, may also present cyber risks that require additional security controls and mitigation strategies,” Saidi said. “Some of the potential impacts of a successful cyberattack include operational inefficiencies, stoppages, leaks of system data, mechanical damage, or even impacts to other connected subsystems.”


SETTING UP A DEFENSE: Cybersecurity starts before building automation systems are installed. Experts recommend that the BAS system be physically isolated, with access strictly limited only to authorized employees and service providers. (Courtesy of Trane)

Brian Meyers, system controls portfolio leader, Trane, said today’s increased connectivity, including everything from lighting to sensors, also means there are risks of infiltration through central building automation systems (BAS).

“While entry through a BAS or similar infrastructure is not a common occurrence, it remains a potential risk that should be considered, and robust security measures should be put in place to prevent such incidents from happening,” Meyers said. “Cybercriminals may target chillers or other components of the BAS as a pathway to access other connected systems within the building. If they are successful, they can infiltrate databases or systems and may potentially steal lucrative information.”

Because of these inherent risks, Kaitlin Logan, strategy manager for Digitalization & Service Enablement, Johnson Controls, said protecting chiller integrity and business continuity is an essential feature that should be available to all facilities — not a premium one only accessible for some.


TARGET ACQUIRED: Cybercriminals may target chillers or other components of the BAS as a pathway to access other connected systems within the building. If they are successful, they can infiltrate databases or systems and may potentially steal lucrative information. (Courtesy of Trane)

“Unfortunately, cyberattacks are on the rise, and hackers are changing their tactics. Some are expanding their range to target operational technology (OT), which includes connected building equipment like chillers, in addition to information technology,” Logan said. “This can make chillers vulnerable to cyberattack if proper precautions are not taken. If a threat actor gains access to chiller equipment, they can damage the chiller as well as other pieces of equipment within the broader HVAC system. This could bring the whole system offline, which could have severe consequences in a hospital or other mission-critical settings.”

 

An Ounce of Prevention

At Trane, Meyers said they frequently collaborate with building owners and IT departments to take action before chillers are even installed, and one of the biggest focuses again lands on BAS.

“We recommend that the BAS system be physically isolated, with access strictly limited only to authorized employees and service providers,” Meyers said. “It should also be independent of internal networks and only allow essential communications with other systems. Lastly, it should be shielded from the internet by using firewalls to block incoming internet access.”

Once installed, Meyers said they then move toward formalizing a process for operators and service providers to access the system securely. Building owners can use an internal network via a URL or an IP for on-site access, and if the system needs to be remotely accessed, a secured remote access portal is vital.

“Credentials are another major concern,” Meyers said. “Authorized employees and service providers should avoid sharing passwords and each should have their own credentials to track who and when they have logged into the system. Sharing passwords, or not deactivating accounts for people who leave the company or team, is still a common way for unauthorized users to access building systems.”

While news of cyberattacks on building and industrial infrastructure is rare, it’s not unprecedented. Saidi pointed to an incident from 2021, where hackers took advantage of SCADA vulnerabilities to gain access to the control systems of a Florida water treatment plant.

“However, the dearth of HVAC-specific examples doesn’t mean a dearth of analysis and learning opportunities,” Saidi said. “Since all systems are subject to security risk, there is knowledge to be gained every time a system is breached, from the most high-profile attack on down.

“Every security incident, even when it doesn’t specifically involve a chiller or control technology, helps security professionals and system designers evolve their methods,” Saidi continued. “Additionally, manufacturers that are proactive leverage these cases and the resulting knowledge to advance and continually improve their technologies through collaboration and information sharing.”

 

Looking Toward the Future

The threat of cybersecurity attacks isn’t going to diminish, and they are likely to get more sophisticated, meaning the industry has to continue to evolve.

“The future looks bright with what can be accomplished through connected technologies, including virtual monitoring with real-time notifications, predictive diagnostics, the infusion of AI, and machine learning insights from chiller data, leading to reduced downtime and more,” Logan said. “However, taking precautions and learning how to keep assets safe is key. It’s critical to work with a provider that makes system cybersecurity a top priority. When connected assets are well-protected, smart technology can open the door to innovation, greater efficiency, and much more.”

As chiller technology also continues to advance, Saidi predicts that every new layer of complexity, like IoT devices, machine learning, and AI, presents malicious actors with new methods and opportunities for attacks.

“The industry must maintain situational awareness and continue to improve its practices and activities relating to security,” Saidi said. “It’s critical to align to appropriate cybersecurity frameworks and standards and make strategic investments in security.

“Supply chain security is another concern,” Saidi added. “Ensure that vendors meet security requirements and standards, and leverage appropriate cybersecurity processes, controls, testing, and support. The industry should require that the products and systems they are selecting are secure by design and supported by security professionals at all phases of the lifecycle.”

Nation-states and other nefarious private sector actors will likely continue deploying ransomware, remote access trojans, phishing, business email compromise (BEC), insider threats, and distributed denial-of-service (DDoS) attacks, Randel said, and these actors are also likely to step up their games.

“The level of sophistication of attacks will grow, making them harder to detect and defend against, meaning that companies will need to remain vigilant,” Randel said. “Staying updated on the latest threats and technologies, establishing cybersecurity plans, updating and hardening information systems, backing up data, and training employees are some ways that companies can prepare to meet cyber threats.”

 

Other Best Practices

Randel said after covering step one, which is to get operators aware of the risks and vulnerabilities, the next step is to get other employees up to speed and arm them with any necessary tools to guard against an attack.

“The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has a large number of free resources available,” Randel said. “In addition, the National Institute of Standards and Technology (NIST) has developed the Cybersecurity Framework (CSF) 2.0, which provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks.”

Randel also laid out a list of eight other practices to have in place:

  • Establishing a plan for responding to cyber incidents
  • Training employees on cybersecurity risks, best practices, and policies
  • Having an inventory of all people, processes, and technology
  • Conducting periodic internal audits and cyber assessments
  • Backing up regularly, with critical data having offline, encrypted backups
  • Evaluating cybersecurity insurance options
  • Implementing strong identity and authentication management practices
  • Checking whether there are any regulatory compliance requirements chiller operators need to be aware of

 

Regulatory Wrap-Up

Aside from arming a chiller operation with proven best practices, owners and operators need to stay up-to-date with the latest regulations and familiarize themselves with other tools offered by third parties.

In March 2023, the Biden Administration released its National Cybersecurity Strategy, which addresses regulations related to cybersecurity.

“In an industrial refrigeration context, the Chemical Facilities Anti-Terrorism Standards (CFATS) program applies to facilities with more than 10,000 pounds of ammonia,” Randel said. “There is a cybersecurity compliance component to facilities that are designated as higher risk and are required to develop site security plans. However, authority for the CFATS program lapsed in 2023 and has yet to be reauthorized. As cybersecurity threats continue to increase, the government may look to develop additional regulations that could impact chiller operators.”

In addition, Randel said companies can also choose to follow other standards and certification programs.

“An example of an applicable standard for chillers is the International Electrotechnical Commission (IEC) 62443 standards for cybersecurity within industrial automation and control systems,” Randel said. “ISASecure Component Security Assurance (CSA) offers certification for cybersecurity in chiller automation. Other frameworks include NIST 800-53, IEC 62443, ISO 27001, SOC 2, and Purdue Enterprise Reference Architecture.”

Logan also noted manufacturers can seek third-party certifications, like ISASecure, which Johnson Controls utilizes on several of its York models.

“And all Johnson Controls global development locations comply with the ISASecure Security Development Lifecycle Assurance (SDLA) certification,” Logan said. “In fact, the YK and YZ were the first smart building products in the world to earn the ISASecure CSA certification. These certifications reinforce our commitment to provide cyber-resilient solutions that follow best-in-class industry practices.”

KEYWORDS: chiller maintenance chiller systems cybersecurity software for HVACR Technology and HVACR

Dylan Kurt is an editor with The ACHR News. He is an award-winning political journalist with a bachelor’s degree in Journalism from the University of Iowa. Growing up, Dylan spent a lot of time fetching tools and assisting his dad, who held professional licenses in HVAC, plumbing, electrical, and refrigeration, at his small plumbing and heating business.
