Why facilities staff should worry about HVAC security
If you’re in charge of facilities, you’re used to thinking about the physical security of your workplace. But unless you work in IT, you probably never considered the security of your company’s data to be your job. It is, if you’re using an automated building management system that interacts with your HVAC system, or if a vendor remotely monitors your comfort conditions: that remote connection is a path into your network, and HVAC security becomes your concern.
Why? In late 2013, Target suffered a major data security breach that began after network login credentials were stolen from Target’s third-party HVACR vendor.
Lax HVAC security opens up big financial risks
Large facilities, especially retailers, often hire HVAC companies to remotely monitor store temperatures and energy usage. This monitoring practice helps reduce energy costs. It’s also a way to find out if store temperatures fluctuate outside an acceptable range that might drive customers to a more comfortable shopping experience elsewhere.
In the Target incident, the attackers used the vendor’s stolen credentials on that remote-access connection, then moved from the vendor-facing part of the network to the company’s payment systems.
Target learned a hard and expensive lesson about HVAC security and security for building automation systems. The breach affected millions of customers: 40 million debit and credit card numbers were stolen. It cost the company upwards of 400 million dollars. Costs included PCI non-compliance fines, reimbursement of financial institutions for replacing payment cards, and credit monitoring and legal fees for customers.
Tightening HVAC security means properly vetting your service provider
In the wake of the Target incident, facilities managers do need to be concerned about HVAC security. It must be top-of-mind when granting remote access to your building automation system, and even when allowing onsite access to your facility. Use only service providers that have the procedures and staff to keep your data safe.
When you hire an outside service contractor to take care of your HVAC system, recognize that you’re giving that company and its employees access to your company’s physical property and its data.
How do you know whether you can trust them, not only to service your heating and air conditioning equipment competently and professionally, but also to treat your facility and your sensitive information with the same care? Any contractor you hire must:
- thoroughly screen employees
- maintain secure data systems and practices
- promote a culture of honesty and trustworthiness
Find out about new technology top HVAC service providers use that takes trust out of the equation. Instead, you get PROOF. Find out more: The Evidence-Based Approach to Choosing an HVAC Company.
HVAC security considerations for contractor oversight
Of course you want to avoid what happened to Target. And we don’t need to tell you to check credentials and references for every vendor. But there are additional steps that can help you breathe easier about your company’s HVAC security and the competence and trustworthiness of your vendors.
1. Develop an HVAC security plan
Does your organization have a security plan for your building automation system? Does it include monitoring procedures and rules for access?
Your plan should specify whether and when air conditioning companies can have access to your building automation system for performing HVAC installation, programming, system updates, troubleshooting, maintenance or remote monitoring.
Will you allow the vendor to access the system directly? Or will you have internal support staff make system updates for HVAC work?
2. Limit physical access
In your HVAC security plan, consider the access an HVAC vendor should have to your facility. It’s wise to restrict physical access to only the areas where workers need to be. Consider whether you should allow only escorted access to mechanical rooms and HVAC equipment locations.
It’s also smart to limit physical access to the equipment itself with physical barriers such as HVAC security cages, so that an unescorted visitor cannot reach controllers, network ports or wiring.
3. Properly secure access to data
It’s absolutely essential that building automation systems are segmented from the networks that carry payment data and other sensitive information, so that a compromised vendor account on the building system cannot reach them. Don’t allow any vendor to access your network without taking this step, and verify it rather than assuming it: what matters is whether the payment systems are reachable from the building system by any path, not just whether a single rule permits it directly.
According to Automated Building, if you do allow vendors access to a properly-secured building automation system, your HVAC security plan must specify procedures for creating user accounts, granting privileges (no more than the task requires), terminating accounts when the engagement or the technician’s employment ends, and monitoring account activity.
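As an added example (not code from this article or from any vendor it mentions), the Python script below audits both controls offline. It walks a constructed set of firewall zone-to-zone allow rules to find out whether the payment zone is reachable at all from the vendor VPN or the building automation system (BAS), and it reviews a constructed BAS account list and login log for accounts still enabled after the contract ended, vendor accounts holding admin rights, and successful logins outside the expected hours, from unknown addresses, or right after a run of failures. The zone names, account names, vendor address range and work window are assumptions; the rules, accounts and log lines are constructed sample data.

```python
"""Offline audit of the two controls this section describes: (1) the
building automation system (BAS) must have no network path to the zone that
holds payment data, and (2) vendor accounts on the BAS must be tied to a
contract end date, hold only the privileges the job needs, and have their
logins monitored.  Added example, not code from the original article or any
vendor; every rule, account and log line below is constructed sample data."""

from collections import deque
from datetime import date, datetime

# ---- 1. Segmentation check --------------------------------------------------
# Constructed zone-to-zone allow rules (zone names are assumptions; a real
# audit would export them from the firewall).  Each tuple permits traffic
# from the first zone to the second.
ALLOW_RULES = [
    ("vendor_vpn", "bas"),   # the HVAC vendor may reach the BAS front end
    ("bas", "corp"),         # the BAS reports energy data to corporate servers
    ("corp", "payment"),     # the mistake: corporate can reach payment systems
    ("corp", "internet"),
]
# The same policy with the corp->payment rule removed.
HARDENED_RULES = [r for r in ALLOW_RULES if r != ("corp", "payment")]


def reachable_zones(rules, start):
    """Zones reachable from `start` by following allow rules transitively.
    Anyone who compromises `start` can pivot to every zone in this set."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def segmentation_violations(rules, untrusted=("vendor_vpn", "bas"),
                            protected="payment"):
    """Untrusted zones from which the protected zone can be reached at all."""
    return [z for z in untrusted if protected in reachable_zones(rules, z)]


# ---- 2. Vendor account lifecycle and login monitoring -----------------------
# Constructed BAS account inventory.  `contract_end` is the last day the
# vendor is engaged; an enabled account past that date is a finding.
ACCOUNTS = {
    "hvac-svc":   {"role": "operator", "enabled": True,  "contract_end": "2024-01-31"},
    "hvac-tech1": {"role": "viewer",   "enabled": True,  "contract_end": "2025-12-31"},
    "hvac-old":   {"role": "admin",    "enabled": False, "contract_end": "2023-06-30"},
}
# Constructed BAS login log, one event per line: "timestamp user source_ip result".
LOG_LINES = """\
2024-03-04T02:14:00 hvac-svc 203.0.113.7 success
2024-03-04T10:05:00 hvac-tech1 198.51.100.20 success
2024-03-04T10:07:00 hvac-tech1 198.51.100.20 success
2024-03-05T23:40:00 hvac-tech1 203.0.113.9 failure
2024-03-05T23:41:00 hvac-tech1 203.0.113.9 failure
2024-03-05T23:42:00 hvac-tech1 203.0.113.9 success
"""
VENDOR_NETS = ("198.51.100.",)  # assumed: the vendor's known source addresses
WORK_WINDOW = (7, 19)           # assumed: vendor logins expected 07:00-19:00


def account_findings(accounts, today_iso):
    """Enabled accounts past their contract end, or holding an admin role."""
    today = date.fromisoformat(today_iso)
    findings = []
    for name, acct in accounts.items():
        if not acct["enabled"]:
            continue
        if date.fromisoformat(acct["contract_end"]) < today:
            findings.append((name, "enabled past contract end"))
        if acct["role"] == "admin":
            findings.append((name, "vendor account holds admin role"))
    return findings


def login_findings(log_text, window=WORK_WINDOW, vendor_nets=VENDOR_NETS):
    """Flag successful logins outside the window, from unknown sources, or
    immediately after repeated failures (a sign of guessed credentials)."""
    findings, failures = [], {}
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        if result == "failure":
            failures[user] = failures.get(user, 0) + 1
            continue
        hour = datetime.fromisoformat(ts).hour
        if not window[0] <= hour < window[1]:
            findings.append((user, ts, "login outside work window"))
        if not ip.startswith(vendor_nets):
            findings.append((user, ts, "login from unexpected source " + ip))
        if failures.get(user, 0) >= 2:
            findings.append((user, ts, "success after repeated failures"))
        failures[user] = 0  # a success resets the failure streak
    return findings


if __name__ == "__main__":
    print("segmentation violations:", segmentation_violations(ALLOW_RULES))
    print("after hardening:", segmentation_violations(HARDENED_RULES))
    print("account findings:", account_findings(ACCOUNTS, "2024-03-06"))
    for finding in login_findings(LOG_LINES):
        print("login finding:", finding)
```

Run it against exports from your own firewall and building system rather than the sample data. The reachability walk is the important part: a chain like vendor VPN to BAS to corporate to payment is a violation even though no single rule says "vendor to payment", and that chain is exactly how a foothold on the HVAC side becomes a payment breach. Removing the one corporate-to-payment rule in the sample clears both violations.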
4. Screen people
To ensure HVAC security, ask about who will be working on-site at your facility. How does your HVAC company screen employees before hiring? Does the provider bring in independent contractors for some services, or will every worker be on the company’s own payroll?
5. Ask vendors about HVAC security practices
Some HVAC companies still fail to understand the risk that remote access to a customer’s building automation system poses to that customer’s corporate network, and so they are not vigilant about implementing and following good security measures.
For example, they might use the same password to access multiple customer systems, so that a single stolen credential opens every customer’s building system at once.
Ask about the security policies and procedures that keep your data safe: whether each customer gets unique credentials, how remote-access accounts are created and revoked when a technician leaves, and how the company monitors its employees to be sure they comply.
If just the thought of a data breach or other security emergency is enough to keep you up at night, use these vetting tips to make sure your HVAC security is tight and reliable. In addition, we recommend reviewing all of your current practices and service vendors. After doing so, you might find that it’s time to make a change in the interest of staying safe.