HVAC Contractors and Building Automation Security
If you’re in charge of facilities management, you’re certainly accustomed to thinking about the physical security of your workplace, as well as the physical comfort of employees and customers. But if you’re not an IT person, you probably never thought it was your job to worry about data security, much less to worry about how carefully you vet air conditioning companies.
That changed in late 2013, when Target reported a major data breach that began with network login credentials stolen from Target’s third-party HVACR vendor.
Large facilities, especially retailers, often hire air conditioning companies to remotely monitor energy usage and store temperatures. This monitoring lets businesses reduce energy costs and be alerted when store temperatures drift outside an acceptable range that might drive customers to seek a more comfortable shopping experience elsewhere. In Target’s case, the credentials issued for that remote access gave the attackers a foothold on the corporate network, and from there they moved to the point-of-sale systems that handled payment data.
Target learned a hard and expensive lesson about vetting air conditioning companies and about cyber security for building automation systems. The breach resulted in the theft of 40 million debit and credit card numbers, and estimates put the cost to the company upwards of 400 million dollars, including PCI non-compliance fines, reimbursement of financial institutions for the replacement of payment cards, and credit monitoring and legal fees for the millions of potentially affected consumers.
In the wake of the Target incident, facilities managers do need to be concerned about data security. When providing remote access to your building automation system, and even when allowing onsite access to your facility, you must be sure to use only reputable air conditioning companies that have the right procedures and staff to keep your data safe.
When you hire an outside service contractor to take care of your HVAC system, recognize that you’re giving that company and its employees a high level of access to your company’s physical property and its data. How do you know whether you can trust even a reputable air conditioning company, not only to service your heating and air conditioning equipment competently and professionally, but also to treat your facility and your sensitive information with the same care? You need to be sure that any contractor you hire is thoroughly screening employees, maintaining secure data systems and practices of their own, and promoting a culture of honesty and trustworthiness.
Related article: A Good Heating and Air Conditioning Company is Hard to Find.
Security considerations for HVAC contractor oversight
Of course you want to avoid what happened to Target. And we don’t need to tell you to check credentials and references for every vendor. But there are additional steps and vetting points that can help you breathe easier about your company’s security and about the competence and trustworthiness of the vendors who have access to your systems.
1. SECURITY PLAN: Does your organization have a security plan for your building automation system that specifies how it is protected and monitored, as well as rules for access? Your plan should specify whether and when air conditioning companies are allowed access to your building automation system for work such as equipment and control installation, programming, system updates, troubleshooting, maintenance or remote monitoring. Will you allow the vendor to access the system directly, or will your internal support staff make the system changes the HVAC work requires?
2. PHYSICAL ACCESS: When vetting air conditioning companies, consider what access the vendor actually needs to your company’s facility. It’s wise to restrict physical access to only the areas where workers need to be. Consider whether you should allow only escorted access to mechanical rooms and HVAC equipment locations.
3. DATA ACCESS: It’s absolutely essential that you take measures to make sure building automation systems are cordoned off from payment data and other sensitive information. In practice that means the building automation system lives on its own network segment, firewall rules do not permit traffic from that segment into the cardholder data environment, and a vendor’s remote connection terminates in the building automation segment and nowhere else. Don’t allow any vendor, even the most reputable air conditioning company, to access your network without taking this step! If you do allow vendors access to a properly segmented building automation system, your security plan must specify procedures for creating user accounts (one named account per technician, not a shared vendor login), granting only the privileges the work requires, terminating accounts when the contract or the technician’s employment ends, and monitoring account activity, such as logins from unexpected addresses or outside agreed maintenance windows.
Automated Building’s article: A Systems Approach to HVAC Security is a great resource for detailed advice about data security.
4. PEOPLE: To vet air conditioning companies, ask who will be working onsite at your facility. How does the company screen employees before hiring? Does the provider bring in independent contractors for some services, or will every worker be on the company’s own payroll?
5. SECURITY PRACTICES: Even some reputable air conditioning companies fail to understand the risk to sensitive corporate networks when they remotely access a customer’s building automation system, so they are not vigilant about implementing and following good security measures. For example, they might use the same password to access multiple customer systems, which means that a single compromised technician laptop or phished password exposes every customer at once. Ask about the policies and procedures that keep your data safe: whether credentials are unique per customer and per technician, how they are stored, whether remote access requires a second factor, and how the company monitors employees to be sure they are in compliance.
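The two technical controls in points 3 and 5 (keep the building automation segment away from payment data, and watch how vendor accounts are actually used) can be checked with a few lines of script. The following is an added example, not code from the original article or from any vendor; the subnets, the vendor register, the firewall rule list and the VPN log lines are all constructed for illustration, and the log format is an assumption rather than any particular product’s output. It flags firewall rules that would let a foothold on the building automation network reach the cardholder data environment, and vendor logins that fall outside the register (unknown account, expired contract, unapproved source address, or outside the agreed maintenance window).

```python
import re
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# --- Assumed network layout (constructed for this example) -----------------
BAS_NET = ip_network("10.50.0.0/24")   # building automation system segment
CDE_NET = ip_network("10.10.0.0/24")   # cardholder data environment (payment systems)

# Constructed firewall rule list: (action, source, destination, port).
# Rules are evaluated first-match in most firewalls; this checker simply
# reports every "allow" that would carry BAS traffic into the CDE.
RULES = [
    ("allow", "203.0.113.0/24", "10.50.0.0/24", 443),    # vendor VPN -> BAS only
    ("allow", "10.50.0.0/24",   "10.60.0.0/24", 502),    # BAS -> field controllers
    ("allow", "10.50.0.0/24",   "10.10.0.0/24", 445),    # the hole we want to catch
    ("deny",  "0.0.0.0/0",      "0.0.0.0/0",    "any"),
]


def segmentation_violations(rules):
    """Return every allow rule whose source overlaps the BAS segment and whose
    destination overlaps the CDE. An 'allow any any' rule is flagged too."""
    bad = []
    for action, src, dst, port in rules:
        if action != "allow":
            continue
        if ip_network(src).overlaps(BAS_NET) and ip_network(dst).overlaps(CDE_NET):
            bad.append((action, src, dst, port))
    return bad


# --- Vendor account register (constructed) --------------------------------
@dataclass
class VendorAccount:
    user: str
    allowed_from: str          # network the vendor may connect from
    expires: datetime          # contract / account end date
    window: tuple              # (start, end) local-time maintenance window


ACCOUNTS = {
    "hvac-vendor1": VendorAccount("hvac-vendor1", "203.0.113.0/24",
                                  datetime(2014, 12, 31), (time(7, 0), time(19, 0))),
    "hvac-vendor2": VendorAccount("hvac-vendor2", "198.51.100.0/24",
                                  datetime(2014, 3, 31), (time(7, 0), time(19, 0))),
}

# Constructed VPN log lines in an assumed format.
SAMPLE_LOG = [
    "2014-06-02T14:12:05 vpn login user=hvac-vendor1 src=203.0.113.7 result=success",
    "2014-06-02T02:40:11 vpn login user=hvac-vendor1 src=203.0.113.7 result=success",
    "2014-06-03T10:05:40 vpn login user=hvac-vendor2 src=198.51.100.4 result=success",
    "2014-06-03T11:22:01 vpn login user=hvac-vendor1 src=192.0.2.9 result=success",
    "2014-06-03T12:00:00 vpn login user=contractor-temp src=203.0.113.7 result=success",
    "2014-06-03T12:30:00 vpn login user=hvac-vendor2 src=198.51.100.4 result=failure",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def audit_vendor_logins(lines, accounts):
    """Compare successful VPN logins against the vendor register and return
    (user, reason) findings. Failed logins and unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "success":
            continue
        ts = datetime.fromisoformat(m["ts"])
        acct = accounts.get(m["user"])
        if acct is None:
            findings.append((m["user"], "login by account not in vendor register"))
            continue
        if ts > acct.expires:
            findings.append((m["user"], "login after account expiry"))
        if ip_address(m["src"]) not in ip_network(acct.allowed_from):
            findings.append((m["user"], "login from unapproved source address"))
        start, end = acct.window
        if not (start <= ts.time() <= end):
            findings.append((m["user"], "login outside approved maintenance window"))
    return findings


if __name__ == "__main__":
    for rule in segmentation_violations(RULES):
        print("SEGMENTATION VIOLATION:", rule)
    for user, reason in audit_vendor_logins(SAMPLE_LOG, ACCOUNTS):
        print(f"ACCESS FINDING: {user}: {reason}")
```

Run as-is it reports the single BAS-to-CDE allow rule on port 445 and four login findings: one after-hours login, one login on an expired account, one from an address outside the vendor’s approved range, and one by an account that was never registered. The firewall check deliberately ignores rule ordering, so it may over-report on rulesets where an earlier deny shadows a later allow; an over-broad allow rule is still worth a question, which is the point of the exercise.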
If just the thought of a data breach or other security emergency is enough to keep you up at night, use these vetting tips to find a reputable air conditioning company. In addition, we recommend reviewing all of your current practices and service vendors. After doing so, you might find that it’s time to make a change in the interest of staying safe. If you find yourself reluctant to go through the hassle of switching to a new HVAC service provider, take a look at our helpful guide to Contract Confidence: Transitioning to a New HVAC Service Provider.