Cybersecurity of HVAC Systems in the Era of Connected Devices
CIOReview
CIOREVIEW >> Cyber Security >>

Cybersecurity of HVAC Systems in the Era of Connected Devices

Matthew T. Goss, PE, PMP, CEM, CEA, CDSM, LEED® AP(BD+C), MEP/Energy Practice Leader, CDM Smith
Matthew T. Goss, PE, PMP, CEM, CEA, CDSM, LEED® AP(BD+C), MEP/Energy Practice Leader, CDM Smith

Matthew T. Goss, PE, PMP, CEM, CEA, CDSM, LEED® AP(BD+C), MEP/Energy Practice Leader, CDM Smith

When I work on HVAC-related projects, I often predominantly focus on identifying solutions that best meet client needs and objectives. Over the last several years, much of this work has been driven by implementing energy efficiency, sustainability, or resiliency-related measures. Although it’s always considered, I rarely specifically focus on cybersecurity-related to HVAC systems; however, I have developed a new appreciation for the practice.

I recently served on the Technical Planning Team for the U.S. Department of Energy’s “Energy Exchange” virtual training event, where I supported a technical training track focused on cybersecurity by developing two technical discussions. One discussion described the importance of implementing cybersecurity for microgrids and distributed energy resources, and the other covered how cybersecurity can be applied to operational technology systems. Operational technology is the hardware and software that detects or causes a change through the direct monitoring and/ or control of industrial equipment, assets, processes, and events(Source: Gartner Inc. “Definition of Operational Technology (OT) - Gartner Information Technology Glossary.”Gartner, https://www.gartner. com/en/information-technology/glossary/ operational-technology-ot). HVAC control systems, building management systems, and systems serving similar functions are considered operational technology. Engineers, owners, and operators of these systems need to understand how technologies at their facilities are connected as equipment controls become more advanced to provide additional functionality, more devices become internet-enabled, and everything becomes more “connected” in general.

I’ve had the opportunity to interact with several thought-leaders in the cybersecurity industry, and there are several suggestions I’d like to pass along to engineers, designers, and owners/ operators of connected systems.

- Don’t connect external devices such as hard drives or USB flash drives to your systems.

- Immediately change default usernames/ passwords as soon as the equipment is put online.

- Do not share configuration files.

- Continually train all equipment users.

- Disconnect remote access.

- Don’t use these systems to search and access the internet.

In retrospect, all of these seem easily achievable, pragmatic, and commonsense. However, the challenge appears to be implementing and enforcing these guidelines. The question is no longer “if” we are hacked but “when.” Therefore, a plan must be in place as a proactive approach to security. I recommend conducting regular check-ins and reviews to ensure that all equipment users are following the rules.

Individuals need to recognize this is a continuous and ever-changing process – it’s not static. Additionally, owners and operators need to prepare for the worst-case – the “what if” scenario. Again, while it may appear to be commonsense, owners and operators should also plan for disaster recovery. They should be prepared with a backup in case of an emergency like data breaches, malware attacks, or data loss. This is especially important as information provided by peers and colleagues indicates that most facilities not only don’t have a disaster recovery plan but don’t even change their systems’ default access information.

As technology and connectivity advance, and as we use technology to make more informed decisions, we as designers and engineers need to broaden our knowledge and ensure we’re appropriately educating our clients, owners, and operators. It’s our job to give them the knowledge they need to appropriately and securely monitor their environment.

Read Also

Basic And Applied Research In Aerospace Sciences At The Office Of Naval Research

Basic And Applied Research In Aerospace Sciences At The Office Of...

Knox T. Millsaps, Ph.D., SES Director, Division of Aerospace Sciences Office of Naval Research
CRM: The New Center of the Marketing Universe

CRM: The New Center of the Marketing Universe

Ryan Malone, Founder and CEO of SmartBug Media™
Insurance Market is in Full Swing in Tune with the Digital Transformation

Insurance Market is in Full Swing in Tune with the Digital...

Adilson Lavrador, Executive Director of Operations, Technology and Claims, Tokio Marine Seguradora
A Pro-Active Risk Management Approach Guides Pg&E's Supplier Quality Assurance Team

A Pro-Active Risk Management Approach Guides Pg&E's Supplier Quality...

Jamie Martin, Vice President of Supply Chain and Chief Procurement Officer, Pacific Gas and Electric Company
The Future Of Oil And Gas Industry With Digital Solution

The Future Of Oil And Gas Industry With Digital Solution

Azfar Mahmood, Product Manager, Jeremy Angelle Vice President Digital Solutions at Frank’s International
Epc Oil And Gas Companies’ Role In Scaling Up In Energy Transition

Epc Oil And Gas Companies’ Role In Scaling Up In Energy Transition

Matthew Harwood, GVP Strategy and Sustainability, McDermott International