Hacking Building Controls: The Target breach – 5 years later

Article Cybersecurity
Building Controls Breach


Does your organization have a security plan for your HVAC (Heating, Ventilation, and Cooling) system(s)? What about your temperature control system? Are those systems included as part of your annual security assessment?

For those within your organization in charge of facilities or security, the need to spend time worrying about the security of HVAC systems has been minimal due to the way they are typically installed. However, HVAC and other environmental support systems are now being connected into corporate networks to automate building controls. Organizations using Internet-connected systems without proper security controls in place can provide hackers an opportunity to gain access to other critical organizational systems and networks.

Organizations may focus their attention on securing payment card systems and other critical applications, and accidentally overlook other, less obvious, applications that may be connected via the network. Cyber criminals are continuing to adopt more innovative methods to hack organizations and avoid being detected while doing so. Rather than launching an attack against infrastructure they know is protected and routinely monitored, criminals may look for an alternate route in. If they can find a point of entry that has potentially been neglected, they may be able to use the data found there to access other systems. In the initial stages of what has been termed a “pivot attack”, hackers will search organizational systems (or other third-party applications) to find a gap in security. Once they have control of a connected device or application, they then use the information found on those systems to “pivot” or move to systems hosting more critical data.

Networked systems of every kind are vulnerable and at risk for attack. A networked HVAC system at Target was the entry point for the massive data breach in 2014. Hackers were able to successfully gain access to the corporation’s financial data systems by stealing the login credentials of the third-party contractor. Once they had access to the credentials, they were able to exploit weaknesses in Target’s internal network security, access a customer service database, and install malware that captured payment card numbers and other sensitive personal information. The third-party HVAC vendor was given access to the network in order to monitor energy consumption and temperatures at various stores, not access payment card or customer information. Target failed to properly segment their systems that handled payment card data from the rest of the network. This mistake cost the retailer over $200 million in investigation costs, fines, legal fees, customer notifications, credit monitoring, etc.

Large organizations will often hire third-party companies to remotely monitor various components of their infrastructure – whether it is an HVAC vendor monitoring location temperatures and energy usage to help reduce energy costs or a security vendor keeping watch over the multitudes of security cameras. Providing this remote access to your organization can increase your overall risk, just as we saw with Target, therefore it is important to ask your vendors about their security practices. As mentioned above, information security may not be their regular focus, so they may fail to understand the potential security risk they bring when remotely accessing your environment. You should ask about their security policies and procedures, and find out important details, like if they are using the same password to access all of their customer systems.

If it can happen to Target, this type of attack can happen anywhere. In 2013, Google’s Australia Office was hacked by a team of researchers through their industrial control systems.

And just this month, a major security breach in temperature control systems was found in hospital and supermarket refrigeration systems. Systems manufactured by Resource Data Management were exposed to remote attacks because they were using known usernames and default passwords and failed in implementing other security measures. An unauthorized attacker could change user and alarm settings and could activate the defrost function remotely. For hospitals, this should be a major concern as their systems are used to store blood and drugs.

Below is a quick checklist to review as you assess the security of connected, yet unrelated, systems that may be at risk:

1) Access Control
Review all accounts for which you have provisioned access. Verify if the accounts of former employees or contract employees are still active, or if employees have changed roles and no longer need access. Access control policies should state whether third-parties can access your systems directly to provide any programming, system updates, troubleshooting, maintenance, or remote monitoring, or if internal support staff will be responsible for installing any system updates. Ensure that you are enforcing policies for creating user accounts, granting privileges, and terminating accounts. And make sure you have changed all default accounts and passwords!

You may also want to verify how your vendor screens potential employees before hiring and ask if they ever bring in independent contractors so you know who will be accessing your systems.

2) Remote Access
Control and monitor remote access from third-party vendors for the duration of their time connected to your environment. Require that they use multi-factor authentication when remotely accessing your systems.

3) Monitor Access
Logging, file integrity monitoring, and behavior analytics can play a huge role in detecting unauthorized users on your systems. By reviewing logs and looking for abnormalities, you can detect potential attacks before any significant damage is done. For example, why would a user from Human Resources be trying to remotely access your HVAC system at 4:00am? This may be a hacker using the HR employee’s stolen login credentials to penetrate other systems.

4) Physical Access
Even when allowing onsite access to your facility, it is important that third-party service providers have signed off on your policies and procedures, and understand (and have acknowledged) their responsibilities for keeping your data safe. Restrict physical access to only the areas where they need to be and consider requiring escorted access to locations housing sensitive data. Consider installing cameras and/or door alarms in order to prevent unauthorized access.

5) System Inventory
Keep an up to date inventory of all systems.

6) Network Diagrams
It is important to maintain up to date network diagrams that will help you identify any potential weaknesses and illustrate how other less-critical systems and applications may be providing a path to your data. Each time a new connection is made or the firewall configuration is changed, follow a formal change management process to prevent security problems created by an accidental misconfiguration.

7) Segmentation
Effectively segment/separate sensitive systems from the general network. It’s absolutely essential that you take measures to make sure general use systems are segmented away from payment card data and other sensitive information.

8) Penetration Testing
Perform periodic penetration testing to confirm segmentation controls are effective, identify any potential gaps or weaknesses, and patch any discovered gaps before attackers can find them.

Oakland University recently worked with CampusGuard to assess their HVAC environment, and included the environment in their annual network penetration test as well. “We felt it was important to validate that the necessary security controls for segmenting the HVAC system from Oakland’s network and for closely monitoring third-party access were in place in order to prevent system compromise. Information security is a never-ending job, and just when you aren’t looking, a criminal will find a new way into your systems,” shared Dennis Bolton, Information Security Officer at Oakland University.

If you are not including your vendor-managed systems in your annual security assessment, you may want to make this a priority this year.

Some additional guidance from the CampusGuard Security Advisor team and Offensive Security Team:

[Burt]: Yet another attack vector. HVAC (Heating, Ventilation, and Cooling) system hacks are becoming more popular. Although if anyone is familiar with the fourth installment of the Die Hard series, “Live Free or Die Hard,” then we know that the concept is not necessarily new. More than likely in the Higher Education industry this method of attack would be used to access other networks containing sensitive data (e.g. HIPAA, GLBA, PCI, etc.), as opposed to shutting down critical resources. But, one never really knows this as cyber criminals appear to have plenty of time and ideas at hand.

Realistically, much of the concern can be alleviated by just ensuring some of the more basic security practices are in place. Although not an all-inclusive list, some of these basics include,

  1. making sure the HVAC system networks are physically and/or logically separate from University/College networks where sensitive data resides (i.e. network segmentation),
  2. ensure all systems being used are updated with the most recent security patches, etc.,
  3. confirm that all users of systems have their own unique username with preferably some type of password complexity rule,
  4. keep tight control of remote access by requiring VPN with some sort of multifactor authentication and most ideally these accounts would not be “active” indefinitely (e.g.
    only enabled when needed/used) and
  5. monitoring is always crucial. There should be methods of log aggregation, correlation, and alerting that can assist organizations in ensuring no “rogue”
    access is taking place.

If HVAC or other environmental systems are not currently on your institutions radar for risk analysis, it may be time to considering spending some time and effort in this aspect of protecting information security. Please feel free to contact your customer relationship manager and security advisor if any questions arise or assistance is needed.

[Roell]: These devices are no longer “thermostats” or “sensors”, they are fully featured computing devices and need to be treated as such. Every additional feature provided is analyzed by white and black hat security researchers. We need to ensure that we are not doing an attacker’s work for them and installing what can essentially become a privileged botnet on our own network. IoT and embedded devices often required increased vigilance due to the use of specialized programs and firmware that may not be rigorously updated and scrutinized from a security standpoint. A skilled attacker will analyze the ENTIRE network, ensure you do the same.


About the Author
Katie Johnson

Katie Johnson


Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.