Cyber Security Propels the Future of HVAC

The HVAC (Heating, Ventilation, Air Conditioning) industry — together with kitchen appliances — is an industry that is rapidly changing and developing. Like other industries, HVAC is no stranger to today’s cyber security challenges. The risks are multifaceted, from unsecured IoT (Internet of Things) devices in homes to potential threats to HVAC companies' production sites.

Bart Scholten, Commercial Manager Cyber Security at Kiwa Apeldoorn, tells us about the importance of cyber security when it comes to HVAC: “The HVAC industry can indeed be vulnerable to cyber threats; I think it is important to distinguish between three different levels of this threat,” states Bart.

“Firstly, HVAC products themselves (for example, unsecured heat pumps, thermostats, central heating systems, etc.) can be vulnerable; secondly, the installation of HVAC products in buildings (insecure installation and configuration of HVAC products may lead to vulnerable systems); and thirdly, HVAC companies selling these products can be prone to ransomware and supply chain attacks, on production sites, for example.”

“This translates to three levels where an attack can occur,” furthers Bart. “An attack can happen at a consumer level — thieves can use unsecured devices to see whether someone is home and then break in, for example. An attack can also happen at a business level — HVAC products can be the access point for hackers to enter a building network and capture important company data. Moreover, an attack can occur at the manufacturing level, thereby stopping production, and ransomware may be involved. So, ensuring all levels are as secure as possible is fundamental.”

Real-Life Lessons in the HVAC Industry

At Kiwa, Bart specifically focuses on cyber security, guiding his team in testing and certification, emphasizing compliance, legislation, and risk. His primary role involves connecting organizations with Kiwa and introducing Kiwa’s cyber security services to them.

“Kiwa’s ethical hackers identify system vulnerabilities, aiming to exploit weaknesses. We often conduct demos to simulate cyber security attacks, emphasizing the most common vulnerabilities,” informs Bart. “Doing this preemptively is so fundamental in today’s hacker-prone world. Look at the infamous casino incident whereby hackers exploited a thermometer of a high-tech fish tank with internet connectivity. Darktrace, a British cyber security company, detected the unusual activity. They noticed suspicious data being sent to a remote server in Finland using protocols for streaming audio or video. This incident underscores the vulnerabilities in connected devices and the evolving nature of cyber threats. The risk of such an incident happening can be mitigated.”

Another recent example is when an HVAC vendor, ENE Systems, based in Canton, MA, was hacked, and the company was requested to pay a ransom. In communication with Dissent of DataBreaches.net, the hacker claimed to have access to the systems of ENE Systems and subsequently gained entry to its clients' networks, including Boston Children’s Hospital. According to databreaches.net, the ransom was not paid despite attempts to extort money from ENE Systems. The hacker asserted ongoing access to the company's network and that of its clients, emphasizing no intention to harm the hospital.

The Path to HVAC Security — Measures, Regulations, and Directives

“Since there are so many possibilities for weaknesses in these systems, you might ask yourself, where do you begin?” continues Bart. “A good starting point can be looking into (potential) regulations and directives that apply to your products and services.”

“At Kiwa, we actively align with evolving cyber security directives and legislation – for example, the RED, NIS II, CRA, and GDPR — to enhance your cyber resilience and meet baseline security standards. For example, the RED mandates cyber security requirements for products with wireless communication technology.

Many HVAC products now include wireless communication technology, which are essential for selling HVAC products in the EU (from August 1, 2025). The UK will adopt similar requirements by April 2024. Compliance with these regulations establishes a solid foundation for manufacturers to boost cyber resilience as a company and set a basis from where manufacturers can enhance product cyber security, marking the initial step toward a more secure HVAC system,” stresses Bart.

“And in terms of measures or initiatives that can be employed to ensure the digital resilience and security of the sector, it comes down to taking measures and building multiple defensive walls,” states Bart. “Measures can be taken on different levels: organizational, technical, and operational levels (also referred to as people, process, and technology). More specifically, the organizational level includes the security training of personnel; the operational level refers to implementing processes on how to install HVAC systems into building automation securely, and lastly, the technology level refers to the implementation of, for example, strong passwords or multifactor authentication as well as the use of encryption.”

Kiwa’s Comprehensive Approach to Cyber Security and Compliance

Kiwa brings a one-stop-shop service for testing and certification by combining cyber security, extensive HVAC industry expertise, and compliance services. This ensures global compliance, covering energy efficiency, safety, performance, and IoT integration. Additionally, Kiwa's labs support on-demand testing and ethical hacking.

Furthermore, security training for personnel is considered crucial, leading to the provision of guidance services and custom workshops designed for manufacturers in the HVAC industry. What is more, is that an e-learning program is currently in development and is expected to be launched in the first half of 2024.

“Looking ahead, trends in technology, digitalization, and the further integration of wireless communication technology and smart features will shape the future of HVAC products,” adds Bart. “With increasing legislation in the cyber security domain, companies must prioritize the security of their products. Our role at Kiwa is to guide them through this process, ensuring compliance and enhancing the cyber security of their offerings.”

“At Kiwa, we believe the energy transition and digitalization will continue and fuel these developments. The smart grid and efficient energy use will become more important, and the Internet of Things network will keep expanding. This will lead to more and more cyber security challenges and risks. The fact is that a 100% cyber-secure product, environment, or organization does not exist. Technology is evolving rapidly, introducing new vulnerabilities, and humans will always make mistakes. It is, however, up to us to make it as difficult as possible for malicious attackers and protect consumers and companies against cyber incidents. It all comes down to achieving an acceptable risk level for you and your customers.”