We spent last Thanksgiving in the Philadelphia area with my wife’s family, as we typically do every year. Though it’s not our usual habit, on Black Friday we ventured out to the local Target Store to do some shopping. As I recall, our purpose was to stock up on snacks for our toddler for the trip back to Vermont--it definitely was not to do holiday shopping on the most notoriously crazy shopping day of the year! While the trip to Target was fairly mundane, unbeknownst to us, as we swiped our bank debit cards to pay at checkout, our card information became unsecure in a complex data breach orchestrated from half a world away, reportedly in Eastern Europe and Russia.
By the end of the year, our bank card and other personal information would be listed for sale on black market websites along with the information of up to 70 million other unsuspecting shoppers. As far as we can tell, none of our banking information was exploited, and we now have new debit cards. While the incident was a minor inconvenience to us, it represents a huge problem for Target Corp, and its shareholders--and this general type of problem represents an increasing threat to businesses of all kinds.
The HVAC link
So, you may wonder, what does this event have to do with buildings, energy and other topics covered by our blog? Simple. How did these attackers scale the digital walls of a large multinational corporation such as Target? Well, they attacked a Target vendor and large mechanical HVAC contractor, then used their access to breach Targets corporate firewall.
According to reporting by Brian Krebs, a respected security blogger at krebsonsecurity.com, the HVAC contractor was attacked, likely at random, by an email phishing attack that unleashes keystroke-logging software on network computers. The contractor did have minimal malware protection installed on their computers, but it was the free version of a popular program that only scans computers when the user runs the program. If, like most users, the contractor never ran the program, an undetected virus invaded their system.
The ripple effect
Attackers eventually found username and password credentials on the HVAC firm’s PCs that allowed them to log into a Target Corp billing, payment, and project management server system. Via this access, they eventually worked their way into the company’s Point-of-Sale (POS) terminals (the machines at check out) and installed the programs that ultimately vacuumed up millions of holiday shopper credit card numbers.
When I first heard the exploit was via an HVAC contractor, I somewhat excitedly believed that this was the smoking gun of improper HVAC Server remote access configuration which I have written about in a past blog. While this was not the case--and the breech was related to vendor management systems--it still provides a useful reminder about network security. Whether your systems connected to the internet are HVAC servers, simple office file sharing machines, or enterprise class datacenters--paying attention to IT security best practices is increasingly important.
An overlooked vulnerability
HVAC servers, because they are often not on the “radar” of IT staff at facilities, are often overlooked in terms of routine maintenance, virus protection updates and updates to software to patch known vulnerabilities. Further, HVAC server platforms often require old versions of highly vulnerable Java software, and even worse, often are connected to the internet with open firewall network ports to allow easy access by HVAC contractors. For some specific steps your organization can take to improve security of HVAC Servers, you can refer to IT industry best-practices or start by looking at some basic pointers in my prior blog post.
HVAC and Windows XP
One final note of caution regarding HVAC server security: many, many HVAC servers are older, and may operate legacy versions of Microsoft Windows, such as Windows XP. Even if you have the most competent IT professionals making sure your Windows XP HVAC server is up-to-date, Microsoft is discontinuing all support and updates for XP starting on April 6th, 2014. For even fully patched machines, they will immediately become more vulnerable to remote exploits, which hackers are purportedly stockpiling in anticipation for the end of support of XP. If you’re a facilities owner with one of these machines, now may be the time to contact you HVAC vendor for an upgrade….or perhaps just remove the ethernet cable from the network!
Krebs on Security
Prior Blog Post