Attacked by HVAC! The Verdict: Insufficient Paranoia

by Charles Leaver

June 1, 2017


Cybersecurity hackers are cleverer than most people can imagine. Even the most paranoid “normal” person wouldn’t worry about a source of data breaches being stolen credentials from its heating, ventilation and air conditioning (HVAC) contractor. Yet that’s what happened at Target in November 2013. Hackers broke into Target’s network using credentials given to the contractor, presumably so they could monitor the heating, ventilation and air conditioning system. (For a good analysis, see Krebs on Security). And then hackers were able to leverage the breach to inject malware into point-of-sale (POS) systems, and then offload payment card information.

A number of ludicrous mistakes were made here. Why was the HVAC contractor given access to the business network? Why wasn’t the HVAC system on a separate, completely isolated network? Why wasn’t the POS system on a separate network? Et cetera, et cetera.
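The segmentation question above is also one a defender can check continuously. As an added example (not code from the original post, and not tied to any real network), the Python below reads constructed connection-log lines, maps destinations onto a hypothetical segment layout, and flags any account, such as a vendor login, that reaches a segment outside its allow-list.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample log lines (hypothetical; not from the original post):
# a contractor account that should only ever reach the HVAC management segment.
SAMPLE_LOG = """\
2013-11-15T02:14:07Z user=hvac-vendor src=203.0.113.10 dst=10.20.5.14 dport=443 action=allow
2013-11-15T02:16:31Z user=hvac-vendor src=203.0.113.10 dst=10.20.5.15 dport=443 action=allow
2013-11-15T03:02:44Z user=hvac-vendor src=10.20.5.14 dst=10.50.1.22 dport=445 action=allow
2013-11-15T03:05:09Z user=hvac-vendor src=10.20.5.14 dst=10.50.1.23 dport=3389 action=allow
2013-11-15T03:07:12Z user=jdoe src=10.10.8.40 dst=10.10.8.41 dport=445 action=allow
"""

# Assumed segment layout (hypothetical): HVAC controllers, POS registers, corporate users.
SEGMENTS = {
    "hvac": ipaddress.ip_network("10.20.5.0/24"),
    "pos": ipaddress.ip_network("10.50.0.0/16"),
    "corp": ipaddress.ip_network("10.10.0.0/16"),
}

# Allow-list: the only segments each account is permitted to reach.
POLICY: Dict[str, Set[str]] = {
    "hvac-vendor": {"hvac"},
    "jdoe": {"corp"},
}

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def segment_of(ip: str) -> str:
    """Name the segment an address belongs to, or 'external' if none match."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def find_violations(log: str) -> List[dict]:
    """Return events where an account reached a segment outside its allow-list."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        user, dst = m["user"], m["dst"]
        dst_seg = segment_of(dst)
        allowed = POLICY.get(user, set())  # unknown accounts get no allowances
        if dst_seg not in allowed:
            findings.append({"ts": m["ts"], "user": user, "src": m["src"],
                             "dst": dst, "segment": dst_seg, "dport": int(m["dport"])})
    return findings
```

On the sample above, the two contractor connections into the POS range are the only findings; the corporate user's own-segment traffic is not reported.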

The point here is that in a very complex network, there are uncounted potential vulnerabilities that could be exploited through carelessness, unpatched software, default passwords, social engineering, spear phishing, or insider actions. You get the point.

Whose job is it to find and fix those vulnerabilities? The security team. The CISO’s office. Security professionals aren’t “normal” people. They are paid to be paranoid. Make no mistake, no matter the specific technical vulnerability that was exploited, this was a CISO failure to anticipate the worst and prepare accordingly.

I can’t speak to the Target HVAC breach specifically, but there is one overwhelming reason why breaches like this occur: A lack of budgetary priority for cybersecurity. I’m not sure how often companies fail to fund security simply because they’re cheap and would rather do a share buy-back. Or maybe the CISO is too timid to ask for what’s required, or has been told that she gets a 5% increase, no matter the need. Maybe the CEO is concerned that disclosures of large allocations for security will spook shareholders. Maybe the CEO is simply naïve enough to believe that the business won’t be targeted by hackers. Bad news: Every business is targeted by hackers.

There are huge competitions over budgets. The IT department wants to fund upgrades and enhancements, and attack the backlog of demand for new and improved applications. On the other side, you have line-of-business managers who see IT projects as directly helping the bottom line. They are optimists, and have lots of CEO attention.

By contrast, the security department too often has to fight for crumbs. They are seen as a cost center. Security reduces business risk in a way that matters to the CFO, the CRO (chief risk officer, if there is one), the general counsel, and other pessimists who care about compliance and reputation. These green-eyeshade people think about the worst-case scenarios. That doesn’t make friends, and budget dollars are allocated grudgingly at too many organizations (until the company gets burned).

Call it naivety, call it entrenched hostility, but it’s a real challenge. You can’t have IT given great tools to drive the business forward, while security is starved and making do with second-best.

Worse, you don’t want to end up in situations where the rightfully paranoid security teams are working with tools that don’t mesh well with their IT counterpart’s tools.

If IT and security tools don’t mesh well, IT may not be able to quickly act to respond to risky situations that the security teams are monitoring or are concerned about – things like reports from threat intelligence, discoveries of unpatched vulnerabilities, nasty zero-day exploits, or user behavior that indicates risky or suspicious activity.

One suggestion: Find tools for both departments that are designed with both IT and security in mind, right from the beginning, rather than IT tools that are patched to provide some minimal security capability. One budget item (take it out of IT, they have more money), but two workflows, one designed for the IT professional, one for the CISO team. Everyone wins – and next time someone wants to give the HVAC contractor access to the network, perhaps security will notice what IT is doing, and head that disaster off at the pass.