Target hack: attack came through HVAC

Yesterday, we learned thieves used the HVAC system to penetrate Target Store’s network and steal personal information for more than 70 million customers. You shouldn’t be surprised.

We’ve known heating and ventilation systems are a major security risk since a rag-tag band of rebels destroyed “the ultimate power in the universe” through a thermal exhaust port. Like the Death Star, Target was brought down through their HVAC system.

Of course, Target is nothing like the Empire. I’ve seen Star Wars more times than I can count and I always cheer when the Death Star explodes. When I heard about the breach at Target, I nearly cried. My wife was one of the 40 million who used a credit or debit card at Target in November. I had been compromised. There was Darth Vader, squeezing the breath right out of me.

You don’t need to be a Star Wars fan to understand the Target security breach. Over the past couple of years there has been a steady drumbeat of warnings about poor security in building systems and industrial controls. Security analysts have posted warnings about our HVAC systems, white-hat hackers have demonstrated exploits into industrial control systems, and President Obama highlighted the cyber security threat to our critical infrastructure in his 2013 State of the Union address and in a November 2013 proclamation.

Now you might not consider Target “critical national infrastructure;” as the father of two young children in suburban America, I can assure you it is. Target may be in the news today, but this type of cyber-crime could happen to anyone. I hate to make such a gruesome prediction, but we’ll be seeing more of this type of hack in the months to come.

So, what can we do to stop it? How can we prevent hackers from breaking into our networks through our building systems? Netop has a unique perspective on this particular topic. We provide PCI-DSS compliant remote access solutions for Point of Sale (POS) environments and we designed a secure remote access solution specifically for use in Building Automation & Energy Management systems in partnership with Lynxspring.

Providing secure remote access to point of sale systems, building automation systems and energy management systems is where Netop lives and breathes. Over the next several weeks we’ll be talking about this subject in depth. Starting next week, we’ll take a look at this subject from the perspective of the building owner or facilities manager. Next, we’ll consider the perspective of third-party vendors and external service providers, and we’ll finish things off by addressing the issue from the perspective of the IT department.

In the meantime, if you want to learn more about providing secure remote access to your building automation and energy management systems, check out LYNX CyberPRO from our friends at Lynxspring. You can learn more about Netop’s PCI-DSS compliant remote control tools for point of sale systems here.

Of course, you can also drop me a note with questions or comments. I’m always happy to talk network security or remote access challenges.
