ENTOUCH Smart Building Solutions

Energy Management System Cybersecurity: 5 Ways to Avoid Another Target-Like Hack

In 2013, Target suffered one of the largest hacks of consumer data in history via third-party vendor of the retail giant’s HVAC system, reports Jai Kumar Vijayan of Computer World. Unfortunately, this event that called into question energy management system cybersecurity has led many companies to grow increasingly critical of outsourcing facilities management operations.

While the hack was a horrible event for Target, it highlighted the vulnerabilities within energy management solutions (EMS). Consequently, today’s systems have become more advanced and secure than ever before, and you need to know what steps to take to leverage EMS systems while protecting your data simultaneously.

Eliminate Ambiguity Over EMS Cybersecurity Responsibility

Part of the problem that led to the vulnerability of Target was a failure to understand who was responsible for securing the connection into the HVAC system. In other words, Target thought the vendor would assume cybersecurity responsibility and vice versa. Unfortunately, this left the system vulnerable to attacks. So, you can eliminate this concern by clarifying any ambiguity between responsibility. In other words, make sure your EMS vendor has its obligations to protect data clearly defined in your contracts.


Use Two-Layer Verification For Data Access

Google, Facebook, Apple and other major companies have already taken steps to create two-layer verification processes for gaining access to user accounts, and this concept can be applied to EMS cybersecurity as well.

For example, accessing your EMS system should require more than just a username and password. It might involve proving that your IP address has accessed server data and controls in the past. This can be accomplished on the EMS-vendor’s side of the equation, or you might use fingerprints to allow any access to internal networks or terminals. A quick means of achieving this feat is using the computer with fingerprint scanner access, not just those that require a password.

Make Usernames and Password Strong

Do you know the password to your most sensitive information off the top of your head? If so, it is probably not secure. Knowing your password is more than putting names and favorite places together. It should be a combination of letters, number, and symbols, and it should not be a logical phrase. Putting your name, a symbol and a number afterward do not create a strong password.

You need to create completely randomized passwords that do not follow mathematic or logic equations, and it should take some work to commit the password to your memory. Similarly, usernames should be strong as well. Do not use “admin, owner, mybusiness or letmein” as usernames in your company, explains Sabrina Korber of CNBC. Consider using randomized usernames that follow the same criteria of strong passwords.

Eliminate Unnecessary Access Points to Aid in Energy Management System Cybersecurity

Does every person company need access to your EMS? No! Only authorized personnel should have the credentials and ability to access your EMS system, and this includes more than just login information. In other words, create physical lockboxes around every physical access point, such as a thermostat, in your facility, explains Mark Petock. Entrust only supervisors to access these devices, and continue to require a two-fold authorization when accessing systems remotely as well.

Separate Networks With Connected Devices From Customers’ LANs

Separating networks is key to preventing another Target-like attack. Devices that store customers’ information should be separate networks from connected devices. While this would seem to contradict EMS goals, it works as the systems communicated through encrypted, proper channels within the cloud. Thus, the systems strengthen one another, reducing risk and proactively managing access points. Additional measures include using VPNs that are behind firewalls in your company for these separate networks. So, EMS cybersecurity can be enhanced even further.

Take Responsibility in Preventing Hacks Even When It Does Not Seem to Be Your Burden

The Target hack exposed the vulnerabilities that can exist in a company’s EMS cybersecurity measures, but it did more than just give customers’ information to the hands of nefarious individuals. It provided a beacon to companies and catalyzed business-owners to enhance their cybersecurity standards. Moreover, the hack highlighted the need to assume responsibility for cybersecurity when it is not clearly defined.

By following the simple steps in this blog post, you can boost your profit margins and eliminate wasted energy consumption costs through EMS solutions and maintain a strong EMS cybersecurity plan.