HVAC Integrator’s ‘Billing’ Connection Led to Target Breach

The HVAC contractor linked to the Target breach says the only data connection between the two companies was a billing system. ICS experts, meanwhile, decry the security of bridges between IT and facilities systems.

The heating, ventilation and air conditioning contractor linked to the Target breach said its data connection to the giant retailer was “exclusively for electronic billing, contract submission and project management,” the company’s president and owner said yesterday.

Ross E. Fazio said in a statement that his company, Fazio Mechanical Services, was also compromised and that it is cooperating with Target and the Secret Service in the investigation of the breach that spanned most of the Christmas shopping season and resulted in the loss of 40 million payment cards and the personal information of 70 million individuals.

Fazio also squashed initial speculation that his company remotely monitors and manages Target’s environmental controls such as heating, cooling and refrigeration.

“Like Target, we are a victim of a sophisticated cyber attack operation,” Fazio said. “Target is the only customer for whom we manage these processes on a remote basis. No other customers have been affected by the breach.”

Fazio Mechanical Services is based in Sharpsburg, Pa., and specializes in supermarket refrigeration systems. Legitimate credentials providing access to the Target corporate network were stolen from Fazio Mechanical Services, sources told Krebs on Security.

Fazio’s declaration that it does not remotely monitor energy consumption and remotely manage temperatures for Target debunks theories that the hackers had bridged the HVAC system and pivoted from there to the corporate network. Hackers were able to upload RAM scraping malware to point of sale systems and exfiltrate stolen payment card data via a server inside the Target firewall to the attackers’ remote server.

While some security experts questioned why there wasn’t better segmentation between the two networks if this were the case, industrial control system security experts on the SCADASEC mailing list said that many building automation networks often are integrated with corporate networks. One post describes a typical environment where a workstation is tasked with managing a building automation system and a DSL line connects it to the Internet.

“It happens all the time,” said Billy Rios, director of vulnerability research and threat intelligence at Qualys. “We’ve done assessments where we exploit an Internet-facing HVAC system and pivot to the corporate network. Pivoting from the HVAC system to the corporate network is really trivial; it’s designed to be a bridge like that.”

Large retailers such as Target are perfect examples of this scenario where a third-party integrator is hired for environmental control, which is generally done remotely over the Internet rather than sending technicians on-site, said Rios, a long time SCADA and ICS pen-tester who has reported dozens of building management system vulnerabilities to the Industrial Control System Computer Emergency Response Team (ICS-CERT).

An integrator’s job is to install equipment, and often it’s done without much consideration for cybersecurity. Rios said there are no centralized security standards they are required to adhere to with regard to remote access.

“Every HVAC integrator is doing their own thing; there’s no control,” Rios said. “They put in remote access the way they want to put it in. Sometimes these guys just bring in a cable modem and the organization doesn’t realize the bridge to the Internet exists. Pivoting becomes trivial at that point. Some of the stuff we’ve seen is appalling.”

One such example Rios said was the reuse of common passwords by an integrator for all its customers.

“This way, the technician knows one set of credentials that gets them into all their customers,” Rios said. “If one organization gets compromised, the chances are all of them are going to get compromised. These are super common problems and it’s totally crazy.”

Another issue plaguing building management systems is that often they don’t fall under the auspices of IT management, rather facilities or operations. Many of these systems are embedded and are running Windows or Linux and they’re hardly ever monitored by security tools such as antimalware or egress filtering.

“When you see some of these systems taken out of facilities and turned over into IT, they turn on the security stuff and see they’ve been compromised, that a system is reaching out to different IP addresses or stuff is out of date,” Rios said.

“We’ve seen this coming for a long time, and there’s still a long way to go,” Rios said. “Integrators have to get their act together; vendors have to get their act together; and end users have to understand the threat. It’s a three-legged stool and until we get all three legs working together, we’re going to have a lot of problems.”

Suggested articles