Laura Élan, P.E., RAC, Senior Manager Cybersecurity, CSA Group

With increased connectivity, commercial and residential building management has improved by leaps and bounds, especially for HVACR systems. The benefits provided by the Internet of Things (IoT), including boosted performance and autonomy, are why the Continental Automated Buildings Association (CABA) predicts that there will be more than 70 billion IoT-connected devices by 2025, with an estimated 18 billion devices shipped each year.[1]

The challenge with the increased adoption of connected HVACR systems is mitigating the higher risk of a cyber-attack. Symantec reports that from 2016 to 2017 there was a 600% increase in cyber-attacks against IoT-connected devices.[2]

Owners, operators, and service providers of IoT-enabled HVACR solutions need to be concerned about the possible consequences of a cyber-attack on these devices. These include exposure of sensitive data, interrupted operations, loss of revenue, unplanned recovery expenses, and liability or legal action. To help ensure the cybersecurity of connected HVACR systems, it is important to recognize that a cybersecurity breach can pose the same level of safety risk to people, property, and the environment as a product safety incident. Customers of these connected products and systems are aware of this too. As a result, device manufacturers should consider both safety and security in the very early stages of product design.

The principles of product security which all IoT product manufacturers should embrace include Secure Organization, Secure Development Lifecycle, and Product Security by Design. These three principles provide for a holistic approach that protects all assets and recognizes the interconnections and dependencies between the developing organization, its processes, and their IoT products and solutions offered to the market. These overarching principles of security are incorporated into various global standards and best practice frameworks. For example, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, International Electrotechnical Commission (IEC) standards, and other private and national standards addressing cybersecurity for products and organizations recommend the following strategies:

  • Developing security policies, procedures, training, and educational material for all organization team members, contractors, and partners.
  • Addressing security throughout the entire lifecycle of product development.
  • Achieving “Security by Design” by identifying the security architecture, components, and technologies, their respective security risks, and risk mitigation strategies for products and solutions.
  • Establishing processes to evaluate and audit the entire product supply chain so that security vulnerabilities are not introduced through third-party software and hardware components, product development partners, manufacturing sites and partners, or distribution, installation, and maintenance services.

For an in-depth look at the three key principles of product security, practical insights on how to incorporate these principles into product design, and where third-party testing & certification providers like CSA Group can help, contact us today to receive our upcoming white paper on HVACR system cybersecurity.

[1] CABA (2016), Intelligent Buildings and the Impact of the Internet of Things. Retrieved from: https://www.caba.org/CABA/Research/IB-IOT.aspx

[2] Symantec (2018), 2018 Internet Security Threat Report. Retrieved from: https://www.symantec.com/security-center/threat-report