HVAC System Exploit Renews Ongoing Supply Chain, Industrial Control System Risk

Why HVAC and Industrial Control Systems Pose Cyber Risk to Healthcare

A ‘cybersecurity incident’ reported by Johnson Controls International has encrypted devices and disrupted business operations, both internally and at some connected partners, according to a recent company filing with the Securities and Exchange Commission.

Johnson Controls is a building automation vendor that develops and manufactures security equipment, fire safety systems, air conditioning equipment, and industrial control systems for a wide range of global industries, including healthcare.

Filed late last week, the SEC form states that Johnson Controls International is facing disruptions to some of its IT infrastructure and applications. Customers and subsidiaries have also reported disruptions to their manufacturing processes and other technical outages.

Company leaders are continuing to investigate while coordinating with their insurers and working to remediate the fallout from the attack. A ransomware group known as Dark Angels has claimed responsibility for the attack, but the company has not confirmed that detail.

Johnson Controls is still working to determine “what information was impacted” and is following its incident management and protection plan, according to the SEC filing. So far, forensic work shows that many of the company’s applications remain unaffected and operational.

To address the operational disruptions, the company is relying on workarounds established in its business continuity plans and continues to provide services to customers. It is currently unclear what the final impact will be on customer data or on the company’s finances.

HVAC Security: Why it Matters to Overall Healthcare Infrastructure

In 2021, an Armis survey of 2,400 respondents, conducted to understand the cybersecurity perspectives of health IT leaders, ranked building systems such as HVAC and electrical systems, along with imaging machines, as the riskiest devices in healthcare because of their persistent vulnerabilities.

Given the sensationalized headlines around infusion pumps and other medical devices, the risk posed by HVAC systems may sound implausible. But it is not conjecture: the 2013 Target breach began with credentials stolen from the retailer’s HVAC contractor, which gave the attackers their foothold on Target’s network. These concerns are rooted in the numerous vulnerabilities in these systems and in their connection to the rest of the healthcare infrastructure.

For healthcare, the attack on Johnson Controls raises several concerns, in particular the sheer volume of devices and endpoints and the diversity of device types, from IoT and imaging devices to HVAC controllers and security cameras, that all operate on the same network.

Once an attacker has a foothold on the network, they can pivot to other connected systems through software or access control weaknesses. If they compromise an IoT device, they can persist on the network, often without detection.
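Catching that pivot is mostly a segmentation and visibility problem: building-automation and camera devices have a small, predictable set of legitimate destinations, so any flow from them into clinical or imaging segments is worth an alert. The script below is an added example, not code from the article, from Armis, or from Johnson Controls. It runs such a check over flow records; the segment ranges, the allowlist of expected building-automation traffic (BACnet/IP on UDP 47808, HTTPS and NTP to the vendor management hosts), and the flow records themselves are all constructed for illustration.

```python
"""Flag lateral-movement candidates originating from building-automation / IoT segments.

Added example (not from the article or any vendor). All addresses, segment
names, ports and flow records below are constructed assumptions.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Assumed hospital VLAN layout (constructed).
SEGMENTS = {
    "building-automation": ipaddress.ip_network("10.60.0.0/24"),  # HVAC, fire, access control
    "security-cameras": ipaddress.ip_network("10.61.0.0/24"),
    "imaging": ipaddress.ip_network("10.20.0.0/24"),              # modalities, PACS
    "clinical-it": ipaddress.ip_network("10.10.0.0/22"),          # EHR app servers, AD
    "bms-servers": ipaddress.ip_network("10.70.0.0/24"),          # vendor management hosts
}

# Segments whose devices are treated as operational-technology (OT) sources.
OT_SEGMENTS = {"building-automation", "security-cameras"}

# (destination segment, destination port) pairs OT devices are expected to use.
# Assumption: vendor remote management terminates only on the bms-servers segment.
ALLOWED_FROM_OT = {
    ("bms-servers", 47808),  # BACnet/IP
    ("bms-servers", 443),    # vendor management portal
    ("bms-servers", 123),    # NTP
}

# Constructed flow records standing in for NetFlow / firewall log exports.
FLOWS = [
    Flow("2023-09-27T02:10:01Z", "10.60.0.15", "10.70.0.5", 47808, "udp"),  # HVAC controller -> BMS (expected)
    Flow("2023-09-27T02:10:05Z", "10.60.0.15", "10.70.0.5", 443, "tcp"),    # HVAC controller -> BMS (expected)
    Flow("2023-09-27T02:11:40Z", "10.60.0.15", "10.10.0.12", 445, "tcp"),   # HVAC controller -> clinical host, SMB
    Flow("2023-09-27T02:11:41Z", "10.60.0.15", "10.10.0.12", 3389, "tcp"),  # HVAC controller -> clinical host, RDP
    Flow("2023-09-27T02:12:02Z", "10.60.0.15", "10.20.0.30", 104, "tcp"),   # HVAC controller -> imaging modality, DICOM
    Flow("2023-09-27T02:12:10Z", "10.61.0.8", "10.10.0.12", 445, "tcp"),    # camera -> clinical host, SMB
    Flow("2023-09-27T02:12:30Z", "10.10.0.50", "10.60.0.15", 443, "tcp"),   # admin workstation -> HVAC (not OT-origin)
]


def segment_of(ip):
    """Return the segment name containing ip, or None if it is outside every known range."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def classify(flow):
    """Classify one flow from the point of view of the OT segmentation policy."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg not in OT_SEGMENTS:
        return "not-ot-origin"          # policy only constrains traffic leaving OT segments
    if dst_seg is None:
        return "unknown-destination"    # OT device talking to an unmapped range: investigate
    if (dst_seg, flow.dport) in ALLOWED_FROM_OT:
        return "expected"
    return "segment-violation"


def find_violations(flows):
    """All flows where an OT device reached a segment/port outside the allowlist."""
    return [f for f in flows if classify(f) == "segment-violation"]


def pivot_sources(flows, min_segments=2):
    """OT sources that touched at least min_segments distinct non-allowed segments.

    One stray flow may be a misconfiguration; one device fanning out across
    several protected segments looks like an attacker pivoting from it.
    """
    touched = {}
    for f in find_violations(flows):
        touched.setdefault(f.src, set()).add(segment_of(f.dst))
    return {src: sorted(segs) for src, segs in touched.items() if len(segs) >= min_segments}


def report(flows):
    """Human-readable summary; returns the lines so callers can log or test them."""
    lines = [f"{f.ts} {f.src} -> {f.dst}:{f.dport}/{f.proto} [{segment_of(f.src)} -> {segment_of(f.dst)}]"
             for f in find_violations(flows)]
    for src, segs in pivot_sources(flows).items():
        lines.append(f"PIVOT CANDIDATE {src}: reached {', '.join(segs)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(FLOWS)))
```

In a real deployment the allowlist comes from the vendor's documented port requirements and the segment map from the IPAM or firewall zones; the point is that the legitimate traffic profile of an HVAC controller is small enough to enumerate, which is exactly what makes a pivot from it visible once the flows are collected.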

CNN has already reported that one federal agency is investigating the possible impact on its data, as Johnson Controls holds highly sensitive details tied to the department’s physical security.

The full impact is yet to be seen, but the incident aligns with the continued targeting of supply chain vendors and industrial control systems by threat actors seeking access to critical infrastructure entities. These attacks should serve as a reminder for all provider organizations to ensure visibility across their infrastructure, especially vendor endpoints.