Penetration of Target's HVAC Controls

[John Young]

Good to see the report on Target's penetration through its remote
heating and cooling controls. These and a slew of other building
automation systems are often run on central computers along with
data processing. Data processing may be protected but the other
systems often are not, for IT sec tends to focus on the data of
businesses housed in a structure but not the systems running or
monitoring the structure with its operating systems most often
overseen by maintenance and operation staff seldom skilled
in cybersec.

We have seen quite a few buildings with decent data protection and
building physical and electronic security systems, but lacking oversight
of the security of building automation systems often remote from
the facilities with 24x7 access, and from there who knows where
else -- central automation firms may link up to hundreds of other
buildings in a batch of countries. Critical infrastructure protection
seldom covers the great variety of buildings.

Some use the same Internet connection, separated only
by software and folders, with folders of the automation system in
obscure locations seldom seen by principal IT data admins.
Different duties, contracts, staff, budgets. Much interest in
data security, hardly any for automation security.

This is not the case for experienced designers, constructors
and operators of buildings. Although compartmentalization
among them continues to erect easy to penetrate "firewalls"
and gaps of responsibility.

Spies very much like the porosity and attention to data
protection.