www.heatingandventilating.net
INDUSTRY INSIGHT
How heating and ventilation could be the weak link in cyber security
As buildings become ever more connected, from homes to football stadiums, the risk of cyber sabotage impacting the physical world grows exponentially. Heating and ventilation might not seem like an obvious target for attackers, but the impact of disruption is significant. Michael Downs, VP at SecurEnvoy, elaborates and explains the value of multi-factor authentication (MFA).
In extreme weather, heating and air conditioning is absolutely crucial to human safety and business continuity. Imagine the air conditioning failing in a mall in Dubai - I don’t think people would be sticking around to complete their shopping. HVAC engineers regularly access building systems remotely. It’s a key part of the job: a fault develops overnight, a client calls about a temperature complaint, a scheduled adjustment needs to happen before a building opens. Remote access makes all of this possible without rolling a van. But the same connection that lets an engineer tweak airflow settings from a laptop also represents a way in for anyone who gets hold of their credentials.
The credential problem
Stolen login details are cheap and easy to come by. Infostealers, phishing, data breaches from unrelated services: there are plenty of ways an attacker ends up with a valid username and password. If that’s all they need to log into a BMS or HVAC control platform, the account is effectively open. This is a particular problem in the trades, where a single set of credentials can be shared across a team so any engineer can log in when needed, accounts from jobs completed months ago never get revoked, and personal devices get used because they’re convenient. None of this is unusual, but all of it creates exposure. Attackers know that contractor accounts are worth targeting precisely because they’re managed with less scrutiny and care than internal staff accounts.

The 2021 Colonial Pipeline attack is an example. Attackers accessed the network through a VPN account that did not have MFA enabled. The pipeline shut down for six days, causing fuel shortages across the US east coast. The attack prompted a US executive order mandating MFA across critical infrastructure, demonstrating the significance of the attack.
Subsequently, UK legislation and official guidance has included MFA as a best practice, with the recent Cyber Essentials update making MFA mandatory for all cloud services where it is available.
What MFA actually fixes
MFA means that a stolen password doesn’t pose the same level of risk. To log in, you also need the second factor, whether that’s a code from an authenticator app, a biometric or a hardware token. An attacker with valid credentials but no access to the engineer’s phone can’t get in.

The objection that comes up most frequently is friction. Engineers are in the field, under pressure, accessing systems from different devices. An extra step feels like an obstacle. MFA is incredibly simple to implement and need not hinder productivity; authenticator apps take seconds and biometrics require no codes at all. Phishing-resistant MFA authenticates automatically and cryptographically between the user’s device and the legitimate service, so attackers can’t overwhelm users with prompts or trick them into tapping “approve.” Risk-based authentication, which only prompts for a second factor when a login looks unusual, such as from an unfamiliar device or location, means that a contractor logging in from their usual setup barely notices it’s there. Conditional access, whereby you only grant access to systems to those who need them, is another control to limit unwanted access. If MFA is set up to be as straightforward as possible, with clear guidance for contractors on how to use it, then it tends to stick and be used with confidence.
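The risk-based and conditional access controls described above can be expressed as a small policy check. The following is an added example written for this article, not SecurEnvoy code or any vendor’s product logic; the account name, device identifiers, country codes and site names are constructed. A login on a familiar device from a familiar country is allowed without a prompt, anything unfamiliar triggers the second factor, and an account that is not entitled to the target system is refused outright regardless of its password.

```python
"""Risk-based and conditional access decision for a remote BMS login.

Added example, not SecurEnvoy code or any vendor's product logic. All
device ids, account names, site names and countries below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class LoginAttempt:
    user: str
    device_id: str   # identifier the client presents (e.g. a registered laptop)
    country: str     # ISO country code derived from the source address
    system: str      # target, e.g. the BMS for one site


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)  # systems this login may reach


def evaluate(attempt: LoginAttempt, profiles: dict) -> tuple:
    """Return (decision, reasons).

    deny         - conditional access: no profile, or not entitled to this system
    require_mfa  - risk-based: something about the login is unfamiliar
    allow        - familiar device and location on an entitled system
    """
    profile = profiles.get(attempt.user)
    if profile is None:
        return "deny", ["unknown account"]
    if attempt.system not in profile.entitlements:
        return "deny", [f"not entitled to {attempt.system}"]
    unfamiliar = []
    if attempt.device_id not in profile.known_devices:
        unfamiliar.append("unfamiliar device")
    if attempt.country not in profile.known_countries:
        unfamiliar.append("unfamiliar location")
    if unfamiliar:
        return "require_mfa", unfamiliar
    return "allow", []


def record_mfa_success(attempt: LoginAttempt, profiles: dict) -> None:
    """After the second factor is verified, remember the device and location so
    the engineer is not prompted again for their usual setup."""
    profile = profiles[attempt.user]
    profile.known_devices.add(attempt.device_id)
    profile.known_countries.add(attempt.country)


# Constructed sample: one contractor engineer entitled to a single site's BMS.
PROFILES = {
    "j.smith": UserProfile(
        known_devices={"laptop-7f3a"},
        known_countries={"GB"},
        entitlements={"bms-site-a"},
    ),
}

if __name__ == "__main__":
    attempts = [
        LoginAttempt("j.smith", "laptop-7f3a", "GB", "bms-site-a"),  # usual setup
        LoginAttempt("j.smith", "phone-91c2", "GB", "bms-site-a"),   # new device
        LoginAttempt("j.smith", "laptop-7f3a", "DE", "bms-site-a"),  # new country
        LoginAttempt("j.smith", "laptop-7f3a", "GB", "bms-site-b"),  # not this job
        LoginAttempt("ghost", "laptop-7f3a", "GB", "bms-site-a"),    # revoked account
    ]
    for a in attempts:
        decision, reasons = evaluate(a, PROFILES)
        print(f"{a.user:8} {a.device_id:12} {a.country} {a.system:10} -> {decision} {reasons}")
```

The entitlement check runs before the risk scoring on purpose: a stolen password for a revoked or out-of-scope account should never reach the point of being offered a second-factor prompt.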
Making it standard practice
The most straightforward way to get MFA consistently applied across contractor access is to make it a condition of doing the work. If a supplier or subcontractor needs remote access to a client’s building systems, that access comes with security requirements attached. This is increasingly the direction public sector contracts are going: the NCSC’s Cyber Essentials scheme, which is becoming a baseline requirement across regulated industries, mandates MFA as standard.

Alongside MFA, it’s worth revisiting what remote access actually grants. An engineer maintaining air handling units doesn’t need administrative rights across the whole BMS. Scoping access to what’s required for the job, and removing it when the job ends, limits what an attacker can reach even if credentials do get compromised.

The practical starting point is a straightforward audit: which accounts currently have remote access to building systems, what level of access each one carries, and which of them have MFA switched on. Most organisations find the answer to that last question more uncomfortable than they expected. Remote access is too useful to give up. The question is whether the accounts enabling it are secured well enough to justify the exposure they create.
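The audit the article recommends can be run over an exported list of remote-access accounts. The script below is an added example, not from the article or from SecurEnvoy; the account inventory is constructed, and the stale-login threshold of 90 days is an assumed policy value. It flags each of the problems raised above: logins without MFA, credentials shared across a team, contractor accounts holding admin rights, access left in place after the job ended, and accounts nobody has used for months.

```python
"""Audit remote-access accounts on a building management system.

Added example, not from the article or SecurEnvoy. The inventory below is
constructed; in practice it would be exported from the BMS or identity provider.
"""
from dataclasses import dataclass


@dataclass
class RemoteAccount:
    name: str
    holder: str            # person or team the login belongs to
    contractor: bool       # external supplier or subcontractor account
    shared: bool           # one password used by several engineers
    mfa_enabled: bool
    role: str              # "admin", "operator" or "readonly"
    days_since_login: int
    contract_open: bool    # False once the job it was issued for has ended


def audit_account(acct: RemoteAccount, stale_after_days: int = 90) -> list:
    """Return the list of findings for one account (empty means no action)."""
    findings = []
    if not acct.mfa_enabled:
        findings.append("no MFA on remote access")
    if acct.shared:
        findings.append("shared credential; no individual accountability")
    if acct.contractor and acct.role == "admin":
        findings.append("contractor holds admin rights; scope to the job")
    if not acct.contract_open:
        findings.append("job ended but access not revoked")
    if acct.days_since_login > stale_after_days:
        findings.append(f"unused for {acct.days_since_login} days; review or disable")
    return findings


def audit_all(accounts: list, stale_after_days: int = 90) -> tuple:
    """Audit every account; return (per-account findings, summary counts)."""
    report = {a.name: audit_account(a, stale_after_days) for a in accounts}
    summary = {
        "accounts": len(accounts),
        "without_mfa": sum(1 for a in accounts if not a.mfa_enabled),
        "needing_action": sum(1 for f in report.values() if f),
    }
    return report, summary


# Constructed inventory (assumed threshold: 90 days without a login is stale).
SAMPLE_ACCOUNTS = [
    RemoteAccount("ahu-maint", "Northside HVAC Ltd (team login)", True, True, False, "admin", 3, True),
    RemoteAccount("j.smith", "J. Smith, Northside HVAC", True, False, True, "operator", 12, True),
    RemoteAccount("chiller-retrofit", "Coolworks, 2025 retrofit", True, False, False, "operator", 210, False),
    RemoteAccount("fm-lead", "In-house facilities manager", False, False, True, "admin", 1, True),
]

if __name__ == "__main__":
    report, summary = audit_all(SAMPLE_ACCOUNTS)
    for name, findings in report.items():
        status = "OK" if not findings else "ACTION"
        print(f"{name:18} {status}")
        for f in findings:
            print(f"    - {f}")
    print(summary)
```

Running it on the sample inventory shows the pattern the article describes: the individually held, MFA-protected engineer account passes, while the shared team login and the account left over from last year’s retrofit each collect several findings.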
June 2026