Security Requirement - Honeywell TC300 Configuration And User's Manual

Commercial thermostat

1 - INTRODUCTION

Security requirement

System Environmental Considerations
An Internet firewall is required to isolate the thermostat. Unprotected Internet
connections can expose the thermostat system and facility components to
cyber-attacks from third parties, which can damage them. The thermostat may
malfunction as a result, and it can also be misused for illegal purposes for which
the operator may then be held liable.
Deployments and Maintenance Considerations
• Always keep the local server up to date with the latest security patches via a regular system
update. This applies not only to workstations or servers running Windows, Linux, or Mac,
but also to any device that runs as part of the information infrastructure or as an operations workstation.
• Always keep the thermostat updated to the latest released firmware to get maximum
protection from the built-in security features.
• Do not use default passwords (if any exist) on any device. This includes, but is not limited to,
all server workstations, storage servers, firewall devices, routers, and mobile devices.
• Do not use weak passwords for server administrators or operators. Different user roles (for
example administrator, user, guest, etc.) shall have different passwords, and users
should not share common passwords.
• In case of wireless communication, malicious wireless devices can easily scan the wireless
channel and inject malicious packets or a mass data flow to perform Denial-of-Service
attacks. Honeywell has taken steps to protect the TC300 Commercial Thermostat device
against packet injection, but a mass data flow will still result in a loss of wireless
communication bandwidth within the whole system. A regular check of the
communication failure rate or response rate of the thermostat helps to discover and
isolate devices being attacked and to stop the physical attacks in daily operation.
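
The regular check of the communication failure rate described in the last item above can be automated. The following Python code is an added example, not part of the Honeywell manual or of any Honeywell tool; the poll-record format, device names and thresholds are assumptions, and the sample data is constructed. It separates a single degraded device from a loss of bandwidth across the whole system.

```python
from collections import defaultdict

def failure_rates(polls):
    """Return {device_id: failed_polls / total_polls} for one time window."""
    total, failed = defaultdict(int), defaultdict(int)
    for device_id, ok in polls:
        total[device_id] += 1
        if not ok:
            failed[device_id] += 1
    return {d: failed[d] / total[d] for d in total}

def assess(baseline, current, margin=0.20, systemic_share=0.5):
    """A device is degraded when its failure rate rose by more than `margin`
    over the known-good baseline. When more than `systemic_share` of devices
    are degraded, the shared channel itself is losing bandwidth; otherwise the
    degraded devices are candidates for isolation. Thresholds are assumptions."""
    base, cur = failure_rates(baseline), failure_rates(current)
    degraded = sorted(d for d, r in cur.items() if r - base.get(d, 0.0) > margin)
    systemic = bool(cur) and len(degraded) / len(cur) > systemic_share
    return {"rates": cur, "degraded": degraded, "systemic": systemic}

def window(spec):
    """Build constructed poll records from {device_id: (ok_count, fail_count)}."""
    return [(d, ok) for d, (n_ok, n_fail) in spec.items()
            for ok in [True] * n_ok + [False] * n_fail]

# Constructed sample data: (device_id, poll_succeeded) records per window.
BASELINE = window({"tstat-01": (98, 2), "tstat-02": (97, 3),
                   "tstat-03": (99, 1), "tstat-04": (98, 2)})
ONE_DEVICE = window({"tstat-01": (97, 3), "tstat-02": (55, 45),
                     "tstat-03": (98, 2), "tstat-04": (99, 1)})
WHOLE_CHANNEL = window({"tstat-01": (60, 40), "tstat-02": (52, 48),
                        "tstat-03": (65, 35), "tstat-04": (58, 42)})

if __name__ == "__main__":
    for name, polls in (("one device", ONE_DEVICE), ("whole channel", WHOLE_CHANNEL)):
        result = assess(BASELINE, polls)
        scope = "system-wide" if result["systemic"] else "isolated"
        print(f"{name}: degraded={result['degraded']} ({scope})")
```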
Network Communication Notice
• To keep maximum integration compatibility with third-party devices and Fast-pack
communications are un-encrypted as open protocol. Improper security protection may
lead to data leakage, spoofing, and/or tampering by malicious devices, and to
denial-of-service attacks.
• To keep maximum integration compatibility with legacy devices, in-room wired devices are
less secure in terms of data confidentiality and authentication and are thus not recommended
for a new design. It is always highly recommended to use deep mesh wireless network
communication to gain maximum protection and the latest updates.
• In case of Denial-of-Service attacks, all communication channels will inevitably have a
loss of bandwidth due to malicious data flow.
• Connected devices may contain legacy technology, which is less secure against modern
cyber-attacks. Honeywell strongly recommends using a secured deep mesh
wireless network communication. In case of legacy technology, the user needs to be aware
of the risk of it being tampered with or attacked. To reduce the attack surface, the user is
advised to physically secure the wired communication signals, provide the necessary shielding
on wires, or place the necessary access control on such communication wires.