Cybersecurity in Connected HVAC Systems

Handling Cybersecurity in Connected HVAC Systems

Reading time: 8 Min

The Internet of Things (IoT) is predicted to grow exponentially in the coming years, as users increasingly recognize the potential of pairing everyday devices with interconnected, internet-enabled functionality. Many different industries benefit from IoT implementation. For example, heating, ventilation, and air conditioning (HVAC) systems have undergone a dramatic transformation as a result of IoT. Such systems now form part of the smart energy market.

HVAC systems are being propelled to the forefront of technology development around the globe thanks to IoT-enabled products. Experts predict that by 2026 the global smart thermostat market will grow to $2.58 billion [1]. But with the growing demand for IoT systems comes a huge number of security concerns and vulnerabilities: every connected thermostat or controller is a networked computer with a remotely reachable attack surface. HVAC providers need to think about cybersecurity like never before.

IoT Security in HVAC Systems

The Internet of Things is an interconnected network of sensors and devices that collect and exchange data with other systems and devices, usually over the internet. In the case of HVAC, IoT allows smart heating and cooling systems to learn and adapt their settings while communicating with other devices around them. The effects are already substantial, improving energy conservation and efficiency for many homes and businesses. But the proliferation of smart HVAC systems also means that these systems are potentially open to unauthorized access from the internet. How exactly does IoT security work for HVAC systems in 2022?

IoT devices have sensors that gather data. An HVAC system gathers temperature data, then sends it either to a database for processing or directly to a client device such as a smartphone. The problem with sending data to a third-party database is that the data then sits on infrastructure you do not control: you have to trust the operator's security, and you have to account for who is able to read it.

This is where regulation comes in. In the European Union, the General Data Protection Regulation (GDPR) governs the processing of personal data, including any client data you hand to a third party such as a cloud or database provider. It is considered one of the strictest regimes to date, and fines for non-compliance can reach tens of millions of euros (up to €20 million or 4% of global annual turnover, whichever is higher) [2]. Comparable rules exist in the U.S. at the state level and in other countries, but the GDPR applies to any international company that serves clients in the EU, wherever the company is based. Sometimes you have no choice but to use a database management system to analyze the data, so GDPR compliance headaches are often unavoidable.

On the other hand, data gathered by some devices, like a smart thermostat's temperature sensor, doesn't always need much analysis. Sometimes you just need to see the reading so you can adjust the system settings to get the temperature you want. In these cases, companies have the option of bypassing the database and sending data directly to the receiving device, known as peer-to-peer (P2P) connectivity.

Infobox: What does P2P mean?

A P2P (peer-to-peer) connection is a direct communication path between two peers: a client device (such as a smartphone or a laptop) and an IoT device (such as a surveillance camera, smart door lock, alarm system, heat controller, or anything else that can connect to the internet).

All data is stored on the device; nothing is stored in the cloud. This gives the end user full control over the data, as no third-party server holds a copy.

P2P technology creates a direct connection between the end-user client and the IoT device, which gives the lowest possible latency for interactive scenarios.

The cost of running a P2P infrastructure is much lower than that of traditional solutions, because the infrastructure only mediates connections. The total cost of all-inclusive connectivity comes down to a few USD per device.

There is no critical cloud application to develop or configure with a P2P-based IoT platform. The developer only has to focus on the client application and the IoT device application.

With a P2P-based IoT platform the connectivity between the end-user client and the IoT device is end-to-end encrypted, so that only the two endpoints can read the traffic.

P2P-based IoT creates a direct connection from the end-user client to the IoT device without the firewall getting in the way. After the connection is established, no central servers are involved, and all interaction is directly between the two peers. One practical caveat: NAT traversal does not succeed for every combination of networks, and platforms then fall back to forwarding traffic through a relay. That is acceptable only if the encryption really is end-to-end, so that the relay forwards ciphertext it cannot read.


P2P works best when devices don't need to collect or analyze large volumes of data. Establishing the connection directly between the sensor device and the client device, like a smartphone or computer, means the data can be end-to-end encrypted: the keys exist only on the two endpoints, so nobody in between, including the platform operator, can read it, and the data never ends up in the hands of a third party for processing. In that case the vendor never acts as a GDPR [3] processor for the readings, which removes most of the compliance burden, and the user gets a far stronger privacy baseline. Two caveats apply. End-to-end encryption protects data in transit only; a compromised device or phone still exposes it. And the encryption is only as good as the authentication behind it: if the client does not verify the device's key (for example by pinning a fingerprint learned during pairing), whoever mediates the connection could substitute its own key and sit in the middle.


Many of the big players like Amazon AWS or Microsoft Azure relay data instead, with traffic travelling from the client to the IoT device through a cloud broker. In this scenario the data isn't necessarily stored on the server, but each TLS connection terminates at the broker, so the payload is decrypted there and passes through the relay as plaintext. Transport encryption on each hop is not the same as end-to-end encryption.


End-to-end encryption is like shipping a package in an armored truck, protecting the package during transit. No third party is involved along the way.
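The difference between a broker that terminates TLS and a mediator that only forwards sealed frames is easiest to see in code. The following Go program is an added example written for this article; it is not Nabto's code or any vendor's protocol. It assumes a pairing step in which each side records the other's public-key fingerprint, uses X25519 for key agreement and AES-256-GCM for the frames, and takes SHA-256 of the shared secret as a stand-in for a proper key-derivation function. The relay keeps a copy of everything it forwards so that we can check what it could have read, and a hostile mediator that swaps in its own key is rejected by the fingerprint check. The names Peer, Relay, EndToEnd and MITMAttempt are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must turns the impossible-in-this-demo errors (CSPRNG failure, malformed pinned key) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Peer is the client app or the HVAC controller; its X25519 private key never leaves it.
type Peer struct{ priv *ecdh.PrivateKey }

func NewPeer() *Peer              { return &Peer{must(ecdh.X25519().GenerateKey(rand.Reader))} }
func (p *Peer) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// Fingerprint is the value a peer pins at pairing time (pairing model assumed for this example).
func Fingerprint(pub []byte) string { return fmt.Sprintf("%x", sha256.Sum256(pub)) }

// SessionKey refuses a peer key that does not match the pinned fingerprint, then derives
// an AES-256-GCM key from the X25519 shared secret (SHA-256 stands in for a real KDF).
func (p *Peer) SessionKey(peerPub []byte, pinned string) ([]byte, error) {
	if Fingerprint(peerPub) != pinned {
		return nil, errors.New("peer key does not match pinned fingerprint: mediator may be swapping keys")
	}
	shared, err := p.priv.ECDH(must(ecdh.X25519().NewPublicKey(peerPub)))
	if err != nil {
		return nil, err // e.g. a low-order point
	}
	key := sha256.Sum256(shared)
	return key[:], nil
}

// gcmFor cannot fail here: the key is always 32 bytes.
func gcmFor(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Seal returns nonce || ciphertext || tag; Open reverses it and fails on any tampering.
func Seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func Open(key, msg []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(msg) >= n {
		return gcm.Open(nil, msg[:n], msg[n:], nil)
	}
	return nil, errors.New("truncated message")
}

// Relay is the mediating server; it forwards frames and keeps a copy of everything it carries.
type Relay struct{ Seen []byte }

func (r *Relay) Forward(b []byte) []byte {
	r.Seen = append(r.Seen, b...)
	return b
}

func (r *Relay) Saw(cmd []byte) bool { return bytes.Contains(r.Seen, cmd) }

// EndToEnd is the P2P pattern: the mediator carries only public keys and sealed frames.
func EndToEnd(r *Relay, client, device *Peer, cmd []byte) ([]byte, error) {
	devPub, cliPub := r.Forward(device.PublicKey()), r.Forward(client.PublicKey())
	ck, err := client.SessionKey(devPub, Fingerprint(device.PublicKey())) // pinned at pairing
	if err != nil {
		return nil, err
	}
	dk, err := device.SessionKey(cliPub, Fingerprint(client.PublicKey())) // likewise
	if err != nil {
		return nil, err
	}
	return Open(dk, r.Forward(Seal(ck, cmd)))
}

// MITMAttempt: a hostile mediator substitutes its own key; pinning makes the client refuse.
func MITMAttempt() error {
	client, device, mallory := NewPeer(), NewPeer(), NewPeer()
	_, err := client.SessionKey(mallory.PublicKey(), Fingerprint(device.PublicKey()))
	return err
}

func main() {
	cmd, broker, p2p := []byte("setpoint=21.0"), &Relay{}, &Relay{}
	broker.Forward(cmd) // broker pattern: TLS terminated at the relay, so it sees the command itself
	got, err := EndToEnd(p2p, NewPeer(), NewPeer(), cmd)
	fmt.Println("broker saw:", broker.Saw(cmd), "p2p relay saw:", p2p.Saw(cmd), "device got:", string(got), err)
	fmt.Println("key substitution rejected:", MITMAttempt() != nil)
}
```

Run it with go run (Go 1.20 or newer, for crypto/ecdh). The broker-style relay reports that it saw the command, the P2P relay does not, the device still receives the command intact, and the substituted key is refused. The last point is the one to take away: without authenticated keys, "end-to-end encrypted" is a claim the mediator can silently break.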

The Benefits of Secure IoT Connectivity for HVAC

As a result of IoT and HVAC advancements, businesses can now remotely manage commercial buildings, offices and even residential systems securely and at scale. And most systems can be controlled with the click of a button on a tablet or smartphone with little delay. Let’s go into some more detail on what secure IoT connectivity can do for your HVAC systems.

Example: °CALEON App for monitoring and remote control of underfloor heating systems

1. In-depth data analysis and reduced latency

If an IoT system requires in-depth analysis, smart sensors can monitor conditions in real-time and then send data to a centralized management system, which can then simulate future conditions using predictive analytics. Then the system can adjust settings according to the analysis. In a business setting, this can contribute to a more comfortable environment for employees. This smart functionality provides cost savings to the business itself. Data analytics provide property and estate managers with complete oversight of how much energy is being used in each part of a building. This helps them make building maintenance decisions that cut HVAC running costs. Where in-depth analysis isn’t as important, you can use secure P2P connectivity to reduce latency by sending commands directly from a controlling device to the HVAC system. You’ll get quicker response times from your devices.

2. Energy efficiency

According to the U.S. Energy Information Administration, in 2020 around 12% of the energy consumption of commercial buildings [4] was spent on cooling. However, smart HVAC developments can help drive these costs down by saving energy and enhancing efficiency. Many smart HVAC systems can now analyze both internal factors and external influences such as the weather when regulating a building's heating. IoT-connected HVAC systems can switch off systems automatically, monitor areas of heat loss, and assess the air quality in individual rooms. Plus, you can change system settings in real time through highly responsive user interfaces that use direct P2P connections. The interconnectivity of IoT systems also means that HVAC devices can connect to other building features: smart shades and lighting systems can be adjusted based on the analysis of HVAC data.

3. Safety

Covid-19 propelled the importance of better ventilation into the forefront of building management. Many smart HVAC systems have been reengineered to ensure optimal ventilation in line with relevant health authority guidance. Some systems go one step further in the quest to protect lives by accounting for every single person in the building in the event of a fire. A smart HVAC system recently developed by Boston University uses heat sensors to monitor the number of people within each room and regulate the airflow accordingly.

4. Rapid maintenance

The constant monitoring of HVAC systems through smart sensors means that managers and workers receive alerts about maintenance before work needs to be done. Smart systems can use P2P connectivity to instantly send alerts to the right personnel. What’s more, some smart systems will even provide diagnostic data that helps the repair team assess what needs to be fixed. This type of foresight also means that maintenance can be carried out outside of normal work hours and before there are any serious issues.

The future of the HVAC revolution


HVAC developments have come a long way since the Nest Learning Thermostat (from Nest Labs, later acquired by Google) was released over a decade ago. Gone are the days of ceiling fans and air conditioning units that can only be managed with a single remote. From smart thermostats to smart air-quality monitoring systems and connected controls, there is a growing demand for forward-thinking HVAC systems in both residential and commercial buildings. And we are now witnessing a revolution in the HVAC sphere as a result of IoT developments. Commercial office spaces and modern homes are now more connected and efficient than ever. This is just the beginning when it comes to the potential of smart HVAC systems. As with many industries recognizing the benefits of IoT and direct P2P connectivity, further growth in this sector is certain.

Carsten Rhod Gregersen

About the Author

Carsten Rhod Gregersen is Computer Scientist, IT entrepreneur and international IoT expert. With his IoT platform Nabto, he has been a development partner of SOREL since 2014.
