Building automation systems — HVAC, access control, elevators, fire suppression, energy management, and lighting controls — were designed as isolated operational technology networks, not as internet-connected systems subject to adversarial attack. Over the past two decades, facilities management has driven these systems onto IP networks and into cloud-managed platforms to enable remote monitoring, centralized dashboards, and integration with smart building analytics. The resulting convergence of operational technology (OT) and information technology (IT) has created attack surfaces that building owners have been systematically slow to recognize and address. The OT systems that run the physical building are now reachable from networks that are also reachable from the internet.
Attack vectors specific to commercial building systems exploit protocols that were never designed with security in mind. BACnet, the dominant protocol for building automation, was standardized in 1995 and has no built-in authentication — any device on the network that speaks BACnet can issue commands to any other device. Modbus, used for industrial equipment, has the same problem. A threat actor who gains access to a building's BAS network can enumerate every connected device, read sensor data, and issue commands to HVAC, access control, and other systems without any credential requirement. Documented attack scenarios include remote manipulation of HVAC to create uninhabitable temperatures, disabling surveillance cameras or unlocking access-controlled doors to support physical intrusions, and lateral movement from the building OT network into the tenant IT network — or from a compromised tenant endpoint into the building systems — depending on the network topology.
Tenant data and tenant privacy create a second exposure category. Smart buildings collect behavioral data about occupants — access badge events, desk utilization from occupancy sensors, meeting room booking patterns, energy use per floor. This data is typically controlled by the landlord but pertains to the tenants' employees. Most commercial leases have no provisions governing what data is collected, how it is stored, how long it is retained, or whether the landlord can share it with third parties. PIPEDA in Canada and an increasing number of US state privacy laws treat this type of workplace behavioral tracking as personal data subject to consent and disclosure requirements. A landlord who deploys occupancy analytics across a multi-tenant building without informed tenant consent and a documented data governance program carries regulatory and litigation exposure that the lease does not address.
Managing smart building cyber risk requires treating the OT network as a distinct security domain. Network segmentation — firewalling the BAS network from the corporate IT network and from the internet — is the foundational countermeasure and is consistently the first recommendation of every building cyber assessment framework. Beyond segmentation, standard practice includes a firmware update program for BAS devices (most run firmware versions that are years out of date and contain known vulnerabilities), penetration testing specific to building systems at least annually, documented incident response procedures for building OT events, and contractual provisions in commercial leases that govern data collection practices and require notification to tenants in the event of a building system breach. The first significant regulatory actions against commercial building owners for OT incidents have already begun in the EU; North American regulators are watching the same set of issues.
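Because BACnet and Modbus carry no authentication, the segmentation policy described above is the only thing standing between a tenant endpoint and the controllers; the following script, added here as an illustration and not part of the original article, audits firewall-style flow records against such a policy. The zone addresses, the flow-log format, and the sample flows are constructed for this example; the only real values are the protocol ports (BACnet/IP on UDP 47808, Modbus TCP on port 502).

```python
import ipaddress

# Constructed zone map for this example (addresses are not from any real building).
ZONES = {
    "bas":  ipaddress.ip_network("10.50.0.0/24"),   # building OT: BACnet and Modbus controllers
    "mgmt": ipaddress.ip_network("10.60.1.0/28"),   # hardened BMS operator workstations
    "corp": ipaddress.ip_network("10.10.0.0/16"),   # tenant / corporate IT
}
# Unauthenticated OT protocols: any host that can reach them can issue commands.
OT_SERVICES = {("udp", 47808): "bacnet-ip", ("tcp", 502): "modbus-tcp"}
# The only zone permitted to speak OT protocols into the BAS segment.
ALLOWED_INTO_BAS = {"mgmt"}

def zone_of(ip):
    """Map an address to a zone name; anything outside the defined zones is treated as internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def audit_flows(flow_lines):
    """Return (line, reason) pairs for flows that break the OT/IT segmentation policy."""
    findings = []
    for line in flow_lines:
        f = dict(kv.split("=", 1) for kv in line.split())
        src, dst = zone_of(f["src"]), zone_of(f["dst"])
        service = OT_SERVICES.get((f["proto"], int(f["dport"])))
        if "internet" in (src, dst) and "bas" in (src, dst):
            findings.append((line, "BAS segment exchanged traffic with the internet"))
        elif dst == "bas" and service and src not in ALLOWED_INTO_BAS:
            findings.append((line, f"{service} command path from {src} zone into BAS"))
        elif service and dst != "bas":
            findings.append((line, f"{service} endpoint outside the BAS segment ({dst} zone)"))
    return findings

# Constructed flow records in a firewall-log style; not captured from a real network.
SAMPLE_FLOWS = [
    "src=10.60.1.5 dst=10.50.0.17 proto=udp dport=47808",   # operator -> BAS: allowed
    "src=10.10.4.22 dst=10.50.0.17 proto=udp dport=47808",  # tenant laptop -> BAS: violation
    "src=10.50.0.31 dst=203.0.113.9 proto=tcp dport=443",   # controller reaching the internet: violation
    "src=10.10.4.22 dst=10.10.9.8 proto=tcp dport=502",     # Modbus device left on the corp VLAN: violation
    "src=10.10.4.22 dst=10.10.9.8 proto=tcp dport=443",     # ordinary IT traffic: ignored
]

if __name__ == "__main__":
    for line, reason in audit_flows(SAMPLE_FLOWS):
        print(f"{reason}: {line}")
```

Run against real flow exports, the third rule is the one that most often surfaces controllers that were quietly plugged into a tenant VLAN during a fit-out.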