Cybersecurity for Connected Buildings: Protecting What You’ve Built

June 1, 2026 | By: Fred Gordy

Picture a modern commercial high-rise: floors of glass and steel where every system—from HVAC and lighting to elevators and access control—operates in seamless coordination. Sensors anticipate occupancy patterns, algorithms optimize energy use in real time, and remote dashboards give facility teams unprecedented visibility and control. These connected buildings represent years of investment in efficiency, tenant comfort and sustainability. Yet the very networks that make them intelligent also expose them to threats that can halt operations in seconds, endanger occupants and erode the value owners have worked to create. In my more than 25 years leading cybersecurity for complex smart environments—including commissioning tens of thousands of devices in one of the world’s most ambitious commercial developments and guiding nationwide portfolios through risk assessments—I have seen the same pattern repeatedly: connectivity without deliberate protection turns an asset into a liability. Cybersecurity for connected buildings is no longer an optional IT add-on; it is a core requirement for safeguarding what you have built and ensuring operational resilience in an era of accelerating threats.

Understanding the Threats to Connected Buildings

Connected buildings face threats that differ from traditional IT environments because they involve cyber-physical systems. A compromise here can have immediate physical consequences.

Common attack vectors include:

  • Ransomware and Operational Disruption — Attackers increasingly target building automation systems (BAS) to encrypt controllers or disrupt critical functions. Recent trends show ransomware surging against industrial and OT environments, with groups exploiting remote access, valid credentials, or unpatched vulnerabilities to gain access to building systems. Incidents have caused multiday outages in HVAC, access control and lighting, forcing manual operations or partial closures. In critical infrastructure cases, such as water utilities or municipal facilities, disruptions have escalated to public safety issues.
  • Unauthorized Access via Exposed Devices — Many BAS controllers remain internet-facing or accessible via default credentials, vendor tunnels or misconfigured remote access. Tools like Censys and Shodan reveal thousands of exposed building systems daily. Once inside, attackers can manipulate setpoints, disable alarms, or use the building as a foothold for lateral movement.
  • Supply Chain and Third-Party Risks — IoT devices, firmware updates, and integration partners introduce vulnerabilities. A compromised vendor account or unvetted software can provide initial access.
  • Credential Abuse and Insider Threats — Shared or default accounts, lack of least privilege access, and “tribal knowledge” reliance create single points of failure.

These threats are not hypothetical. Reports from 2025–2026 highlight ransomware’s evolution into OT environments, with affiliates using commodity tools to target control system head-ends, equipment and engineering workstations. The result: operational downtime that costs far more than data loss alone.

Core Responsibilities: Who Owns What in Building Cybersecurity?

A frequent misunderstanding is that cybersecurity responsibility can be outsourced entirely to vendors or IT teams. Per standards like BCS/ISA 62443 (particularly the OT Services domain), asset owners hold ultimate accountability for risk, policy and outcomes. Service providers and system integrators execute controls but do not own the risk.

This boundary is essential for defensible practices:

  • Asset Owners — Define policy, conduct risk assessments, establish governance, and ensure compliance.
  • Service Providers/System Integrators — Provide and advise on execution: secure access, exposure reduction, patching, and verification.

Blurring these lines leads to gaps. Owners must treat BAS as critical infrastructure, not “just another network.”

For more resources, explore BuildingCyberSecurity.org—a non-profit advancing cyber-physical security for intelligent buildings through its BCS Framework, which adapts global standards like ISA/IEC 62443 (the leading series for securing automation and control systems, including BAS in smart buildings) into practical, market-driven guidance.

Foundational Practices to Protect What You’ve Built

Effective protection starts with basics—often overlooked in favor of advanced tools.

1. Inventory and Documentation: The Foundation of Clarity
You cannot protect what you do not know exists. Many organizations rely on tribal knowledge or outdated drawings. Start with a comprehensive, living inventory of all connected devices: controllers, sensors, gateways, protocols (BACnet, Modbus, etc.). Document network architecture, including zones and conduits. Treat this as a control—embed it in workflows, not a one-time project. Clarity replaces guesswork and accelerates incident response.

2. Exposure Reduction: A Professional Obligation
If a device is on the internet, it has already been seen. Conduct regular exposure checks (internal and external). Segment networks using zones/conduits per BCS/ISA 62443. Disable unnecessary remote access; use secure, audited methods (named accounts, multifactor authentication, no shared credentials). Validate configurations at every integration or change.

3. Risk-Informed Change Management
Patching without context creates operational risk. Prioritize vulnerabilities based on exploitability, asset criticality and business impact. Test changes in staging environments that mirror production. Balance security with uptime—use compensating controls (e.g., monitoring, segmentation) when immediate patching isn’t feasible.

4. Cyber Commissioning: Verify Security at Handoff
Traditional commissioning confirms systems function as designed. Cyber commissioning verifies they are secure at turnover. Review configurations, access controls, firmware, and exposure before acceptance. Document baselines for future comparison. In major high-rise projects, this step has identified persistent vulnerabilities that could have remained undetected.
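As an added illustration of documenting a baseline at handoff and comparing a later site assessment against it (this is example code written for this article, not a tool from any project named here; the device records, zone names, account names and firmware versions are constructed):

```python
"""Compare a later OT assessment snapshot against the cyber-commissioning
baseline recorded at handoff and report drift worth remediating.
Added example; all device data below is constructed, not from a real site."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    protocol: str          # e.g. "BACnet/IP", "Modbus/TCP"
    zone: str              # ISA/IEC 62443-style zone name
    firmware: str
    internet_facing: bool  # reachable from the internet per exposure check
    accounts: frozenset    # named accounts configured on the device
    default_creds: bool    # vendor default credentials still enabled

# Baseline documented at cyber commissioning (constructed sample).
BASELINE = {
    "ahu-1": Device("ahu-1", "BACnet/IP", "HVAC", "3.2.1", False, frozenset({"bms-svc", "j.doe"}), False),
    "chiller-1": Device("chiller-1", "Modbus/TCP", "HVAC", "1.9", False, frozenset({"bms-svc"}), False),
    "acs-gw": Device("acs-gw", "BACnet/IP", "ACCESS", "5.0", False, frozenset({"acs-admin"}), False),
}

# A later periodic assessment of the same site (constructed sample).
CURRENT = {
    "ahu-1": Device("ahu-1", "BACnet/IP", "HVAC", "3.2.1", False, frozenset({"bms-svc", "j.doe", "vendor"}), False),
    "chiller-1": Device("chiller-1", "Modbus/TCP", "HVAC", "1.9", True, frozenset({"bms-svc"}), False),
    "acs-gw": Device("acs-gw", "BACnet/IP", "ACCESS", "5.1", False, frozenset({"acs-admin"}), False),
    "vav-7": Device("vav-7", "BACnet/IP", "UNKNOWN", "2.0", False, frozenset({"admin"}), True),
}

def drift(baseline, current):
    """Return (severity, device, message) findings for every deviation from baseline."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        b, c = baseline.get(name), current.get(name)
        if c is None:
            findings.append(("medium", name, "device in baseline but not found on site"))
            continue
        if b is None:
            findings.append(("high", name, "undocumented device (not in baseline)"))
        if c.default_creds and not (b and b.default_creds):
            findings.append(("high", name, "vendor default credentials enabled"))
        if c.internet_facing and not (b and b.internet_facing):
            findings.append(("high", name, "internet-facing exposure"))
        if c.zone == "UNKNOWN":
            findings.append(("medium", name, "no 62443 zone assigned"))
        for acct in sorted(c.accounts - (b.accounts if b else set())):
            findings.append(("high", name, f"account '{acct}' not in baseline"))
        if b and c.firmware != b.firmware:
            findings.append(("low", name, f"firmware {b.firmware} -> {c.firmware}"))
    return findings
```

Calling `drift(BASELINE, CURRENT)` yields seven findings: the new account on ahu-1, the chiller now exposed, the firmware change on acs-gw, and four findings for the undocumented vav-7.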

5. Ongoing Assessment and Remediation
Perform periodic OT site assessments focusing on access paths, segmentation, and anomalies. Remediate without downtime where possible—prioritize high-impact fixes. Monitor for unusual activity (e.g., setpoint changes, failed logins).
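The monitoring point above (and the named-account, no-shared-credential rule from the exposure reduction step) as an added detection example: it is not code from this article or any vendor, the audit-log format is assumed, and the log lines, account names, addresses and thresholds are constructed.

```python
"""Flag suspicious BAS activity in audit-log lines: bursts of failed logins and
setpoint changes by unapproved accounts, outside the change window, or too large.
Added example with a constructed key=value log format, not a real head-end's logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of audit lines as a BAS head-end might emit them.
LOG = """\
2026-05-12T02:10:01Z user=vendor src=203.0.113.9 event=login_failed
2026-05-12T02:10:09Z user=vendor src=203.0.113.9 event=login_failed
2026-05-12T02:10:15Z user=vendor src=203.0.113.9 event=login_failed
2026-05-12T02:11:40Z user=admin src=203.0.113.9 event=setpoint_change point=AHU-1.SAT old=55.0 new=85.0
2026-05-12T09:30:00Z user=j.doe src=10.20.5.7 event=setpoint_change point=AHU-1.SAT old=55.0 new=56.0
2026-05-12T09:31:12Z user=j.doe src=10.20.5.7 event=login_failed
"""

APPROVED_OPERATORS = {"j.doe", "bms-svc"}   # named accounts; shared logins such as "admin" are not approved
CHANGE_WINDOW = (7, 19)                      # hours during which setpoint changes are expected
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)
MAX_STEP = 10.0                              # setpoint jump large enough to warrant a human look

def parse(line):
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect(log_text):
    """Return alert strings in log order."""
    alerts, recent = [], defaultdict(deque)   # (user, src) -> timestamps of recent failures
    for rec in map(parse, log_text.splitlines()):
        if rec["event"] == "login_failed":
            q = recent[(rec["user"], rec["src"])]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > FAIL_WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:            # fire once, when the threshold is crossed
                alerts.append(f"{rec['ts']:%H:%M} failed-login burst user={rec['user']} src={rec['src']}")
        elif rec["event"] == "setpoint_change":
            reasons = []
            if rec["user"] not in APPROVED_OPERATORS:
                reasons.append("unapproved account")
            if not CHANGE_WINDOW[0] <= rec["ts"].hour < CHANGE_WINDOW[1]:
                reasons.append("outside change window")
            if abs(float(rec["new"]) - float(rec["old"])) > MAX_STEP:
                reasons.append("large step")
            if reasons:
                alerts.append(f"{rec['ts']:%H:%M} setpoint {rec['point']} {rec['old']}->{rec['new']} by {rec['user']}: {', '.join(reasons)}")
    return alerts
```

On the sample, `detect(LOG)` returns two alerts: the three-failure burst from the vendor account and the 30-degree setpoint change made minutes later by a shared account at 02:11; the operator's daytime 1-degree adjustment and single typo login are left alone.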

6. Collaboration and Training
Bridge IT/OT silos. Train facility teams on cyber hygiene. Develop cross-functional incident response plans that include physical recovery steps.

Building Resilience: Beyond Prevention

Prevention is ideal, but resilience ensures continuity when incidents occur. Develop playbooks for OT specific recovery: isolate affected segments, restore from known good backups, and verify integrity before reconnection. Invest in redundancy (e.g., manual overrides, segmented networks) and test failover regularly.

Standards like NIST 800-53, CIS Controls, and the BCS Framework provide roadmaps. Start small—focus on high-value assets—and scale.

A Call to Action for Building Owners and Managers

Protecting what you’ve built requires shifting from reactive fixes to proactive, defensible practices. The path begins with honest self-assessment—ask yourself these three fundamental questions:

Do you know what you have?

Without a current, comprehensive inventory of every controller, sensor, gateway, and connected device (including protocols like BACnet and Modbus), you’re operating in the dark. Tribal knowledge and outdated drawings are not enough; clarity is a control that replaces guesswork and speeds recovery.

Do you know how your systems are connected?

Mapping network architecture—including zones, conduits, and any internet-facing paths—is essential. If a device is exposed, it has already been seen. Regular exposure checks and segmentation reveal hidden risks that could allow lateral movement from IT to OT.

Do you know who has access?

Identify every account, credential, and remote pathway (vendor tunnels, shared logins, or legacy defaults). Lack of least-privilege and audited access creates single points of failure—common in assessments where over 60% of systems had uncontrolled vendor or ex-employee access.

If the answer to any of these is “no” or “I’m not sure,” start there this quarter. Inventory your systems, assess exposure and boundaries, and define clear responsibilities with partners. These foundational steps reduce risk without massive overhauls and position you to build resilience.

Cybersecurity for connected buildings is about operational resilience—ensuring efficiency, safety, and value endure amid evolving threats. As owners and managers, you steward significant investments. Defensible cybersecurity safeguards them.

For more resources, explore BuildingCyberSecurity.org, BCS/ISA 62443 guidelines, or reach out to experts focused on secure connected solutions.
