Contributors: Steve Carroll and Dan Vogt

Most organizations prioritize securing their networks against cyber threats with robust protocols. But increasingly, they also have to consider alternative attack vectors through building systems.

Building systems, which are frequently less secure than IT networks, can be intentionally manipulated or disabled through connections that exist outside of an organization’s network. For example, if a bad actor gains access to an HVAC system’s digital control, air conditioning to a server room (or data center) can be disabled, causing systems to overheat and leading to a disruption as severe as a network attack.

This article explores the challenges buildings face and what building owners should be aware of in terms of cybersecurity for building systems.


What makes buildings vulnerable to cyberattacks?

Digital innovation has significantly enhanced the efficiency of building operations. Integrated and interconnected building control systems have become indispensable for ensuring a comfortable, safe, and highly efficient indoor environment. However, the expanded accessibility and control over critical aspects like physical security systems, HVAC, fire alarms, lighting systems, and electrical power also introduce vulnerabilities that need to be addressed.

Building systems used to be hard-wired with mechanical controllers, but the shift towards interconnected building control systems means that more devices and systems are now connected to the internet—whether or not they are on an internal network. This connectivity expands the size of the system open to attack and provides new and different types of entry points for cybercriminals to exploit.

Standardized protocols are another issue. Many building control systems rely on technologies which were designed with a focus on functionality rather than robust security. These protocols often lack built-in security features, making it easier for attackers to gain unauthorized access.

Another challenge is that the Operations Team who manage the building automation systems are not part of IT or cybersecurities teams which creates a gap in the cybersecurity and an opportunity for bad actors.  For example, most of today’s building automation controllers come with an option to be hardwired or have WiFi capability.  If the controller is installed and the WiFi is not deactivated a bad actor can access through the WiFi to create havoc.  Salas O’Brien’s Cybersecurity Commissioning Services can close these loopholes and provide an extra layer of security during the design and construction phases and throughout the lifetime of the building.

To address these vulnerabilities, organizations must prioritize cybersecurity in their building management practices. This includes creating the same level of proactive measures as implemented on computer network systems to mitigate risks.


Common types of cyberattacks on building systems

The following are some current prevalent vulnerabilities:

Unauthorized access and control

Unsecured communication channels or vulnerabilities in networked building systems can provide avenues for attackers to gain unauthorized access and control over critical infrastructure. Once inside, cybercriminals can alter settings and tamper with control mechanisms, sensors, or other critical elements to disrupt building operations, compromise safety protocols, or cause physical damage.

Denial-of-Service (DoS) attacks

In a DoS attack, cybercriminals overload building systems with excessive requests or malicious traffic, rendering them incapable of functioning properly. By overwhelming system resources or exploiting vulnerabilities in network infrastructure, attackers can disrupt building operations, leading to service outages, compromised safety measures, or financial losses.

Malware and ransomware threats

Building systems are not immune to malware infections, which can have severe consequences. Malicious software can infiltrate building control systems, surveillance networks, or management software, enabling attackers to disrupt operations, manipulate data, or even demand ransoms for restoring control. Ransomware attacks specifically target building systems to encrypt critical data or lock out administrators, holding the functionality hostage until a ransom is paid.

Data breaches and privacy concerns

Building systems often handle sensitive data, such as surveillance footage, access control logs, or environmental monitoring data. A successful breach of these systems can result in the compromise of personal information, unauthorized access to secure areas, or violations of privacy regulations. Cybercriminals may exploit vulnerabilities in data storage, weak encryption, or unpatched software to gain unauthorized access to sensitive information.

Challenges for multi-tenant buildings

There is a gap for building owners who have multi-tenant situations. While the building may provide internet to their tenants, they often rely on the tenant to lock it down.


What can organizations do to improve the cybersecurity of their building?

Cybersecurity for building systems is about risk management and employs many of the same strategies used to protect IT systems. Here are some key considerations to reduce risk:

Implement strong protocols for building management systems (BMS)

Weak authentication mechanisms, such as simple passwords or shared credentials, make it easier for cybercriminals to exploit system vulnerabilities. Additionally, if the BMS software or firmware is not regularly updated with security patches, it may contain known vulnerabilities. Implementing strong security protocols for authentication, patches, and updates can help protect the systems.

Create segmentation in the network

If the BMS is connected to the network without adequate security measures, it becomes susceptible to attacks from within the network. Even if the BMS is on its own network, there have been instances where cybercriminals have access the IT Network by “jumping the gap” between the two.  It is important that your system have the proper firewalls or network segmentations to prevent cybercriminals from accessing the IT network through the BMS.

Educate employees about malware and phishing attacks

BMS can be compromised by targeting the personnel responsible for managing or operating the system. If an unsuspecting user opens a malicious email attachment or clicks on a phishing link, it could lead to the installation of malware on the BMS network, allowing unauthorized access. Many employees participate in malware and phishing training, so adding a section on how BMS systems are also vulnerable to these attacks is a straightforward risk mitigation strategy.

Be aware of integration with third-party systems

Some building systems connect to their manufacturer for updates and ease of troubleshooting, but these connections expose your building to any vulnerabilities in those systems. It is essential to ensure that all integrated systems maintain robust security measures. Continuous commissioning can protect firms by going through the systems on a continuous basis to alert to vulnerabilities.

Schedule regular security assessments and audits

Conduct periodic audits and security assessments of building systems to identify vulnerabilities and weaknesses. Penetration testing exercises can simulate real-world attack scenarios, helping organizations identify and address potential security gaps.

Salas O’Brien helps organizations develop robust cybersecurity programs for building systems. We provide assessments, audits, and testing; systems design and implementation; commissioning and continuous monitoring services. We can help you close security gaps in your building systems and protect your organization from cyberattacks. Want to talk about cybersecurity for your operational technologies? Reach out to [email protected]

For media inquiries on this article, reach out to Stacy Lake.

Get our Insights Report
Get our Insights Report

Solutions in Industrial Cybersecurity

While cyberattacks on information technology (IT) cause damage to companies and organizations through data and communication disruption, attacks on operational technologies (OT) cause damage to physical systems in the real world.

Our report covers:

  • What makes OT vulnerable to cyberattacks.
  • Security audits and vulnerability assessments
  • Zero trust architecture frameworks
  • Firewall applications and endpoint security
Access report
Steve Carroll, MBA, CxA, LEED AP

Steve Carroll, MBA, CxA, LEED AP

Steve Carroll is a Principal and the Director of Commissioning at Salas O’Brien. As a Commissioning Authority, Steve identifies potential issues before they become problems and increases value for his clients. He also specializes in cybersecurity for building systems, providing systems monitoring to keep alternate attack vectors secure. As a leader, Steve is focused on mentoring, coaching, and developing his team to achieve continuous improvement. He holds a Master of Business Administration and a Bachelor of Science in Engineering. Contact him at [email protected].

All Posts

Dan Vogt, MBA, TEC

Dan Vogt, MBA, TEC

Dan Vogt has over 30 years’ experience working in Information Technology (IT), mostly in top IT leadership positions for international companies with multiple lines of business. His experience is diverse and includes various industries, acquisitions & mergers, compliance, security, data centers, and creation of proprietary, innovative software and hardware. Dan stays abreast of trends and security practices within the IT field through participation in regional, national, and international associations. Contact him at [email protected].

All Posts