Is Your Smart Building an Easy Target for Hackers?

Spring 2023 Issue
By: Coleman Wolf
Modern commercial real estate buildings are packed with internet of things (IoT) devices that gather a wide variety of data.

IoT sensors can provide unprecedented amounts of useful data for building owners, but they also require extensive security.

Modern buildings are increasingly connected to the rest of the world through new technology and a series of internet of things (IoT) devices. This brings many benefits to these facilities, but it also increases their vulnerability to cyberattacks. Intelligent buildings, with their integrated control systems and data-collection capabilities, represent the future of facilities management, but they also create an increasingly tempting target for hackers.

The Rise of Intelligent Buildings

Advancements in smart building technology have revolutionized the day-to-day management of buildings. Almost every aspect of a facility can now be controlled remotely through interconnected sensors and computers, from heating, ventilation and air conditioning (HVAC) to air filtration, fire protection, elevators, building security and more. Proactive, protective and energy-efficient property management are just some of the features owners, operators and tenants now expect.

As the world emerges to an evolving, post-pandemic workplace, smart buildings are fulfilling new demands such as greater control and monitoring of indoor air quality, detailed awareness of occupancy as people move through the space, and greater control over access to the facility. The increased data collection, analysis and control made possible by modern intelligent building systems also helps position properties to address new health threats as well as future environmental sustainability requirements.

Where to Look for Unexpected Vulnerabilities

Early building control systems were not traditionally built with system security in mind. They were self-contained, nearly impervious to external access, and it would take a physical breach to compromise them. Thanks to the proliferation of IoT devices connecting modern buildings with the outside world, the danger of cyberattacks is growing exponentially.

Motion sensors are among the internet-connected devices that can be found in modern commercial buildings of all kinds.

But what does a connected lobby monitor displaying a welcome message to visitors have to do with securing payroll records? Think of it this way: If car keys are left in an unattended, unlocked vehicle often enough, it shouldn’t be surprising if it is eventually stolen. And if that automobile also has an automatic garage door opener, the enterprising thief could possibly gain access to a home. The same holds true for unprotected devices connected to building systems. Easily guessed passwords or unchanged, easily found default passwords set by the equipment manufacturer can make a hacker’s job effortless.

The sheer number of IoT devices makes them uniquely vulnerable. According to IoT Analytics, the number of connected IoT gadgets was expected to grow 18% in 2022 to 14.4 billion devices globally. The trend also spotlights the increased dangers property owners and cybersecurity professionals will face. And it’s not just the business aspects that are worrisome; the health, safety and well-being of anyone — staff, customers, the public — who might be in an environment could be affected by compromised systems.

Limiting Access and Opportunity

While data theft often gets the most attention, other threats can be just as costly and potentially more dangerous. Protecting systems that control and monitor facility operations is also needed. Reliability and integrity are important, but these systems also have the potential to impact occupants’ health and safety. Everything from major power stations to personal medical devices could be at risk. The nonstop collection of information by IoT devices about individual environments and circumstances could also seriously impact how business and personal decisions are made. Fortunately, better protection measures are being developed, although there is still a long way to go.

Here are some IoT security tips to better protect buildings and operations:

  • IoT devices should have unique passwords for each unit.
  • Follow a mandatory best practice of always changing the default username and password for any device connecting to the internet.
  • Follow a regular routine of software and firmware patches and updates to reduce risk exposure.
  • Document your systems thoroughly. Too often a company doesn’t have accurate system information, and you can’t manage what you don’t know.
  • Perform cybersecurity testing of systems on a routine basis. The systems themselves are not static and new vulnerabilities are discovered every day, so it is important to stay current.
  • If a device cannot support password, software or firmware updates, do not connect it to a system; at a minimum, those less-secure devices should be segregated from more critical systems.
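The tips above translate directly into a recurring inventory audit. What follows is an added example, not code from the article or from ESD: a Python script that checks a constructed device inventory for unchanged vendor defaults, passwords reused across units, stale or undocumented firmware, and non-updatable devices that share a network segment with a critical system. The device names, segment names, dates and the default-credential list are all constructed for illustration; a real audit would draw them from the documented inventory and vendor manuals.

```python
# Added example (not from the article): audit a constructed building-IoT
# inventory against the hardening tips above. Device data, segment names and
# the default-credential list are all constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from hashlib import sha256
from typing import Optional

# Constructed list of factory-default username/password pairs. In practice this
# comes from the vendor documentation for each product actually deployed.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "password")}


@dataclass(frozen=True)
class Device:
    name: str
    kind: str                      # e.g. "motion sensor", "HVAC controller"
    username: str
    password: str
    firmware_date: Optional[date]  # last known firmware update; None = undocumented
    supports_updates: bool         # can passwords/firmware be changed at all?
    segment: str                   # network segment the device sits on
    critical: bool = False         # life-safety or business-critical system?


def audit(devices, today, max_firmware_age_days=180):
    """Return a sorted list of (device name, finding) pairs."""
    findings = set()

    # Tip: default credentials must be changed.
    for d in devices:
        if (d.username, d.password) in DEFAULT_CREDENTIALS:
            findings.add((d.name, "default-credentials"))

    # Tip: each unit needs its own password. Group by hash so the report
    # never has to carry plaintext secrets around.
    by_hash = defaultdict(list)
    for d in devices:
        by_hash[sha256(d.password.encode()).hexdigest()].append(d.name)
    for names in by_hash.values():
        if len(names) > 1:
            for n in names:
                findings.add((n, "shared-password"))

    # Tips: firmware must be current, and the inventory must record it.
    for d in devices:
        if d.firmware_date is None:
            findings.add((d.name, "undocumented-firmware"))
        elif today - d.firmware_date > timedelta(days=max_firmware_age_days):
            findings.add((d.name, "stale-firmware"))

    # Tip: devices that cannot be updated must not share a segment with
    # critical systems.
    critical_segments = {d.segment for d in devices if d.critical}
    for d in devices:
        if not d.supports_updates and d.segment in critical_segments:
            findings.add((d.name, "needs-segregation"))

    return sorted(findings)


# Constructed inventory for a small demonstration.
TODAY = date(2023, 4, 1)
INVENTORY = [
    Device("lobby-display-1", "signage", "admin", "admin", date(2021, 6, 1), True, "building-net"),
    Device("motion-2f-01", "motion sensor", "ops", "Sensor2023!", date(2023, 1, 15), True, "building-net"),
    Device("motion-2f-02", "motion sensor", "ops", "Sensor2023!", date(2023, 1, 15), True, "building-net"),
    Device("hvac-ctrl-main", "HVAC controller", "ops", "Kx9#pLm2vQ", date(2023, 3, 1), True, "building-net", critical=True),
    Device("legacy-badge-reader", "access control", "svc", "Zq7!wRt4nB", None, False, "building-net"),
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, TODAY):
        print(f"{name:22} {finding}")
```

Run against the constructed inventory, the audit flags the lobby display for unchanged defaults and stale firmware, both motion sensors for sharing one password, and the legacy badge reader both for missing firmware records and for sitting on the same segment as the critical HVAC controller without any way to be patched. Re-running the same check on a schedule is the cheapest way to keep the "document your systems" and "test routinely" tips honest.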

Creating a Cybersecurity Action Plan

Between information technology (IT), operational technology (OT) and the internet of things (IoT), there are many T’s to cross to keep a company safe from cyberattacks. As IT and OT systems become increasingly intertwined, it is clear a unified approach to security is needed. But who should take charge? According to a survey by ASIS, an association for security professionals, the biggest obstacles keeping organizations from adapting to combined systems revolve around staffing issues. Physical security departments often operate amid siloed traditions and functions. Personnel are often hesitant to give up or share control of what they consider to be core competencies, including people management, intelligence and investigations. IT professionals can be equally rooted in their own routines built around the latest technology, system innovations and cyberthreats. Loss of authority, status, control or staff are equally feared by both groups.

Despite these hesitations, companies are beginning to understand that both OT and IT systems need to be managed holistically under the umbrella of risk management. Communication is key to successful convergence.

In many instances, IT is the gatekeeper to what IoT devices are allowed on a company’s network. Bringing IT and OT stakeholders together early in the project design development process — preferably during the master planning phases — can help avoid conflicts and eliminate delays in implementation schedules. While it is common for organizations to put their intelligent building systems and individual IoT components on the company’s enterprise network, it comes with inherent cybersecurity risk. If devices are not thoroughly vetted, tested and approved by IT, chances are they will not be allowed to connect, potentially leading to missed expectations and lost operational opportunities.

Finally, being more integrated and interconnected does not necessarily mean a facility is more vulnerable. Having more IoT can actually make building automation systems safer if the integration of these devices and systems drives more and better engagement about cybersecurity between risk-management and facility-management stakeholders. Creating and following best practices can lead to better security, improved operations, reduced utility consumption and increased occupant comfort, delivering on the promise of the intelligent building.

Coleman Wolf, CPP, CISSP, is the security services studio leader at global engineering and technology firm ESD.

Cybersecurity is a Journey, Not a Destination

Implementing a successful cybersecurity risk-management plan is a cycle that begins with awareness and works through implementation before starting over again. While it is worth engaging a qualified third-party expert to help guide you along the way and conduct follow-up inspections, there are specific steps every company should take now:

  • Get the IT and OT teams together now
  • Obtain support from top down to address organizational risks
  • Work jointly to identify gaps in security measures
  • Develop a unified cybersecurity policy
  • Develop mitigation strategies
  • Know the company’s security posture
  • Document your systems (“You can’t manage what you don’t know”)
  • Assess vulnerabilities and risk
  • Run vulnerability scans
  • Conduct a black-box assessment
  • Do a white-box assessment
  • Conduct penetration testing
  • Test social engineering
  • Conduct regular checkups to reassess posture and assess corrective measures