How connected is your building? Today’s facilities are more vulnerable to cybercrimes due to their increasingly digitized and connected nature.

Don’t Let Your Building Be an Easy Target for Cyberattacks

Feb. 17, 2025
In today’s digital age, cybercriminals may be lurking in a building’s HVAC system or elevator controls, seeking to exploit vulnerabilities in building management systems to disrupt operations and steal sensitive data. How can facility managers partner with IT to boost cybersecurity?

As building management systems are increasingly digitized and connected to the internet—including HVAC, fire alarms, access card readers, security cameras, and energy management—facilities are more vulnerable to cybercrimes.

Hackers are targeting buildings and their internet-connected facilities devices to wreak havoc. The more devices connected to a network, the larger the attack surface: it takes just one unmanaged device or one unpatched vulnerability to cause mayhem.

“As technology has grown and our digital footprint has expanded, we've just opened more back doors and even front doors into our infrastructure,” said Ray Spangler, chief technology officer at engineering and architecture firm Barge Design Solutions. “Whether it's coming in through an IoT device that’s maybe unmanaged sitting out there, or some legacy system, the cyberthreat landscape has expanded so much.”

Consequences of Cyberattacks

If bad actors gain access to a building’s control system, they can hijack elevators, disable the power supply, and tamper with lighting systems. This could result in evacuation, substantial downtime, and significant financial losses. Hackers can also endanger occupants by manipulating temperatures in extreme weather conditions or disabling fire alarms.

However, cyberattackers might not be interested in the building system at all; they may see it only as a convenient entry point into the corporate network. Building systems are usually less hardened than IT networks, and where the operational technology (OT) network is not segmented from the enterprise network, a foothold on a controller or gateway becomes a foothold on corporate systems, leading to data breaches and large monetary losses.

“They maybe want the IT asset, but finding a way through the typical doorways has proven difficult for the hacker,” explained Fred Gordy, national practice lead, building cybersecurity, for Michael Baker International. “Whereas the OT is so open and exposed that a hacker may be able to get into that system and then basically pivot and move into the IT system.”

Malicious actors are using advanced strategies to exploit gaps in OT security, and they’re relentless.

“We have to think in terms of warfare, because that's what this is,” said Gordy. “The bad guys are the laziest, most persistent people you will ever meet. They’re looking for the path of least resistance, but they don't quit.”

Reduce the Threat of Cyberattacks with These Five Steps

1. Collaborate with IT to ensure networks are secure.

“This is no longer just an IT issue,” said Spangler. “This is a business issue, and those policies need to start from the top down.”

Promote open communication and transparency with IT when planning to roll out new systems. Both facility managers and IT, Spangler noted, must remain alert to the latest cyberthreats and work together.

2. Check what systems are exposed on the web.

Facility managers should look for anything that may be unprotected, Gordy pointed out. For example, Wi-Fi that reaches beyond the building's walls increases the risk of unauthorized access and data breaches, and the same goes for device management interfaces or OT protocols that are reachable from the internet. Know what your system is showing the world, Gordy said.

3. Audit and update device inventory.

“Ask yourself, do you know what you have and how it’s connected,” said Gordy. “If you know what's on your network and you're monitoring it, you're going to notice anomalies.” If you’re not, there are consequences.

For example, Gordy’s firm was hired by a large Australian financial company to do an assessment of its facilities. Gordy was informed that there were only four devices on the network.

“When I did my scan, it turned out there were 32 devices connected,” Gordy said. One was a tiny Raspberry Pi, an inexpensive single-board computer that attackers around the world have used as a drop box on networks they should not be on.

“It took me two weeks to find it,” said Gordy. “We don't know if somebody had infiltrated information out of the network or not. That's the thing. A bad guy doesn't necessarily want you to know they're there because they can do things like that—get in there and get data.”

Gordy noted that a Raspberry Pi was used to steal 500 MB of data from a NASA laboratory in 2019. That data breach went undetected for nearly 10 months.
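Steps 2 and 3 above, as an added example that is not code from the article, from Gordy's firm, or from any vendor: a Python script that reconciles what the facility team declared against what a sweep of the building-management VLAN actually found, flags undeclared hosts (identifying a Raspberry Pi by its MAC prefix) and stale inventory entries, and lists OT and remote-access services that are open. The inventory, the scan rows and all MAC addresses are constructed sample data; the script assumes scan results were produced separately (for example by an ARP sweep plus a port scan) and does not run a scan itself. Only the Raspberry Pi and VMware OUI prefixes are real IEEE assignments.

```python
"""Added example (not from the article): reconcile what a facility team
thinks is on the building-management VLAN against what a sweep actually
finds, then flag unknown hosts and exposed OT/remote-access services.
All inventory rows, scan rows and MAC addresses below are constructed
sample data; only the Raspberry Pi and VMware OUI prefixes are real."""

# Constructed: the four devices the facility team declared (MAC -> label).
DECLARED_INVENTORY = {
    "02:a1:00:00:00:10": "HVAC supervisory controller",
    "02:a1:00:00:00:11": "Chiller plant gateway",
    "00:0c:29:11:22:33": "BMS head-end server (VMware VM)",
    "02:a1:00:00:00:40": "Legacy fire panel gateway",  # stale entry
}

# Constructed: rows of the kind an ARP sweep plus a port scan would yield:
# (ip, mac, open ports written as "proto/port").
SCAN_RESULTS = [
    ("10.20.1.10", "02:a1:00:00:00:10", ["udp/47808", "tcp/80"]),
    ("10.20.1.11", "02:a1:00:00:00:11", ["tcp/502", "tcp/23"]),
    ("10.20.1.20", "00:0c:29:11:22:33", ["tcp/443", "tcp/3389"]),
    ("10.20.1.77", "b8:27:eb:4f:12:9a", ["tcp/22", "tcp/5900"]),
    ("10.20.1.78", "06:1f:5e:aa:bb:cc", ["tcp/80"]),
]

# Minimal OUI table (first three octets -> vendor); a subset for illustration.
OUI = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "dc:a6:32": "Raspberry Pi Trading",
    "00:0c:29": "VMware",
}

# Services that should never be reachable beyond designated management hosts.
RISKY_PORTS = {
    "udp/47808": "BACnet/IP",
    "tcp/502": "Modbus/TCP",
    "tcp/23": "Telnet (cleartext)",
    "tcp/3389": "RDP",
    "tcp/5900": "VNC",
}


def vendor(mac):
    """Look up the vendor by OUI; unknown prefixes return 'unknown vendor'."""
    return OUI.get(mac.lower()[:8], "unknown vendor")


def reconcile(declared, scan):
    """Compare declared inventory with scan output.

    Returns (unknown, missing, exposures):
      unknown   - hosts on the wire that nobody declared
      missing   - declared devices the scan did not find (stale inventory)
      exposures - (ip, label, port, service) for risky services seen open
    """
    seen = {mac.lower() for _, mac, _ in scan}
    unknown = [(ip, mac, vendor(mac), ports)
               for ip, mac, ports in scan if mac.lower() not in declared]
    missing = [(mac, label) for mac, label in declared.items() if mac not in seen]
    exposures = [(ip, declared.get(mac.lower(), "UNDECLARED"), p, RISKY_PORTS[p])
                 for ip, mac, ports in scan for p in ports if p in RISKY_PORTS]
    return unknown, missing, exposures


def report(declared, scan):
    """Human-readable summary; returns the lines so callers can log them."""
    unknown, missing, exposures = reconcile(declared, scan)
    lines = [f"declared: {len(declared)}  observed: {len(scan)}"]
    for ip, mac, vend, ports in unknown:
        lines.append(f"UNKNOWN  {ip} {mac} ({vend}) open={ports or 'none'}")
    for mac, label in missing:
        lines.append(f"MISSING  {mac} '{label}' not seen; update inventory")
    for ip, label, port, svc in exposures:
        lines.append(f"EXPOSED  {ip} [{label}] {svc} on {port}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DECLARED_INVENTORY, SCAN_RESULTS)))
```

On the constructed data the script reports five observed hosts against four declared, two undeclared hosts (one of them a Raspberry Pi by OUI), one declared device that was not seen, and five exposed services. Running a reconciliation like this on a schedule, rather than once, is what turns an inventory into the monitoring Gordy describes: a new MAC on the VLAN becomes an alert instead of a two-week hunt.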

4. Control remote access.

For efficiency, service technicians and vendors often log into a building's systems remotely to diagnose problems and make adjustments. Gordy said many of these technicians share one username and password, and that's a problem: with a shared credential it is essentially impossible to know who accessed the network and when. Facility managers need to take back that access control, Gordy noted. Each technician and vendor should have an individual account so every session can be attributed to a person, and when an employee is terminated, their username and password should be revoked immediately.

“I've got stories where former employees have done damage to systems,” Gordy said.
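Step 4 as detection logic, an added example that is not from the article or from Michael Baker International: a Python review of building-system remote-access logs that surfaces the two failures Gordy describes, a credential shared among several technicians and an account that was never revoked after its owner left. The log lines, the account list and the separation dates are constructed sample data, and the log format (ISO timestamp, username, source IP, event) is an assumption; adapt the parser to whatever your VPN or jump host actually writes.

```python
"""Added example (not from the article): review building-system remote-access
logs for a shared vendor credential and for accounts that should have been
revoked when someone left. Log lines, the account list and the separation
dates are constructed sample data; the log format is assumed."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed: one event per line from a VPN or jump host.
# Assumed format: <ISO timestamp> <username> <source ip> <event>
LOG = """\
2025-02-10T08:02:11Z vendor_hvac 203.0.113.5 login
2025-02-10T08:05:40Z vendor_hvac 198.51.100.22 login
2025-02-10T08:09:03Z vendor_hvac 203.0.113.77 login
2025-02-10T09:15:27Z jsmith 192.0.2.40 login
2025-02-10T09:20:00Z vendor_hvac 203.0.113.5 logout
2025-02-11T02:44:10Z jsmith 192.0.2.40 login
2025-02-11T10:01:00Z mjones 192.0.2.41 login
"""

# Constructed: accounts still enabled on the BMS, and HR separation dates.
ENABLED_ACCOUNTS = {"vendor_hvac", "jsmith", "mjones"}
SEPARATED = {"jsmith": date(2025, 2, 1)}


def parse_log(text):
    """Return login events as (timestamp, user, source_ip), oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, ip, event = line.split()
        if event == "login":
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip))
    return sorted(events)


def shared_credential_suspects(events, window=timedelta(hours=1), min_ips=3):
    """Accounts that logged in from >= min_ips distinct sources within one
    window. One person rarely does that; a password passed around a
    vendor's technicians does. Returns {user: set_of_source_ips}."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    suspects = {}
    for user, logins in by_user.items():
        for i, (start, _) in enumerate(logins):
            ips = {ip for ts, ip in logins[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                suspects[user] = ips
                break
    return suspects


def revocation_gaps(events, enabled, separated):
    """Two findings per departed user: the account is still enabled, and any
    login after the separation date. Returns (still_enabled, late_logins)."""
    still_enabled = sorted(u for u in separated if u in enabled)
    late_logins = [(ts.isoformat(), user, ip)
                   for ts, user, ip in events
                   if user in separated and ts.date() > separated[user]]
    return still_enabled, late_logins


def review(log_text=LOG, enabled=ENABLED_ACCOUNTS, separated=SEPARATED):
    """Run both checks and return the findings as a dict."""
    events = parse_log(log_text)
    still_enabled, late_logins = revocation_gaps(events, enabled, separated)
    return {
        "shared_credentials": shared_credential_suspects(events),
        "not_revoked": still_enabled,
        "post_separation_logins": late_logins,
    }


if __name__ == "__main__":
    for finding, detail in review().items():
        print(f"{finding}: {detail}")
```

The one-hour, three-source threshold is a starting point, not a rule: a vendor with a single support desk will show one or two source addresses, while a credential handed to a whole field team shows up from many networks within minutes. The revocation check is only as good as the HR feed behind it, which is why the separation list is an input rather than something the script guesses.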

5. Train staff to recognize red flags and respond to cyberthreats.

Provide ongoing cybersecurity awareness training for employees, which should include possible threats and how to prevent them. For example, facility managers should educate staff on social engineering tactics, phishing scams, and malware protection.

“Right now, social engineering and phishing are my biggest concerns,” noted Spangler.

An example is the 2023 MGM Resorts ransomware attack that cost the company $100 million and allowed the cybercriminals to steal customers' personal information. The attack started with a help desk call and ended with outages of the company’s internal networks, slot machines, ATMs, digital room key cards, and electronic payment systems.

“That was a simple call to their help desk by someone masquerading as an employee to convince the help desk to reset their password. That’s how they got in,” Spangler explained. “It's about training your staff so that they don't get fooled by these social engineering tactics.”

However, no matter how strong a facility manager's cybersecurity measures are, an incident can still occur. Spangler recommends developing a business continuity plan for the event of a cyberattack. It should include a contact list of first responders and a step-by-step incident response plan.

About the Author

Liz Wolf

Liz Wolf is a Twin Cities, Minnesota-based freelance business writer specializing in commercial real estate.
