# Smart Building Cybersecurity
## Definition
A smart building is a facility in which physical systems are managed through networked, IP-connected controllers rather than isolated, manually operated equipment. The systems that fall under this definition are broad: HVAC (heating, ventilation, and air conditioning), lighting control, physical access control (badge readers, door locks, turnstiles), elevator and escalator management, fire detection and suppression, security camera systems, digital signage, and metering and energy management systems. In modern commercial construction, all of these systems are typically connected to a building automation system (BAS), a centralized software platform that monitors and controls them from a single interface.
The appeal of this architecture is real: centralized management reduces operating cost, energy efficiency algorithms improve through data collection, remote access allows facilities teams to respond to issues without dispatching technicians, and building performance data feeds sustainability reporting. These are legitimate business benefits that explain why BAS adoption has expanded across commercial real estate, hospitals, universities, government facilities, and industrial campuses.
The cybersecurity problem is structural. Building systems were designed, procured, and operated by facilities management teams whose expertise is in building operations, not information security. The vendors who build BAS controllers and field devices (Honeywell, Johnson Controls, Siemens Building Technologies, Schneider Electric, Distech Controls, Trane) have historically operated in a market where security was not a purchasing criterion and compliance requirements did not reach building systems. The result: equipment deployed at scale running outdated embedded operating systems, configured with default credentials, connected to IP networks without firewall protection, and receiving no security monitoring.
Within CDA's Planetary Defense Model, smart building security is owned by SPH (Security Posture and Hygiene), the terrain layer. The terrain is what an organization controls: its own physical and logical environment. APC (Autonomous Posture Command) applies here because the threat is not primarily external adversaries with novel capabilities. It is an organization's own environment drifting out of a secure configuration because no one is watching it. Smart building systems are one of the most common examples of this drift.
## How It Works
### Building Automation System Architecture
A modern BAS typically follows a three-tier hierarchy. At the bottom are field-level devices: sensors measuring temperature, humidity, occupancy, and CO2; actuators controlling dampers, valves, and variable speed drives; and controllers managing individual pieces of equipment (a specific air handling unit, a lighting zone, an access point). In the middle tier are area or floor controllers that aggregate data from multiple field devices and execute the control logic for a building zone. At the top is the building management system (BMS) software, a graphical user interface that presents the entire building in a unified view, allows operators to override setpoints, and provides logging and alarming.
The communication between these tiers typically uses building-specific protocols (BACnet over IP or MS/TP, Modbus, LonWorks, or vendor-proprietary protocols) rather than general-purpose IT protocols. Many BAS controllers are embedded devices running Linux or a real-time operating system (RTOS) on constrained hardware, with web interfaces for configuration and remote access.
The internet-connected layer sits above the BMS: cloud platforms for remote management, vendor portals for remote support and diagnostics, and integration APIs that feed building data into enterprise systems or analytics platforms. This layer is where external attack surface is created. A BMS with a web interface accessible over the internet, a vendor remote access portal with reused credentials, or a cloud integration that exposes an API key are all entry points that did not exist when building systems were physically isolated.
### Physical Access Control Systems
Electronic physical access control is a common target of both cyber and physical attacks against buildings. The systems involved are card readers using RFID or NFC technology (HID ProxCard, Mifare, iClass), controllers that manage door locks and validate credentials against an access database, and the access management software that defines which credentials can open which doors at which times.
The cybersecurity weaknesses in physical access control are multiple. Many access controllers communicate with their management software over unencrypted protocols across the building network. The legacy Wiegand protocol, used by the majority of installed card readers to communicate with their local controller, transmits credential data in plaintext with no encryption and no authentication, making it trivially interceptable with inexpensive hardware. Older card technologies (HID 125kHz ProxCard) are trivially cloneable with a device that can be concealed in a wallet or pocket.
The convergence risk is bidirectional. Compromising the access control system from the network allows an attacker to modify door schedules, grant persistent access to arbitrary credentials, or disable alarm logging for specific access events. Conversely, physical access to network closets containing building controllers allows an attacker to connect to the building network and potentially pivot to corporate systems.
### Security Camera Systems
IP camera systems (CCTV and IP video surveillance) are ubiquitous in modern buildings and present a consistently underdefended attack surface. The camera market has historically been dominated by vendors with poor security practices: default credentials that ship enabled and are never changed, unpatched embedded Linux firmware with known vulnerabilities, and management systems with weak authentication.
The Mirai botnet's initial propagation in 2016 was primarily through IP cameras and DVRs using default credentials. Two of the most common examples: Axis Communications cameras shipped with root/root or root/pass until forced by market pressure to change this; Hikvision cameras were found at scale with default admin credentials and, in a more severe finding, with a backdoor authentication bypass vulnerability (CVE-2021-36260, a CVSS 9.8 critical command injection via the ISAPI interface) that allowed unauthenticated root access.
Camera systems on building networks are frequently connected to both the building management VLAN and, in some configurations, the corporate IT network for management access. This positioning makes them valuable pivot points: compromise a camera, gain a network foothold adjacent to both OT and IT segments.
### Fire, Life Safety, and Elevator Systems
Fire alarm systems are increasingly IP-networked, with central monitoring panels connected to reporting services over IP rather than traditional phone lines. Elevator controllers in modern buildings use IP connectivity for remote diagnostics and maintenance dispatch. These systems raise a specific concern: they are subject to life safety regulations and may have mandatory alarm reporting to authorities. Compromise that manipulates these systems (triggering false alarms, suppressing real alarms, or causing elevator faults) has consequences that extend well beyond data security.
Life safety systems are often explicitly carved out of IT security governance because they fall under different regulatory frameworks (NFPA 72 for fire alarm systems, ASME A17.1 for elevators) administered by building code authorities rather than IT compliance programs. This governance gap means they may have no security baseline requirements at all, even as they become more network-connected.
## Why It Matters
The Target breach of 2013 is the canonical case study in building systems as a corporate network entry point, and it remains relevant over a decade later because the conditions that enabled it are still common.
Target Corporation's retail networks included an HVAC monitoring portal that provided Fazio Mechanical, an HVAC contractor, with remote access to monitor refrigeration and HVAC performance at Target stores. Fazio's employees had neither the security awareness nor the security tooling to recognize a phishing email. Attackers compromised Fazio via phishing, extracted the credentials used to access Target's HVAC portal, and used those credentials to log into Target's vendor portal. Once inside Target's network through the HVAC portal, they moved laterally to the payment processing network and deployed POS malware that captured approximately 40 million payment card numbers over a period of several weeks.
The specific failure chain: an HVAC contractor with elevated network access, credentials protected only by a password (no MFA), vendor access portal not network-segmented from sensitive payment infrastructure, no monitoring that would have flagged the HVAC portal accessing payment systems. Each of these failures is still common in organizations that have not specifically addressed building system security.
The Target breach produced $202 million in settlements and remediation costs. The reputational damage contributed to the resignation of both the CEO and CIO. The initial entry point was a phishing email to an HVAC contractor.
Beyond the pivot-to-IT risk, building system compromise has direct operational consequences. An attacker who controls HVAC in a data center can manipulate temperature thresholds to cause thermal shutdowns or accelerate hardware degradation. An attacker who controls access control can physically lock occupants out of secure areas or, conversely, grant unlimited access to adversary-controlled physical credential holders. An attacker who manipulates fire suppression systems in a server room context introduces risks that are catastrophic and irreversible.
## Technical Details
### Default Credential Exposure
Default credentials are endemic in building systems, more so than in most other technology categories because building system vendors operated in markets where security was not a purchasing criterion and security researchers rarely focused on building automation equipment.
Representative examples of documented default credentials in building systems:
- Honeywell EBI (Enterprise Buildings Integrator): default administrative credentials have been documented in multiple vulnerability disclosures and in vendor manuals that are publicly accessible.
- Siemens Desigo CC: default installation credentials documented in product documentation.
- Johnson Controls Metasys: default credentials historically shipped with installations; multiple CVEs document authentication bypass vulnerabilities in web-based access.
- Schneider Electric EcoStruxure: multiple CVEs covering authentication weaknesses and hardcoded credentials in field devices.
- Axis Communications cameras: factory default root/pass credentials enabled by default through 2015; CVE-2018-10660 documented a shell command injection vulnerability in the configuration interface.
The pattern is consistent: vendors shipped products with credentials intended for initial setup and did not enforce or encourage credential changes at installation. Installers optimized for speed and reliability, not security. Building owners had no mechanism to audit what credentials were active on their systems.
### Network Architecture Weaknesses
The most common architectural failure in smart building security is the absence of meaningful network segmentation between building systems and the corporate IT network. In many commercial buildings, BAS controllers, IP cameras, and access control systems are on the same flat network or on a VLAN with unrestricted routing to the corporate network. The reason is usually convenience: facilities staff need to access BAS from their workstations, and creating a segmented network with controlled routing requires IT involvement that was either not sought or not prioritized.
A properly segmented smart building network architecture includes:
- a dedicated BAS VLAN that has no direct routing to corporate IT networks;
- access to the BAS VLAN from IT networks only through a jump host or bastion server with logging, MFA, and session recording;
- vendor remote access through a VPN terminated at a DMZ, not through a credential-based portal with direct network access;
- IP cameras on a dedicated surveillance VLAN with outbound-only internet access to a monitoring platform and no path to corporate resources.
The concept of a unidirectional security gateway (data diode) is relevant for environments where building sensor data needs to flow to IT analytics systems but where no bidirectional communication is required. A data diode allows data to flow in one direction only by design, eliminating the possibility of using the data path as an attack vector from IT to OT.
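The reference architecture above can be checked as policy-as-code: given the allowed inter-zone flows from the firewall, confirm that corporate IT reaches the BAS only via the jump host, that nothing routes from the BAS back into corporate, that vendor access terminates in the DMZ, that cameras reach only their monitoring platform, and that the analytics feed is one-way as a data diode would enforce. The following is an added example, not CDA's own tooling; the zone names, the two flow tables, and the rule wording are assumptions chosen to illustrate the checks, and a real run would load the flow table from the firewall configuration.

```python
"""Segmentation policy check for a smart building network (added example, not CDA code).

Zones, flow tables and rule names below are assumptions for illustration.
Each flow is (source zone, destination zone, human-readable label).
"""
from collections import deque
from typing import Iterable, List, Set, Tuple

Flow = Tuple[str, str, str]

def reachable(flows: Iterable[Flow], start: str, blocked: Iterable[str] = ()) -> Set[str]:
    """Zones reachable from `start` by following allowed flows, never transiting `blocked` zones."""
    blocked = set(blocked)
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _ in flows:
            if src == zone and dst not in seen and dst not in blocked:
                seen.add(dst)
                queue.append(dst)
    return seen

def check_segmentation(flows: List[Flow]) -> List[str]:
    """Return violations of the reference design; an empty list means the ruleset conforms."""
    violations = []
    # 1. Corporate IT reaches the BAS VLAN only through the jump host (bastion).
    if "bas" in reachable(flows, "corp", blocked={"jump"}):
        violations.append("corp can reach bas without passing through the jump host")
    # 2. The BAS VLAN has no route back into corporate IT.
    if "corp" in reachable(flows, "bas"):
        violations.append("bas has a path to corp")
    # 3. Vendor remote access lands on the DMZ VPN, never directly on BAS or corp.
    for src, dst, _ in flows:
        if src == "vendor" and dst in ("bas", "corp"):
            violations.append(f"vendor has direct access to {dst}")
    # 4. Cameras reach only the monitoring platform and have no path to corporate resources.
    camera_paths = reachable(flows, "cameras") - {"cameras"}
    if camera_paths - {"monitoring"}:
        violations.append(f"cameras can reach {sorted(camera_paths - {'monitoring'})}")
    # 5. Telemetry to analytics is one-way; analytics must not initiate traffic into bas.
    if any(src == "analytics" and dst == "bas" for src, dst, _ in flows):
        violations.append("analytics can initiate traffic into bas (no unidirectional gateway)")
    return violations

# Constructed flow tables (assumptions, not from any real firewall).
FLAT_FLOWS: List[Flow] = [
    ("corp", "bas", "any"), ("bas", "corp", "any"),
    ("corp", "cameras", "any"), ("cameras", "corp", "any"),
    ("vendor", "bas", "vendor portal with direct network access"),
    ("analytics", "bas", "bidirectional integration"), ("bas", "analytics", "telemetry"),
]

SEGMENTED_FLOWS: List[Flow] = [
    ("corp", "jump", "ssh/rdp to bastion with MFA and session recording"),
    ("jump", "bas", "operator sessions from bastion only"),
    ("vendor", "dmz_vpn", "vendor VPN terminated in DMZ"),
    ("dmz_vpn", "jump", "vendor sessions continue through the bastion"),
    ("cameras", "monitoring", "outbound-only video to monitoring platform"),
    ("bas", "analytics", "one-way sensor telemetry (data diode)"),
]

if __name__ == "__main__":
    for name, flows in (("flat", FLAT_FLOWS), ("segmented", SEGMENTED_FLOWS)):
        print(name, check_segmentation(flows) or "conforms to reference design")
```

The check treats the jump host as a transit point rather than a flow endpoint, so a rule that lets corporate workstations reach the BAS directly is reported even when a bastion also exists; the MFA, logging and session recording requirements on the bastion itself are outside what a flow table can express and still need a separate control review.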
### Patch and Update Management
Building system controllers typically run for 10 to 20 years without hardware replacement. Many run embedded operating systems that are no longer receiving security updates. The patching process, where it exists at all, requires coordination with the BAS vendor, a maintenance window, and physical access or an authenticated remote connection, creating friction that results in patches being deferred indefinitely.
The consequence: building controllers running Linux kernels from 2012, web server software with CVEs from 2015, and TLS implementations that do not support current cipher suites. These are not hypothetical risks. They are the current state of most commercial building automation systems in operation.
## CDA Perspective
Smart building cybersecurity is a precise expression of what APC (Autonomous Posture Command) addresses: "Your posture adapts. Your hygiene never sleeps." Building systems fail because no one is watching them. Credentials are never rotated. Segmentation is never audited. Vendor access is never reviewed. The posture drifts from "configured reasonably" to "completely uncontrolled" over months and years while the facilities team manages the building and the security team manages the IT network, and nobody owns the intersection.
CDA's approach to smart building security begins with the same step as all SPH work: inventory. Before you can manage the posture of building systems, you need to know what is on the network. This is harder than it sounds in building environments because BAS devices often appear on network scans as undifferentiated IP endpoints with no obvious organizational relationship to the building system. Protocol-aware discovery (using BACnet Who-Is broadcasts, Modbus scanning, and vendor-specific discovery tools) is required to build an accurate picture.
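Protocol-aware discovery over BACnet/IP works by broadcasting a Who-Is and folding the I-Am replies into an inventory keyed by device instance. The following is an added example, not CDA's or any vendor's tooling: it encodes a Who-Is frame and parses I-Am replies according to the ASHRAE 135 BACnet/IP layout (BVLC header, NPDU, APDU), and it runs offline against two I-Am frames constructed by hand for the example rather than captured from real equipment. The device instances, vendor ids and max-APDU values in those frames are assumptions.

```python
"""BACnet/IP Who-Is encoder and I-Am parser for asset discovery (added example, not CDA code).

Frame layout follows ASHRAE 135 BACnet/IP: BVLC (4 bytes) + NPDU + APDU.
The sample I-Am replies below are constructed for offline use, not captured traffic.
"""
import struct
from typing import Dict, List, Optional, Tuple

BVLC_TYPE = 0x81
BVLC_ORIGINAL_BROADCAST = 0x0B
PDU_UNCONFIRMED = 0x1
SERVICE_I_AM = 0x00
SERVICE_WHO_IS = 0x08
OBJECT_TYPE_DEVICE = 8

def _encode_unsigned(value: int) -> bytes:
    """Minimal big-endian encoding used for BACnet unsigned values."""
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")

def build_who_is(low: Optional[int] = None, high: Optional[int] = None) -> bytes:
    """Encode a global-broadcast Who-Is, optionally limited to a device instance range."""
    apdu = bytes([PDU_UNCONFIRMED << 4, SERVICE_WHO_IS])
    if low is not None and high is not None:
        for tag, value in ((0, low), (1, high)):
            enc = _encode_unsigned(value)
            apdu += bytes([(tag << 4) | 0x08 | len(enc)]) + enc  # context tags 0 and 1
    # NPDU: version 1; control 0x20 = destination present; DNET 0xFFFF = global broadcast,
    # DLEN 0 (broadcast), hop count 255.
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])
    bvlc = struct.pack(">BBH", BVLC_TYPE, BVLC_ORIGINAL_BROADCAST, 4 + len(npdu) + len(apdu))
    return bvlc + npdu + apdu

def _skip_npdu(frame: bytes, offset: int) -> int:
    """Return the APDU offset, skipping optional NPDU destination/source address fields."""
    version, control = frame[offset], frame[offset + 1]
    if version != 0x01:
        raise ValueError("unsupported NPDU version")
    offset += 2
    if control & 0x20:  # destination: DNET(2) DLEN(1) DADR(DLEN)
        offset += 3 + frame[offset + 2]
    if control & 0x08:  # source: SNET(2) SLEN(1) SADR(SLEN)
        offset += 3 + frame[offset + 2]
    if control & 0x20:  # hop count follows the address fields
        offset += 1
    return offset

def _read_app_tag(frame: bytes, offset: int) -> Tuple[int, bytes, int]:
    """Decode one application-tagged value: (tag number, raw value bytes, next offset)."""
    tag_byte = frame[offset]
    if tag_byte & 0x08:
        raise ValueError("context tag where an application tag was expected")
    tag_num, length, offset = tag_byte >> 4, tag_byte & 0x07, offset + 1
    if length == 5:  # extended length lives in the following byte
        length, offset = frame[offset], offset + 1
    return tag_num, frame[offset:offset + length], offset + length

def parse_i_am(frame: bytes) -> Optional[Dict[str, int]]:
    """Parse a BACnet/IP frame; return device facts for an I-Am, None for anything else."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE:
        return None
    _, _, declared_len = struct.unpack(">BBH", frame[:4])
    if declared_len != len(frame):
        return None  # truncated or padded frame: do not trust it
    offset = _skip_npdu(frame, 4)
    if frame[offset] >> 4 != PDU_UNCONFIRMED or frame[offset + 1] != SERVICE_I_AM:
        return None
    tag, raw, offset = _read_app_tag(frame, offset + 2)
    if tag != 12 or len(raw) != 4:  # BACnetObjectIdentifier: 10-bit type, 22-bit instance
        return None
    obj = int.from_bytes(raw, "big")
    if obj >> 22 != OBJECT_TYPE_DEVICE:
        return None
    result = {"device_instance": obj & 0x3FFFFF}
    for field in ("max_apdu", "segmentation", "vendor_id"):
        _, raw, offset = _read_app_tag(frame, offset)
        result[field] = int.from_bytes(raw, "big")
    return result

def inventory(frames: List[bytes]) -> Dict[int, Dict[str, int]]:
    """Fold a capture of replies into an inventory keyed by device instance."""
    devices: Dict[int, Dict[str, int]] = {}
    for frame in frames:
        info = parse_i_am(frame)
        if info is not None:
            devices[info["device_instance"]] = info
    return devices

# Constructed sample replies (assumed values, not real equipment):
SAMPLE_REPLIES = [
    # device 1, max APDU 1476, segmentation 3 (none), vendor id 7
    bytes.fromhex("810b00180120ffff00ff1000c4020000012205c491032107"),
    # device 1234 reached via a BACnet router (source address present), max APDU 480, vendor id 260
    bytes.fromhex("810b001d0128ffff0000010105ff1000c4020004d22201e09100220104"),
    # a Who-Is from another workstation: parsed and ignored because it is not an I-Am
    build_who_is(),
]

if __name__ == "__main__":
    for instance, info in sorted(inventory(SAMPLE_REPLIES).items()):
        print(instance, info)
```

On a live network the Who-Is bytes would be sent to UDP port 47808 on the BAS VLAN's broadcast address and every reply passed through `inventory`; the vendor id maps to a manufacturer through the ASHRAE-registered vendor list, which this example leaves as a number so that no mapping is assumed.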
The governance gap is a primary focus in CDA engagements that include building systems. Facilities management and IT security must share ownership of building network access, credential policy, and patch management. In most organizations, this requires explicit cross-functional policy, not just a verbal understanding. CDA recommends a formal asset classification that brings all IP-connected building systems under the IT asset management program, with security ownership assigned and monitored.
Physical security convergence is a CDA differentiator: IAT (Identity Access and Trust) and SPH both have roles in building security. The identity layer owns who can access building systems and with what credentials; the hygiene layer owns the security posture of the systems themselves. A complete building security posture requires both domains working in alignment.
## Key Takeaways
- Building automation systems (HVAC, lighting, access control, cameras, fire systems) are IP-networked, often connected to corporate IT networks, and almost universally under-secured relative to the access they provide.
- The Target breach (2013) demonstrates the real attack path: phishing an HVAC vendor, extracting credentials, pivoting through the building management portal to the payment network. The conditions that enabled that breach are still present in most organizations.
- Default credentials are endemic in building systems. An inventory of all building devices followed by a complete credential audit is a mandatory first step in any building security program.
- Network segmentation between building systems and corporate IT is the single highest-impact control. Building systems that cannot authenticate commands (Modbus, BACnet) must be protected by controlling who can reach them.
- Patch management for building controllers is systematically neglected. A realistic program establishes a firmware inventory, identifies end-of-life devices, and creates a replacement roadmap rather than expecting 15-year-old controllers to receive patches.
- Governance is the root cause: facilities and IT must share ownership of building system security, with explicit policies, assigned accountability, and regular review of vendor access and network topology.
## Sources
United States Senate Committee on Commerce, Science, and Transportation. "A 'Kill Chain' Analysis of the 2013 Target Data Breach." U.S. Senate, 2014. https://www.commerce.senate.gov/services/files/24D3C229-4F2F-405D-B8D2-891F831C5E47
CISA. "Risk Considerations for Managed Service Provider Customers." CISA Insight, 2020. https://www.cisa.gov/sites/default/files/publications/CISA_Insights_Risk_Considerations_for_MSP_Customers_S508C.pdf
Johnson Controls Institute for Building Efficiency. "Building Automation System Cybersecurity." Johnson Controls, 2023.
NIST. "Guide to Industrial Control Systems (ICS) Security." NIST SP 800-82 Rev. 3, 2023. https://csrc.nist.gov/publications/detail/sp/800-82/rev-3/final
ASHRAE. "Guideline 13-2015: Specifying Building Automation Systems." ASHRAE, 2015.
Arkin, Omar and Bitan, Yair. "Project Basecamp: Taking Down Industrial Control Systems." Digital Bond, 2012.
CDA, LLC. Planetary Defense Model Master Reference. CDA Canon, 2026.