Commercial facilities are an appealing target for cyberattacks for many reasons. It’s time to step up cybersecurity practices.

Smart Buildings Require Smart Cybersecurity: 5 Tips for FMs

July 19, 2023
It’s time to adopt a mindset of zero trust when it comes to cybersecurity. Harden your facility against attacks with these 5 protocols for facilities departments.

Why are commercial facilities an appealing target for cyberattacks? While most businesses protect employee and financial data, they overlook a simple fact—every building system connected to the internet is at risk of being hacked. It’s a massive opportunity for a bad actor to not only disrupt operations but endanger lives.

While cybersecurity practices may feel daunting, they’re not a lost cause. Every precaution your organization implements fortifies the digital side of your building’s footprint.

“Don’t get overwhelmed—just start. Cybersecurity is a process you have to mature through,” stressed Fred Gordy, director of OT risk assessment with Michael Baker International. “The goal is to be less vulnerable than you were yesterday.”

Weaponizing Commercial Buildings

Did you know that real estate is considered critical infrastructure by both the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency? One reason is that facilities are prime targets for a threat known as killware.

“Rather than a type of virus, killware attacks are meant to cause property damage, human harm and even deaths,” Gordy explained. “It doesn’t take much either. Boilers can be turned into bombs, lights turned off so people fall down stairs and electrical panels shorted to start fires.”

“Most people can’t imagine what could go wrong with a building if it were hacked. But if someone gets control of its operational systems, they can make it a dangerous place,” added Jim McGlone, CTO of Automation Strategy & Performance, Inc. “For example, there was an attempted attack in 2021 on a water treatment plant—the goal was to poison the water by altering chemical levels. Private and public buildings are just as vulnerable to being weaponized.”

How is this possible? First, many building systems are openly exposed on the internet with few security protections. IoT devices are a double-edged sword because everything is connected. Once an attacker breaks through one point, the rest of the network is accessible.

Second, an interface or direct communication between building and corporate systems is a massive risk. A bad actor may not care about HVAC, but your mechanicals could be an attractive portal if they provide a connection to enterprise data.

The good news is that the principles of physical security—creating layers of barriers—are the same for cybersecurity. These safeguards will thwart someone from penetrating your systems and data. Lock down where building controls interact with your electronic perimeter.

“Because bad guys will troll your digital neighborhood, cybersecurity is no different than physically hardening your building to send the message ‘We’re protected,’” Gordy stressed.

5 Cybersecurity Protocols for FM

There are entire books devoted to cybersecurity best practices. Your IT department should also be a robust partner in this effort. You can implement ISA/IEC 62443, a series of cybersecurity standards for automation and control systems. Follow the basics: change passwords, be suspicious of links or attachments, perform weekly backups and control remote access.

But nothing will ever be accomplished without an attitude shift first. Cybersecurity begins as a mindset more than anything.

1) Implement Server Protocols

“Treat every computer that runs building controls like a server,” emphasized Gordy. “Don’t use those devices for direct internet access either. They should be locked up as well.”

2) Check What’s Exposed

“You’d be amazed at what’s unprotected. How far does the Wi-Fi extend outside of your building? Do you have unused ethernet jacks that are still active? Who has access to your IT closet?” asked McGlone.

3) Update Your Device Inventory

“Know what you have, how it’s connected and who has access. If you don’t have an accurate network diagram, you can’t keep the boundaries safe,” said Gordy.

4) Isolate Building Systems

“Create a DMZ network to isolate operational technology, which is a type of segmentation that only allows specific traffic with certain permissions,” McGlone recommended.

5) Screen Everyone

“Adopt a zero-trust policy, which means ‘Never trust, always verify,’” says McGlone. “This is critical for any visitors and vendors bringing their own device. Start screening everyone as if your facility were as important as a power plant.”
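
The segmentation McGlone describes in tip 4, together with Gordy's tip 1 rule against direct internet access from control computers, can be checked mechanically against a firewall rule export. The sketch below is an added example, not from the article or the experts it quotes; the zone addressing, rule names and rule format are all constructed assumptions.

```python
import ipaddress

# Constructed zone plan (assumed addressing, not from the article).
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed firewall rules: (name, source, destination, port, action).
# A port of None means the rule matches every port.
RULES = [
    ("hist-pull", "10.20.0.10/32", "10.30.5.0/24", 47808, "allow"),    # DMZ historian polls BACnet
    ("dash-view", "10.10.0.0/16", "10.20.0.10/32", 443, "allow"),      # corporate reads DMZ dashboard
    ("hvac-vendor", "10.10.8.15/32", "10.30.5.20/32", 3389, "allow"),  # corporate PC straight to OT
    ("bms-updates", "10.30.5.20/32", "0.0.0.0/0", 443, "allow"),       # control PC out to the internet
    ("legacy-any", "10.10.0.0/16", "10.30.0.0/16", None, "allow"),     # leftover any-port rule
]

def zone_of(cidr):
    """Return the zone that fully contains cidr, or 'external' if none does."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "external"

def audit(rules):
    """Flag allow rules that break the DMZ model; returns (rule, reason) pairs."""
    findings = []
    for name, src, dst, port, action in rules:
        if action != "allow":
            continue
        pair = (zone_of(src), zone_of(dst))
        # OT may only exchange traffic with the DMZ (or with itself).
        if "ot" in pair and "dmz" not in pair and pair != ("ot", "ot"):
            findings.append((name, f"{pair[0]} -> {pair[1]} bypasses the DMZ"))
        # Segmentation means specific traffic, so every rule must name a port.
        if port is None:
            findings.append((name, "matches every port; name the service"))
    return findings

if __name__ == "__main__":
    for rule, reason in audit(RULES):
        print(f"{rule}: {reason}")
```

Rules that pass are the ones where the DMZ sits on one side of every conversation involving building systems, which is the property an accurate network diagram (tip 3) should also show.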

Understand Cybercriminals

Imagine all hackers look like this photo? The truth is much more sophisticated. While there are mischief makers who enjoy the fun of it, cybercriminals often have darker motivations. There are nation-states whose sole motivation is to disrupt, disillusion and demoralize a country. Those engaging in corporate espionage can seriously damage a brand. Many are simply chasing money, leaving a wake of chaos in their pursuit.

“Those in it for profit are both the laziest and most persistent people in the world. They’re looking for the path of least resistance,” according to Fred Gordy, director of OT Risk Assessment with Michael Baker International. “If they send out 100,000 ransomware emails with a $10,000 decryption key and 1% are successful, the takings are huge.”

How Commercial Buildings Can Be Weaponized

It doesn’t take a sophisticated attack to cause mayhem in a commercial building, but it can easily have malicious outcomes.


Imagine a 20-story hospital with 1,000 IoT devices on every floor—that’s 20,000 potential points of intrusion. Just turning off the lights or removing positive pressure could be catastrophic.

Sports and Entertainment Venues

What would happen if someone hacked the jumbotron and posted an urgent evacuation message? It would take a few keystrokes to cause a stampede.


The cost of shutting down a factory line is instantaneous. That’s real money lost in seconds, much less hours. More importantly, this doesn’t account for safety issues that occur from a sudden outage.

Industrial Facilities and Laboratories

Gases of all kinds are used and stored within buildings, especially those with scientific testing. The simple act of opening a valve to nitrogen, hydrogen, halon or natural gas could have fatal consequences.

Scenarios provided by Jim McGlone, CTO of Automation Strategy & Performance, Inc.

About the Author

Jennie Morton

A former BUILDINGS editor, Jennie Morton is a freelance writer specializing in commercial architecture, IoT and proptech.
