
The Not-So-Hidden Cyber Risks in Commercial Real Estate

Editor’s note: FM Perspectives are industry op-eds. The views expressed are the authors’ and do not necessarily reflect those of Facilities Management Advisor.

As commercial real estate undergoes rapid digital transformation, driven by the need for greater sustainability, improved energy efficiency, and the evolving demands of hybrid work, the cybersecurity of building management systems (BMS) is becoming an increasingly critical concern.

Property owners and facilities managers are integrating smart technologies to optimize energy usage, reduce operational costs, and create more adaptive, tenant-friendly environments. Smart lighting and heating, ventilation, and air conditioning (HVAC) systems adjust dynamically based on occupancy, while automated security and access controls streamline operations. These advancements not only enhance efficiency but also help commercial buildings meet stricter environmental regulations and corporate sustainability goals.

However, the soft underbelly of increased digitalization is an increased exposure to cybersecurity risk. Once isolated, BMS are now deeply integrated with IT networks and increasingly internet-enabled, exposing them to cyber threats that were once limited to traditional enterprise systems. While IT environments typically benefit from mature security protocols and rigorous monitoring, BMS often lack the same level of protection, creating a significant blind spot for property owners, facilities managers, and tenants.

All too often, facilities teams are unaware of the cyber risks as they optimize for availability of access, creating open pathways for attackers to leverage vulnerabilities, insecure design by manufacturers, and obsolete credentials to compromise BMS. As buildings become smarter and more connected, ensuring the security of these critical systems is no longer optional—it’s essential for maintaining operational resilience, tenant safety, and long-term asset value.

Why Are BMS a Prime Target for Cyberattacks?

The integration of Internet of Things (IoT) devices and other cyber-physical systems (CPS) into BMS has dramatically expanded the attack surface for cybercriminals. Many BMS components rely on outdated software, insecure communication protocols, and weak access controls, leaving them particularly vulnerable. These weaknesses provide cybercriminals with multiple opportunities to exploit building systems for financial or disruptive gain.

Recent survey data found that commercial sectors experienced a wide swath of operational impacts due to cyberattacks, with respondents citing financial losses (38%), reputational damage (36%), and loss of customer or partner relationship (31%) as the most common operational impacts.

One of the most concerning threats is ransomware. Cybercriminals can seize control of critical building functions, such as HVAC or security systems, and demand payment to restore access. The reliance on third-party vendors for maintenance further introduces security risks, as attackers may exploit weak vendor networks to gain entry. Additionally, many BMS suffer from poor authentication measures, allowing unauthorized users to remotely access and manipulate building operations. In some cases, this could lead to physical safety hazards or widespread operational disruptions.

In sectors like healthcare, the consequences of such attacks can be especially dire. Hospitals, for example, rely on BMS to maintain climate control in operating rooms, ensure proper ventilation for infection control, and regulate power for critical medical equipment. A cyberattack that compromises these systems could directly impact patient safety—disrupting surgeries, contaminating sterile environments, or even cutting off power to life-saving machines. Beyond the immediate physical risks, prolonged operational disruptions can further endanger patients by forcing evacuations and delaying treatments, and can result in significant financial losses.

As cyber threats targeting BMS grow more sophisticated, organizations must recognize the real-world consequences and prioritize stronger security measures. We have already witnessed nation-state adversaries attack building systems at military bases and water treatment facilities to project power and disrupt essential services in the case of a military conflict.

Key Cybersecurity Challenges in BMS

One of the biggest cybersecurity challenges for BMS is the number of vulnerable entry points. These systems feature multiple access points, including web interfaces, wireless connections, and third-party integrations. Many organizations struggle with visibility into these access points, making it difficult to secure them effectively. Forty percent of commercial real estate companies reported that an accurate asset inventory was the most important capability they were missing, and one that might have reduced the impact of the cyberattacks their organization experienced.

Another significant issue is outdated software and legacy systems. Many BMS still operate on obsolete software and protocols that lack modern security features, leaving them susceptible to known exploits. Recently, a researcher claimed to have uncovered over 1,000 vulnerabilities in a vendor’s building control products that could expose many facilities to remote attacks. Similarly, the communication protocols used in BMS, such as BACnet and Modbus, are often unencrypted or weakly secured, allowing attackers to intercept or manipulate sensitive building data.
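As an added illustration of the Modbus point above (example code written for this page, not from the article, Claroty, or any vendor product): because Modbus/TCP carries no authentication or encryption, the network is the only place a defender can see which host is writing setpoints to a controller. The parser, the allowlist check, and all frames and IP addresses below are constructed for the example.

```python
import struct

# Modbus function codes that change controller state (constructed lookup for this example)
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the function code of a Modbus/TCP request.

    Note what is absent: no credential, no signature, no session. Anything that can
    reach TCP/502 can issue a write, so monitoring must key on the source address.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:  # length counts unit id + function + data
        raise ValueError("MBAP length field does not match frame length")
    return {"transaction_id": tid, "unit_id": unit, "function": frame[7], "data": frame[8:]}


def audit_frames(packets, allowed_writers):
    """Return alert strings for write requests from hosts not permitted to write."""
    alerts = []
    for src_ip, frame in packets:
        msg = parse_modbus_tcp(frame)
        func = msg["function"]
        if func in WRITE_FUNCTIONS and src_ip not in allowed_writers:
            detail = ""
            if func == 6:  # Write Single Register: 2-byte address + 2-byte value
                addr, value = struct.unpack(">HH", msg["data"][:4])
                detail = f" addr={addr} value={value}"
            alerts.append(f"{src_ip}: {WRITE_FUNCTIONS[func]} to unit {msg['unit_id']}{detail}")
    return alerts


# Constructed sample traffic: a read and a write from the BMS server (allowed),
# then a write to the same register from a workstation on the IT side.
SAMPLE_PACKETS = [
    ("10.10.1.5", bytes.fromhex("0001000000060103000A0002")),      # read holding registers
    ("10.10.1.5", bytes.fromhex("000200000006010600140190")),      # write register 20 = 400
    ("192.168.50.23", bytes.fromhex("0003000000060106001400C8")),  # write register 20 = 200
]
ALLOWED_WRITERS = {"10.10.1.5"}

if __name__ == "__main__":
    for alert in audit_frames(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print("ALERT", alert)
```

The same check would be the natural starting point for an IDS rule on a segmented BMS network: writes are expected only from the BMS server, so any other writer is worth an alert.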

A lack of proper network segmentation is also a major risk. Without segmentation, a compromised BMS component can serve as a gateway for attackers to access the entire building’s network, potentially leading to widespread disruptions. Weak authentication and access controls further compound these issues, as many BMS rely on default passwords or poorly configured permissions, making it easier for attackers to gain administrative control.

Securing BMS: Best Practices for Risk Mitigation

To mitigate these risks, commercial real estate stakeholders must take a proactive approach to cybersecurity. One of the most effective measures is implementing network segmentation. By separating BMS from IT networks, organizations can prevent attackers from moving laterally across critical systems in the event of a breach.

Strengthening authentication and access controls is another essential step. The use of multi-factor authentication (MFA) and role-based access controls (RBAC), along with regularly updating credentials, can help prevent unauthorized access. Continuous monitoring and threat detection solutions should also be deployed to identify and respond to suspicious activity before it escalates into a full-scale attack.

Regular software updates and patch management play a crucial role in reducing security vulnerabilities. Ensuring that BMS software and firmware are kept up to date helps close gaps that cybercriminals might otherwise exploit. Additionally, vendor risk management should be a priority. Building owners and facilities managers must carefully vet third-party vendors, enforce cybersecurity policies in service contracts, and limit vendor access to only the necessary systems to reduce potential security risks.

Proactive Security for a Digitally Connected Future

As commercial buildings continue to embrace smart technologies, cybersecurity must be treated as a priority alongside efficiency and sustainability. By addressing the hidden cyber risks in BMS, stakeholders can prevent operational disruptions, safeguard tenant safety, and protect their financial and reputational interests. The future of commercial real estate depends on securing its cyber-physical backbone before attackers identify and exploit its weakest links.

Grant Geyer is the chief strategy officer at Claroty, a cyber-physical systems protection company.

