How Building Automation Systems Became Cybersecurity’s Biggest Blind Spot and Why Facility Managers Are Now on the Front Lines
The Breach Nobody Saw Coming
In 2013, attackers stole the credit card data of 40 million Target customers. The entry point wasn’t a phishing email to a finance executive. It wasn’t a zero-day exploit against a payment server. It was a login credential stolen from Fazio Mechanical, a small HVAC contractor in Pennsylvania that serviced Target’s refrigeration systems.
Fazio's credentials gave it remote access to Target's network. Fazio later said the connection was used for electronic billing, contract submission and project management, not for live equipment monitoring, which makes the lesson sharper, not softer: a vendor login with no business anywhere near a point-of-sale terminal still reached one. That access wasn't segmented from the payment infrastructure. The rest is data breach history.
That incident was more than a decade ago. The industry largely treated it as a cautionary tale for IT departments. But here in 2026, the lesson still hasn’t fully landed where it needs to: with the people who manage buildings.
The Building Is Now the Attack Surface
For most of the last century, building automation systems lived in their own quiet world: thermostats, dampers, valves, controllers, doing their job without much outside interference. The worst thing that could happen was a failed sensor or a misconfigured schedule.
That world is gone.
Today’s buildings are networked. HVAC systems report to cloud dashboards. Access control integrates with HR directories. Lighting responds to occupancy sensors feeding data into analytics platforms. Energy meters talk to grid operators. And almost all of it runs on IP.
The Building Automation System market is now valued at $124 billion and is projected to reach $204 billion by 2030. Every dollar of that growth is a dollar of new connectivity and new exposure.
According to Dragos, a leader in operational technology (OT) security and the top-ranked company in the 2026 Gartner Magic Quadrant for CPS Protection Platforms, BAS environments face five compounding vulnerabilities:
- Legacy infrastructure designed before security was a consideration
- An interconnected architecture where one compromised component cascades
- Remote access pathways built for convenience, not hardening
- Third-party dependencies: vendors, like that HVAC contractor, with varying security postures
- Human factors, misconfigurations, and unsafe habits baked in over decades
“A compromised BAS controller can become a backdoor into sensitive business applications or data centers,” notes Veridify Security, which specializes in device-level authentication for building systems. The pathways attackers use aren’t exotic. They’re the same remote monitoring tools a technician uses every day.
The Protocols Were Never Designed for This
Here’s the uncomfortable engineering truth: BACnet and Modbus, the protocols running most of the world’s building automation, were built without cybersecurity in mind.
No authentication at the protocol level. No encryption. No device identity. Every read and every write sent in plaintext across the network, and default credentials on whatever web or engineering interface sits in front of the controller. These weren't oversights; they were reasonable design choices when Modbus (1979) and BACnet (1995) were drawn up for isolated, serial or air-gapped systems. The problem is that those systems are no longer isolated.
When a BACnet/IP device is reachable from the internet on UDP port 47808, which happens more often than anyone in the industry likes to admit, an attacker with basic tooling can enumerate it with a Who-Is broadcast, read sensor values with ReadProperty, and override setpoints with WriteProperty. A write at a high priority outranks the building's own schedules and the operator's workstation, so in practice the attacker, not the facility, decides what the equipment does.
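Here is what those plaintext exchanges look like on the wire, as an added example written for this article (not code from the page, from Cimetrics, or from any vendor). It encodes a global Who-Is broadcast, a ReadProperty request and a WriteProperty command, decodes an I-Am answer of the kind an asset inventory is built from, and runs a small allowlist check over constructed UDP/47808 traffic. The supervisory server address 10.20.0.5, the device instance 1234, the vendor ID and the sample frames are all assumptions. Notice what is absent from every frame: there is no field for a password, a key, or a sender identity.

```python
"""Hand-rolled BACnet/IP (ASHRAE 135 Annex J) framing for four services.
Added example for this article, not vendor code. Constants follow the standard;
the sample frames and host addresses below are constructed, not captured."""
import struct

BACNET_UDP_PORT = 47808                          # 0xBAC0
OBJ_ANALOG_INPUT, OBJ_ANALOG_OUTPUT, OBJ_DEVICE = 0, 1, 8
PROP_PRESENT_VALUE = 85
SVC_I_AM, SVC_WHO_IS = 0, 8                      # unconfirmed service choices
SVC_READ_PROPERTY, SVC_WRITE_PROPERTY = 12, 15   # confirmed service choices
BVLC_UNICAST, BVLC_BROADCAST = 0x0A, 0x0B        # Original-Unicast / Original-Broadcast-NPDU
NPDU_LOCAL_REPLY = bytes([0x01, 0x04])           # version 1, "expecting reply", no routing info
NPDU_GLOBAL_BCAST = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])  # DNET 0xFFFF, DLEN 0, hop count 255


def object_id(obj_type, instance):
    """BACnetObjectIdentifier: 10-bit object type, 22-bit instance, big-endian."""
    return struct.pack(">I", (obj_type << 22) | instance)


def bvlc(function, body):
    """BVLC header: type 0x81, function, 16-bit total length including the header."""
    return bytes([0x81, function]) + struct.pack(">H", 4 + len(body)) + body


def who_is():
    """Global Who-Is: every device that hears it answers with I-Am. No sender identity, no credential."""
    return bvlc(BVLC_BROADCAST, NPDU_GLOBAL_BCAST + bytes([0x10, SVC_WHO_IS]))


def read_property(invoke_id, obj_type, instance, prop):
    """Confirmed ReadProperty. 0x00 = Confirmed-Request PDU, 0x05 = caller accepts 1476-byte APDUs."""
    apdu = (bytes([0x00, 0x05, invoke_id, SVC_READ_PROPERTY])
            + b"\x0c" + object_id(obj_type, instance)       # context tag 0, length 4
            + bytes([0x19, prop]))                           # context tag 1, length 1
    return bvlc(BVLC_UNICAST, NPDU_LOCAL_REPLY + apdu)


def write_property(invoke_id, obj_type, instance, prop, value, priority):
    """Confirmed WriteProperty of a REAL at a given priority (1 = highest, 16 = lowest)."""
    apdu = (bytes([0x00, 0x05, invoke_id, SVC_WRITE_PROPERTY])
            + b"\x0c" + object_id(obj_type, instance)
            + bytes([0x19, prop])
            + b"\x3e\x44" + struct.pack(">f", value) + b"\x3f"   # tag 3 open, REAL (app tag 4, len 4), tag 3 close
            + bytes([0x49, priority]))                           # context tag 4, length 1
    return bvlc(BVLC_UNICAST, NPDU_LOCAL_REPLY + apdu)


def _app_uint(buf, i):
    """Read an application-tagged unsigned/enumerated value; return (value, next index)."""
    length = buf[i] & 0x07
    return int.from_bytes(buf[i + 1:i + 1 + length], "big"), i + 1 + length


def decode(frame):
    """Decode the services above; raise ValueError on anything else."""
    if len(frame) < 4 or frame[0] != 0x81 or struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("not a well-formed BACnet/IP frame")
    npdu = frame[4:]
    control, i = npdu[1], 2
    if control & 0x20:                 # destination specifier present: DNET(2) DLEN(1) DADR(DLEN)
        i += 3 + npdu[i + 2]
    if control & 0x08:                 # source specifier present: SNET(2) SLEN(1) SADR(SLEN)
        i += 3 + npdu[i + 2]
    if control & 0x20:
        i += 1                         # hop count follows the address specifiers
    apdu = npdu[i:]
    pdu_type = apdu[0] >> 4
    if pdu_type == 1 and apdu[1] == SVC_WHO_IS:
        return {"service": "Who-Is"}
    if pdu_type == 1 and apdu[1] == SVC_I_AM:
        oid = struct.unpack(">I", apdu[3:7])[0]            # apdu[2] is 0xC4, the object-id tag
        _, j = _app_uint(apdu, 7)                          # max APDU length accepted
        _, j = _app_uint(apdu, j)                          # segmentation supported
        vendor, _ = _app_uint(apdu, j)
        return {"service": "I-Am", "device": oid & 0x3FFFFF, "vendor_id": vendor}
    if pdu_type == 0 and apdu[3] in (SVC_READ_PROPERTY, SVC_WRITE_PROPERTY):
        oid = struct.unpack(">I", apdu[5:9])[0]
        out = {"service": "ReadProperty" if apdu[3] == SVC_READ_PROPERTY else "WriteProperty",
               "invoke_id": apdu[2], "object": (oid >> 22, oid & 0x3FFFFF), "property": apdu[10]}
        if apdu[3] == SVC_WRITE_PROPERTY:                  # layout as produced by write_property(): one REAL
            out["value"] = struct.unpack(">f", apdu[13:17])[0]
            out["priority"] = apdu[19]
        return out
    raise ValueError("unsupported PDU")


# Constructed I-Am from device instance 1234, max APDU 1476, no segmentation, vendor ID 15.
SAMPLE_I_AM = bytes.fromhex("810b00180120ffff00ff1000c4020004d22205c49103210f")

BMS_HOSTS = {"10.20.0.5"}   # assumption: the one supervisory server allowed to command devices

# Constructed traffic: a scheduled setpoint write from the BMS, then the same point
# commanded at operator priority 8 from a laptop that should never be on this segment.
SAMPLE_TRAFFIC = [
    ("10.20.0.5", write_property(1, OBJ_ANALOG_OUTPUT, 1, PROP_PRESENT_VALUE, 72.0, 16)),
    ("10.20.7.88", who_is()),
    ("10.20.7.88", write_property(2, OBJ_ANALOG_OUTPUT, 1, PROP_PRESENT_VALUE, 95.0, 8)),
]


def unauthorized_writes(datagrams, allowed=BMS_HOSTS):
    """datagrams: iterable of (source_ip, payload). Return the writes issued by any host not on the allowlist."""
    hits = []
    for src, payload in datagrams:
        try:
            d = decode(payload)
        except ValueError:
            continue
        if d["service"] == "WriteProperty" and src not in allowed:
            hits.append((src, d["object"], d["value"], d["priority"]))
    return hits


if __name__ == "__main__":
    print(unauthorized_writes(SAMPLE_TRAFFIC))
```

The encoders and decoder cover only these four services; a production monitor would sit on a full BACnet stack. The allowlist logic is the part a building firewall or IDS should actually enforce: only the supervisory server should ever originate WriteProperty, and a write from anywhere else, especially at an operator-level priority, is an incident, not a log line. The I-Am decoding is also the raw material for an asset inventory: a single Who-Is on each subnet, answered by every device, lists far more controllers than most facility teams know they own.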
BACnet is not the only building bus with this problem. In October 2021, a building automation engineering firm in Germany learned the same lesson on KNX. Attackers reached the installation through an exposed UDP port, penetrated the BAS, and, within hours, locked the owners out of their own light switches, motion detectors, and shutter controllers. The technique was the one Limes Security had documented years earlier as KNXlock: KNX lets anyone who can reach the bus set a programming password (the BCU key) on each device, and once an attacker sets it, nobody else can reprogram those devices. It is not a patchable bug so much as a protocol feature turned against the owner.
The building itself became the hostage.
Incidents That Should Have Created Change
The German engineering firm wasn’t alone. The pattern keeps repeating:
- A U.S. school district had its HVAC systems disabled by ransomware, forcing building shutdowns until demands were met. Children couldn’t attend class. Administrators couldn’t override the systems.
- Aliquippa, Pennsylvania's water utility had a booster station compromised in 2023 through an internet-exposed Unitronics PLC still running its default password, forcing the station onto manual operation. Different sector, same failure pattern as the building systems above.
- Commercial real estate operators have reported access-control breaches in which attackers remotely locked or unlocked doors in occupied buildings, not to steal data but to demonstrate they could.
These aren't sophisticated nation-state operations. They're opportunistic attacks on systems that were left exposed because no one thought to lock a door that no one realized existed.
Attackers have learned that operational disruption is often more valuable than data theft. Locking down an HVAC system in a hospital, disabling elevator controls in an office tower, shutting off lighting in a data center — these create immediate, physical consequences that ransomware gangs can monetize fast.
You Didn’t Sign Up For This. But Here You Are.
This is where the conversation may change for facility professionals.
IFMA, the International Facility Management Association, has made it official: cybersecurity is now a facility management responsibility. Not just an IT concern. Not something to hand off to the network team. A core competency for anyone who manages a building.
“With connectivity comes increased risk,” IFMA states plainly. “Every connected device or system creates potential cybersecurity exposure.” Their new Cybersecurity Short Course for FM professionals is a direct acknowledgment that the industry is behind and needs to catch up fast.
The same message is landing in the HVAC trades. HVAC Today made waves this spring with a piece declaring that HVAC contractors are now "guardians of digital infrastructure." Contractors who install and service BAS components are now the people holding credentials, connecting equipment, and in many cases, maintaining remote access to dozens or hundreds of client sites. That makes them, like Fazio Mechanical before them, either a security asset or a security liability, depending on their practices.
The question isn’t whether facility managers and HVAC professionals will have to engage with cybersecurity. That question has been answered. The question is whether they’ll engage proactively or reactively.
What the Industry Is Building in Response
The good news is that the AutomatedBuildings.com community isn’t waiting for a wake-up call. Several sponsors are actively building the defense layer this industry needs.
Secured by Cimetrics is one of the few companies in the industry purpose-built for BAS cybersecurity and has developed a comprehensive security framework anchored in the NIST Cybersecurity Framework. Their work on BACnet/SC (BACnet Secure Connect) is particularly significant. BACnet/SC carries BACnet inside TLS-protected WebSocket connections, authenticates every device with an X.509 certificate, and replaces the UDP broadcast model with a hub-and-spoke topology that no longer needs a flat, routable network, essentially retrofitting the security layer the protocol never had. Earlier this year, fellow sponsor Engenuity Systems announced it was integrating Secured by Cimetrics' BACnet/SC appliances and network segmentation devices into its smart building solutions, a meaningful signal that security-by-design is becoming a market expectation, not a premium add-on.
Tridium is the company behind the Niagara Framework, which runs millions of buildings worldwide, and has developed Niagara Cyber Defense, a dedicated security product for Niagara-based BAS deployments. With Niagara 5 launching, Tridium has made cyber resilience a primary design pillar rather than a feature bolt-on. Their defense-in-depth approach aligns Niagara with enterprise IT security practices across supervisory, field device, and edge layers.
Johnson Controls is one of the world’s largest building technology companies. They maintain a dedicated cybersecurity trust center. Their recently published report, which identifies occupant well-being as a “mission-critical” outcome of BAS security, underscores how the framing has shifted: this is no longer about protecting hardware. It’s about protecting people.
OTI (Operational Technology Integrators), whose name says it all, focuses specifically on the OT layer where building systems and IT converge. OT security requires different tools and a different way of thinking than traditional IT security; OTI exists precisely at that intersection.
BACnet International is the industry association behind the protocol used in most BAS deployments (the standard itself, ASHRAE 135, is maintained by the ASHRAE SSPC 135 committee). It has been instrumental in developing and promoting BACnet/SC adoption. Wider adoption of the secure protocol variant is one of the most practical near-term levers the industry has.
The Path Forward: Five Things Facility Managers Can Do Now
You don’t need a computer science degree to reduce your building’s exposure. You need a framework and a starting point.
1. Know what you have.
You cannot protect what you don’t know exists. Build or commission an asset inventory of every networked device in your building, not just servers and workstations, but every BAS controller, smart thermostat, access reader, and IP-connected sensor. Dragos calls this the foundation of any OT security program.
2. Segment your networks.
BAS traffic should not share a network segment with corporate IT. This single step, physically or logically separating the OT network from everything else, is the closest thing the industry has to a silver bullet. In practice it means a firewall between the two with rules that allow only the supervisory server to reach the controllers on UDP 47808 and nothing else, and vendor remote access that lands on a jump host inside that boundary rather than on the controllers directly. It's what would have stopped the Target breach from becoming a payment card disaster.
3. Audit your vendor access.
Make a list of all third-party vendors, contractors, or service providers with remote access to your systems. When did they last use it? Is the access time-limited? Are credentials shared or individual? Many breaches enter through stale, unmonitored vendor credentials.
4. Require BACnet/SC on new deployments.
If you're specifying or procuring BAS equipment, make BACnet Secure Connect a baseline requirement. Ask vendors, including your integrators, whether they support it, and budget for the certificate issuance and renewal that BACnet/SC devices depend on. The question alone changes the conversation.
5. Get your IT team in the room early.
Not after the installation. Not when something goes wrong. Before the project scoping begins. Cybersecurity decisions made at the design stage cost a fraction of what they cost as retrofits, and the collaboration between FM and IT is exactly what IFMA says is now essential.
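Step 3 above asks four concrete questions of every vendor account: when was it last used, is it time-limited, is it shared, and does anyone still know it exists. The following is an added example, not from the article or any vendor product, of answering them from an export of remote-access logins and an account register. The record layout, the 90-day staleness threshold, the "more than two source networks in the window means a shared login" rule, and every account and address in the sample data are assumptions; adjust them to the access platform actually in use.

```python
"""Vendor remote-access audit over a constructed login log and account register.
Added example for this article; record format, thresholds and data are assumptions."""
from collections import defaultdict
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)   # assumed policy: unused for a quarter means disable it
SHARED_IF_IPS_OVER = 2             # assumed: one named person rarely connects from 3+ networks in a month
AUDIT_DATE = date(2026, 3, 1)      # the "today" used by the sample audit below

# Constructed remote-access log: (account, vendor, source_ip, login_date). Not real data.
ACCESS_LOG = [
    ("hvac-remote",   "Rooftop HVAC Co", "203.0.113.10",  date(2026, 2, 20)),
    ("hvac-remote",   "Rooftop HVAC Co", "198.51.100.7",  date(2026, 2, 24)),
    ("hvac-remote",   "Rooftop HVAC Co", "192.0.2.99",    date(2026, 2, 27)),
    ("elev-support",  "Lift Services",   "203.0.113.55",  date(2025, 9, 3)),
    ("jdoe-controls", "Integrator LLC",  "198.51.100.20", date(2026, 2, 28)),
    ("temp-access",   "unknown",         "192.0.2.4",     date(2026, 1, 15)),
]

# Constructed account register: account -> expiry date (None = never expires).
ACCOUNT_EXPIRY = {
    "hvac-remote": None,
    "elev-support": None,
    "jdoe-controls": date(2026, 6, 30),
    "old-lighting": date(2024, 12, 31),
}


def audit_vendor_access(log, register, today, stale_after=STALE_AFTER,
                        shared_if_ips_over=SHARED_IF_IPS_OVER):
    """Return {account: set of findings}. An empty set means the account passed every check."""
    last_used, sources = {}, defaultdict(set)
    for account, _vendor, ip, when in log:
        last_used[account] = max(last_used.get(account, when), when)
        sources[account].add(ip)

    findings = {}
    for account in set(register) | set(last_used):
        flags = set()
        # Question 1: when did they last use it?
        if account not in last_used:
            flags.add("never_used")
        elif today - last_used[account] > stale_after:
            flags.add("stale")
        # Question 2: is the access time-limited?
        if account not in register:
            flags.add("unregistered")          # logging in, but nobody owns it on paper
        elif register[account] is None:
            flags.add("no_expiry")
        elif register[account] < today:
            flags.add("expired_but_still_present")
        # Question 3: is the credential shared?
        if len(sources[account]) > shared_if_ips_over:
            flags.add("likely_shared")
        findings[account] = flags
    return findings


def run_audit():
    """Audit the sample data as of AUDIT_DATE."""
    return audit_vendor_access(ACCESS_LOG, ACCOUNT_EXPIRY, AUDIT_DATE)


if __name__ == "__main__":
    for account, flags in sorted(run_audit().items()):
        print(f"{account:14s} {', '.join(sorted(flags)) or 'ok'}")
```

The output is a short list an FM and an IT lead can work through together: the shared contractor login gets split into named accounts, the unused elevator account and the expired lighting account get disabled, the unregistered one gets an owner or gets removed, and everything that remains gets an expiry date. Re-running the audit monthly turns Step 3 from a one-time cleanup into a control.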
The Bottom Line
The building automation industry built an incredible ecosystem of intelligence, efficiency, and control over the last thirty years. In doing so, it also built an attack surface that is now among the most underprotected in the entire technology landscape.
The people who manage that surface, facility managers, building engineers, HVAC contractors, systems integrators, didn't sign up to be cybersecurity professionals. But the threat doesn't much care about jobs
Because the next Target-style breach isn’t going to originate from a payroll system or a cloud storage misconfiguration. It’s going to come through a rooftop air handler on a strip mall in Pennsylvania. And when it does, someone who thought their job was about BTUs and setpoints is going to be the one answering the questions.
Have a perspective on BAS cybersecurity? Share your views. Contact sponsor@automatedbuildings.com.
AUTOMATEDBUILDINGS.COM hosts an epic series of free education sessions every year at AHR in partnership with Cochrane Supply