FM newsroom – cyber security, building management, facility operations.
As modern buildings evolve into intelligent ecosystems with IP-connected systems—from HVAC to surveillance cameras—they offer greater efficiency, comfort, and control. But with these advancements comes a hidden cost: a growing cyber attack surface that most organisations aren’t prepared to defend. Without cybersecurity built into the foundation, smart buildings may become liabilities rather than assets.
The Rise of the Cyber-Enabled Building
Modern building management systems are deeply integrated with corporate IT networks. Whether it’s remote access to heating and cooling systems, cloud-connected alarm systems, or video surveillance over Wi-Fi, these technologies bring operational benefits—but also new vulnerabilities. Every device added to the network is a potential entry point for cybercriminals.
Attackers increasingly target overlooked building systems. A compromised HVAC unit could shut down data centre cooling; a hijacked elevator could halt hospital operations. In many cases, these systems still run outdated software, rely on default credentials, or lack segmentation from the core IT network, as Max Rahner, Senior Business Development Manager at Tenable, points out in an interview for Facility Management magazine.
The Legal Mandate: Security is No Longer Optional
The expert also points out that organisations can no longer afford to treat building technology as a peripheral concern. Regulatory frameworks such as:
- NIS2 (Network and Information Security Directive)
- CER (Critical Entities Resilience Directive)
- DORA (Digital Operational Resilience Act)
all require a risk-based approach to cybersecurity, extending beyond traditional IT to include operational technology (OT) and building infrastructure.
These laws mandate that companies assess, document, and mitigate risks across all systems critical to business continuity, including elevators, fire alarms, and HVAC systems. The upcoming Cyber Resilience Act further compels product distributors in the EU to ensure long-term cybersecurity support for building tech devices, even if they’re not the original manufacturers.
The Overlooked Risk in Public and Private Sectors
Despite these regulations, many organisations still neglect building cybersecurity. Public-sector entities, for example, must comply with specific German BSI Baseline Protection modules (INF.13 and INF.14) and workplace safety rules like TRBS 1115. However, practical implementation often falls short.
Responsibility for securing building tech is frequently unclear. Tenants assume landlords are accountable; caretakers are expected to patch systems they don’t control. Meanwhile, basic vulnerabilities like cloneable access cards and factory-set passwords go unaddressed.
“It’s actually clearly the responsibility of cybersecurity to integrate technical building management and building automation into a modern, state-of-the-art security concept. External suppliers, such as landlords and service providers, must be taken into account. Fortunately, however, a shift in thinking is taking place there as well – and the message will be understood when IT, OT, and building technology converge in a central inventory and on a single dashboard,” says Rahner.
From Shadow IT to Strategic Asset Management
One of the biggest challenges is visibility. Many companies don’t have a complete inventory of their building technology, let alone knowledge of how these systems interact with IT networks. This “shadow OT” can harbour undetected threats for years.
Tools like Tenable OT can help create an asset inventory, detect vulnerabilities, and assess their business-criticality. For example, a water pump used for decorative fountains may be low priority, but one that cools hospital equipment is mission-critical. Identifying and categorising systems is the first step toward securing them.
The Case for Integrated Cybersecurity
Modern platforms now allow IT, OT, and building tech data to converge into a unified risk management view. This operational perspective is essential to aligning cybersecurity with real-world business processes. A bank’s CISO, for example, might link air conditioning systems to the uptime of on-premises servers—helping prioritise protections not by technical connection, but by operational impact.
This risk-based prioritisation is the core principle behind NIS2, CER, and DORA. It ensures that the most important systems get the most protection, while reducing wasteful spending on low-impact threats.
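One way to turn the principle above (and the fountain-pump versus hospital-cooling comparison earlier) into code, as an added illustration that is not from the article and not Tenable's own implementation: a small inventory that maps building assets to the business processes they ultimately support, and ranks them by operational impact rather than by the technical finding alone. The asset names, dependency links, impact ratings and likelihood figures are constructed for this example.

```python
"""Rank building-tech assets by operational impact (added example, not from the article)."""
from collections import deque

# Constructed business processes with an impact rating (1 = negligible, 5 = critical)
PROCESSES = {"lobby fountain": 1, "online banking": 5, "intensive care": 5}

# Constructed asset inventory. "likelihood" is how exploitable the technical finding is
# (e.g. default credentials reachable from the IT LAN); "supports" lists what depends
# on the asset, either another asset or a business process.
ASSETS = {
    "fountain-pump": {"likelihood": 0.9, "supports": ["lobby fountain"]},
    "dc-chiller":    {"likelihood": 0.9, "supports": ["server-rack-a"]},
    "server-rack-a": {"likelihood": 0.2, "supports": ["online banking"]},
    "ward-cooling":  {"likelihood": 0.6, "supports": ["intensive care"]},
}


def operational_impact(asset, inventory=ASSETS, processes=PROCESSES):
    """Highest impact of any business process reachable downstream of `asset`.

    Breadth-first walk over the dependency links, so a chiller that only
    touches a server rack still inherits the rating of the banking process
    behind that rack."""
    best, seen, queue = 0, {asset}, deque([asset])
    while queue:
        node = queue.popleft()
        for dependant in inventory.get(node, {}).get("supports", []):
            if dependant in processes:
                best = max(best, processes[dependant])
            elif dependant not in seen:
                seen.add(dependant)
                queue.append(dependant)
    return best


def risk_score(asset, inventory=ASSETS, processes=PROCESSES):
    """Risk = likelihood of the technical finding x operational impact."""
    return round(inventory[asset]["likelihood"] * operational_impact(asset, inventory, processes), 2)


def prioritised(inventory=ASSETS, processes=PROCESSES):
    """Assets ordered from most to least urgent to fix."""
    return sorted(inventory, key=lambda a: risk_score(a, inventory, processes), reverse=True)


if __name__ == "__main__":
    for name in prioritised():
        print(f"{name:14s} likelihood={ASSETS[name]['likelihood']:.1f} "
              f"impact={operational_impact(name)} risk={risk_score(name)}")
```

The fountain pump and the data-centre chiller carry the same technical finding, yet the chiller ranks first because the banking process sits behind it, which is the ordering a purely connectivity-based view would miss.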
Building Cybersecurity is Lagging Behind – But Catching Up
In terms of maturity, building infrastructure security is where industrial OT security was nearly a decade ago. But awareness is growing. Organisations are beginning to recognise the need for:
- Secure-by-design procurement policies
- Continuous patching and monitoring
- Cross-functional responsibility between IT, OT, and facility managers
Still, most companies have a long way to go. For cybersecurity to be effective, it must treat building systems not as an afterthought, but as integral components of business continuity.
A unified, risk-aware approach is no longer a nice-to-have—it’s a legal requirement and operational necessity. After all, a smart building isn’t truly smart if it can be hacked.