A major threat is silently shifting its focus from the typical IT environment to the systems that run buildings: industrial control systems (ICS). For many years, the “smart” parts of buildings—their HVAC, elevators, security access, power grids, fire suppression systems—were considered safely tucked away. They were air-gapped or so specialized that only a few dedicated building operators accessed and worked with them.
That era has ended. The digital transformation we’ve embraced for efficiency and sustainability has connected these formerly isolated systems to the internet and, by extension, to the global playground for cybercriminals.
Today’s buildings aren’t simply targets for a typical data breach; there’s a potential for a physical catastrophe, massive disruption, or an outright crippling of operations. Commercial real estate professionals can’t ignore this shift; taking action to protect commercial buildings has become a core component of asset and tenant safety.
What’s an ICS attack, and why are these buildings a target?
An industrial control system is the collection of hardware and software that manages and automates industrial processes. A commercial building will have systems like:
- Building management systems (BMS) that control lighting, climate (HVAC), and energy usage.
- Supervisory control and data acquisition (SCADA), which is used for large-scale, geographically dispersed control, like utility monitoring.
- Programmable logic controllers (PLCs), which are the workhorses that run specific, localized machinery (e.g., a pump or an elevator mechanism).
ICS security is the practice of protecting these systems from cyberthreats to ensure their integrity, availability, and safety. It’s quite different from traditional IT security because in the ICS world, availability and safety often trump confidentiality. You can’t just patch an HVAC system during the workday if you have to shut down a building’s air supply.
A crime of opportunity
Profit and opportunity drive cybercriminal activity. The shift to ICS is driven by two main factors: vulnerability and value.
Easy pickings: the vulnerability landscape
The truth about security, whether on a corporate network or a building’s control system, is that hackers don’t need to be Hollywood-level geniuses. Most attacks are crimes of opportunity that exploit simple, avoidable weaknesses.
- Legacy systems and outdated software. Many ICS components were installed decades ago, with a focus on a long operational lifespan — not security. These components run on outdated operating systems and use proprietary protocols lacking basic security features like encryption and authentication. Think of it like having a high-security vault door but forgetting to update the vintage 1970s lock.
- Weak authentication. Just like small-to-medium businesses, where 4 out of 5 attacks leverage stolen or weak credentials, many ICS devices still use default passwords or poor, single-factor authentication.
- Lack of segmentation (flat networks). Historically, these systems were air-gapped (kept separate from each other). Now, they’re often connected to the main corporate IT network, but they lack proper network segmentation. A hacker who infiltrates the front-office IT network via a phishing email can pivot and move laterally into the mission-critical ICS network.
Maximum impact: high value targets
What’s the value to a hacker? It’s not just data; it’s leverage.
- Ransomware. Imagine a ransomware attack that locks your facility managers out of the ventilation system, freezing tenants out or disabling fire alarms. The downtime for a major commercial property to resolve the issue can cost millions in lost revenue, remediation, and reputational damage.
The average cost of a data breach is only the capital cost; deeper costs include regulatory penalties, insurance denials stemming from a lack of due diligence, and severe reputational hits.
- Sabotage or disruption. For nation-states or activist groups, targeting critical infrastructure—often including large commercial and municipal buildings—offers a non-kinetic way to sow chaos. Disrupting a city center’s cooling systems during a heatwave or manipulating elevator controls poses a physical safety risk to tenants and the public.
How cybercriminals launch ICS attacks
The initial point of compromise is usually a lack of basic cyber “hygiene” within the organization or its partners. Unfortunately, there are many potential entry points.
- Stolen/weak credentials (the easiest entry). An employee uses a weak password, or a service provider or vendor’s credentials aren’t properly secured. Hackers buy credential dumps on the dark web for pocket change. Far too many organizations still lack multifactor authentication (MFA), making this entry very tempting.
- Phishing and social engineering. A malicious email remains the number one delivery system for malware. Once an employee clicks, the attacker gains a foothold in the IT network and quickly moves to the less-protected ICS environment, which is frighteningly easy because of poor network segmentation.
- Vendor and third-party risk. The people you trust to maintain your systems (external IT, maintenance contractors, specialized equipment vendors, etc.) are often your weakest link. If a vendor’s network is compromised, the attacker gains access to your building systems through this backdoor. You could be paying for an elite service without realizing that your vendor uses outdated, free, or unsecured tools, which creates a critical vulnerability for your organization.
- Misconfiguration and poor management. Four out of five cloud security incidents stem from misconfigurations. And if your internal or external IT team is stretched thin, tasked with everything from tech support and projects to compliance, security becomes deprioritized. Breaches can go undetected for months without proactive, continuous monitoring.
- Lack of segmentation (flat networks). Historically, these systems were “air-gapped” (kept entirely separate). Now, they’re often connected to the main corporate IT network (the “IT/OT convergence”). However, many systems lack proper network segmentation. A hacker who infiltrates the front-office IT network via a simple phishing email can easily pivot and move laterally into the mission-critical ICS network.
Actionable steps to protect your building’s brain
The bad news? The risk is very, very real. The good news? You’re not helpless. You must center your defense strategy on governance, risk mitigation, and compliance (GRC).
Immediate, foundational fixes
- Zero tolerance for weak credentials. Enforce MFA for all access points, particularly for any remote or privileged access to your ICS environment. Review and eliminate/update all default passwords.
- Segment your network. This step is non-negotiable. Separate your operational technology (OT) network, which is your ICS, logically from your corporate information technology (IT) network. Even if attackers get into your email, they should encounter a formidable, application-aware firewall before they can touch your building management systems.
- Patching and asset inventory. Create a comprehensive, regularly updated inventory of all ICS devices, software versions, and operating systems in your buildings. While some systems can’t be updated as frequently as others, you must know what you have so you can apply compensating controls, like isolating the device or implementing stricter monitoring, when direct patching isn’t possible.
Proactive monitoring and detection (offensive security)
- Embrace 24/7/365 security operations. Relying on an internal IT team (who take vacations, get sick, and sleep) or a generic managed service provider (MSP) that only offers a basic “glorified antivirus” defensive security isn’t enough. You need offensive security—a dedicated security operations center (SOC) with live eyes on the prize.
When automated attacks occur, minutes count. An elite SOC can stop most cyberattacks within 7 to 9 minutes compared to internal IT staff or basic MSPs that take days or weeks to notice an issue, let alone resolve it. This speed is critical to preventing minor incidents from escalating into catastrophic physical disruptions.
- Monitor network traffic. ICS networks are usually pretty stable. Any strange or anomalous traffic should immediately raise an alert. Proactive monitoring helps you detect intrusions before they can cause damage.
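To illustrate the network segmentation and traffic monitoring steps above, the following Python example (added here, not part of the original article) learns the conversations seen on a building-controls network during a known-good window, then labels later flows that cross the IT/OT boundary, leave the site, or were never seen before. The subnets, the jump host address and every flow record are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# All subnets, hosts and flow records here are constructed for illustration.
Flow = namedtuple("Flow", "src dst proto dport")
OT_NET = ipaddress.ip_network("10.20.0.0/24")   # assumed building-controls VLAN
IT_NET = ipaddress.ip_network("10.10.0.0/16")   # assumed corporate network
JUMP_HOSTS = {"10.10.5.10"}                     # assumed sole IT host allowed into OT

def in_net(ip, net):
    return ipaddress.ip_address(ip) in net

def touches_ot(f):
    return in_net(f.src, OT_NET) or in_net(f.dst, OT_NET)

def build_baseline(flows):
    # Conversations seen during a known-good window become the expected set.
    return {tuple(f) for f in flows if touches_ot(f)}

def classify(flow, baseline):
    # Return an alert label for one flow, or None if it matches expectations.
    if not touches_ot(flow):
        return None
    src_ot, dst_ot = in_net(flow.src, OT_NET), in_net(flow.dst, OT_NET)
    if dst_ot and in_net(flow.src, IT_NET) and flow.src not in JUMP_HOSTS:
        return "segmentation-violation"   # IT host reached OT without the jump host
    if src_ot and not dst_ot and not in_net(flow.dst, IT_NET):
        return "ot-egress"                # controller talking to an off-site address
    if tuple(flow) not in baseline:
        return "new-conversation"         # never seen in the baseline window
    return None

def detect(flows, baseline):
    return [(f, label) for f in flows if (label := classify(f, baseline))]

BASELINE_FLOWS = [
    Flow("10.20.0.5", "10.20.0.21", "udp", 47808),   # BMS server -> HVAC controller (BACnet/IP)
    Flow("10.20.0.5", "10.20.0.30", "tcp", 502),     # BMS server -> pump PLC (Modbus/TCP)
    Flow("10.10.5.10", "10.20.0.5", "tcp", 443),     # jump host -> BMS web console
]
OBSERVED = BASELINE_FLOWS + [
    Flow("10.10.44.17", "10.20.0.30", "tcp", 502),   # office workstation -> PLC
    Flow("10.20.0.21", "203.0.113.50", "tcp", 443),  # controller -> external address
    Flow("10.20.0.21", "10.20.0.30", "tcp", 502),    # controller -> PLC, not in baseline
]

if __name__ == "__main__":
    for flow, label in detect(OBSERVED, build_baseline(BASELINE_FLOWS)):
        print(label, flow)
```

Because ICS traffic is stable, the baseline set stays small enough to review by hand, and any flow labelled here is worth an alert rather than a periodic report.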
Manage the human element and third-party risk
- Training is key. Human error remains a primary cause of incidents. Implement mandatory, ongoing, and realistic security awareness training for all employees and contractors, focusing on how to spot phishing and the necessity for strong credentials.
- Vendor due diligence. Vet every vendor that accesses your systems. Require proof of their security practices, including their use of MFA and network segmentation. If they get hit, you get hit. Protect yourself and write these requirements into every contract.
Plan for the worst
- Develop an incident response and recovery plan. Know exactly what steps to take when a breach occurs. Test this plan and clearly outline who owns responsibility for each item. The plan should include IT, OT, legal, public relations, and business operations personnel.
- Secure backups. Ensure all critical data, configurations, and logs for your ICS are regularly backed up, encrypted, and stored offline (air gapped) or offsite. Follow the 3-2-1 rule: Three copies of your data (the original data and at least two backups); two different types of storage media (for example, one backup on a local disk and another on cloud storage or tape); one copy stored offsite (to protect your data from a site-specific disaster, like a fire or flood). This strategy ensures that if cybercriminals attempt a ransomware scenario, you can restore operations without paying the ransom.
The threat landscape has evolved, and your building’s brain—the ICS—is the new, soft underbelly. Shifting your approach from reactive technical support to proactive, 24/7 security and a GRC mindset protects your assets and tenants and safeguards the long-term value of your commercial real estate portfolio.
Are you a commercial real estate investor or seeking a specific property to meet your company’s needs? We invite you to talk to the professionals at CREA United, an organization of CRE professionals from over 90 firms representing all disciplines within the CRE industry, from brokers to subcontractors, financial services to security systems, interior designers to architects, movers to IT, and more.