The Internet of Things (IoT) has revolutionized commercial buildings, making them “smart” by connecting various devices and systems to collect and exchange data. This interconnectedness facilitates automation, real-time monitoring, and data-driven decision-making, which ultimately improves efficiency, comfort, and sustainability.
IoT has enabled the widespread deployment of smart sensors to monitor a vast array of parameters, including:
- Environmental conditions, like temperature, humidity, CO2 levels, and air quality (VOCs and particulate matter)
- Occupancy, detecting when and how people use spaces
- Energy consumption, tracking electricity, water, and gas usage at the most granular levels
- Equipment performance, monitoring vibrations, temperatures and operational data of HVAC systems, elevators, and other machinery
Building management systems (BMS) or building automation systems (BAS) are the brain of a smart building and integrate data from all connected IoT devices, like HVAC, security, and plumbing systems, elevators, lighting, and window shades, providing a single platform for monitoring, controlling, and optimizing various building operations.
The immense data volumes generated by IoT devices live in the cloud. Advanced analytics and AI algorithms analyze this data to identify patterns, predict trends, optimize operations, and provide actionable insights. This information facilitates proactive maintenance, intelligent energy management, and optimized space use.
Based on the data these systems collect and analyze, smart building systems can automatically adjust various parameters without human intervention. For example, lights will dim in an unoccupied room, and HVAC systems can power down (or up) based on occupancy and real-time weather conditions. Building managers can monitor and control all aspects of a building through mobile apps or web interfaces, addressing issues quickly and reducing the need for on-site personnel.
All this technological “magic” sounds wonderful — but there’s a dark side: a smart building’s connectivity to the internet can create vulnerabilities cybercriminals will exploit.
The need for cybersecurity in smart buildings
Smart buildings are amazing, but they’re not impenetrable fortresses. The number of cyberattacks on these advanced structures has been increasing. According to the 2024 Crowdstrike Global Threat Report, over 30 significant cyberattacks were reported in 2023. Matrix, a malicious actor, impacted hundreds of thousands of IoT devices in 2024 through a distributed denial-of-service (DDoS) campaign. Weak or lax security protocols, such as failing to change default passwords or enable two-factor authentication (2FA) or multifactor authentication (MFA), can create vulnerabilities for hackers to exploit. Risks include:
- Unauthorized entry
- Manipulation of environmental controls
- Theft of sensitive data
Because smart buildings rely heavily on interconnected devices and cloud-based services, they present an attractive target for malicious actors, underscoring the need for strong security measures to combat these digital threats. The increasing frequency of cyberattacks on smart buildings underscores the importance for organizations to prioritize cybersecurity as they rapidly adopt IoT and pursue digital transformation.
Key security risks for smart buildings
Building managers and third-party vendors can unintentionally create security gaps when they use remote access to manage BAS. Systems lacking proper monitoring and logging, or those directly exposed on public IP addresses, become prime targets for cybercriminals.
But these threats extend beyond remote access. The integration of IoT devices inadvertently creates welcoming environments for bad actors. Technologies controlling essential building functions like heating, lighting, and access systems have the potential to expose internal networks to unacceptable risks if not properly secured.
Buildings that adopt smart platforms increase their susceptibility to cyber threats, partly due to the fundamental designs of existing structures. Legacy building protocols, like BACnet and MODBUS, were developed in an era when security wasn’t a prime design consideration. Connecting these older systems to modern, internet-facing platforms is akin to leaving the back door unlocked.
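As an added illustration (not code from the original article) of the monitoring gap described above, the following Python checks firewall log lines for BACnet/IP (UDP 47808) or Modbus TCP (TCP 502) connections that were accepted from a non-RFC 1918 source address, which is exactly the "back door unlocked" condition. The log format and the addresses are constructed for the example.

```python
import re

# Ports used by the legacy building protocols the text names: BACnet/IP
# speaks UDP 47808 (0xBAC0) and Modbus TCP uses TCP 502.
OT_SERVICES = {("udp", 47808): "BACnet/IP", ("tcp", 502): "Modbus TCP"}

# RFC 1918 ranges, checked explicitly so any other source counts as internet-side.
PRIVATE_NETS = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)]

# Constructed sample firewall log lines (not real traffic) in a hypothetical
# "timestamp action src= dst= proto= dport=" layout.
SAMPLE_LOG = """\
2025-06-01T08:00:01Z allow src=10.20.5.14 dst=10.20.7.2 proto=udp dport=47808
2025-06-01T08:00:05Z allow src=198.51.100.23 dst=203.0.113.40 proto=tcp dport=502
2025-06-01T08:00:09Z allow src=192.168.1.9 dst=10.20.7.3 proto=tcp dport=502
2025-06-01T08:00:12Z allow src=198.51.100.77 dst=203.0.113.41 proto=udp dport=47808
2025-06-01T08:00:15Z allow src=198.51.100.23 dst=203.0.113.40 proto=tcp dport=443
2025-06-01T08:00:20Z deny src=198.51.100.90 dst=203.0.113.41 proto=udp dport=47808
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

def _ip_to_int(addr):
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def is_rfc1918(addr):
    """True if addr falls inside one of the private ranges above."""
    n = _ip_to_int(addr)
    return any(n >> (32 - bits) == _ip_to_int(net) >> (32 - bits) for net, bits in PRIVATE_NETS)

def find_exposed_ot(log_text):
    """Return (src, dst, service) for every *allowed* BACnet or Modbus connection whose
    source is outside the RFC 1918 space, i.e. an OT port reachable from the internet."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "allow":
            continue
        service = OT_SERVICES.get((m["proto"], int(m["dport"])))
        if service is None or is_rfc1918(m["src"]):
            continue  # not an OT port, or expected traffic from inside the building
        findings.append((m["src"], m["dst"], service))
    return findings

if __name__ == "__main__":
    for src, dst, service in find_exposed_ot(SAMPLE_LOG):
        print(f"ALERT: {service} on {dst} accepted traffic from internet address {src}")
```

Two of the six constructed lines are flagged; the denied one and the HTTPS one are not.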
Adding to these challenges? Some organizations — like insurance, healthcare, and real estate companies — store vast quantities of personal and financial information. Should this sensitive data fall into the wrong hands, it could lead to identity theft, financial fraud, and other harmful, inappropriate uses.
Smart building cyberattacks
In 2023, the Dark Angels ransomware gang launched a cyberattack on Johnson Controls International, a building automation and technology company. The attackers gained unauthorized access to large volumes of data and deployed ransomware, resulting in a $27 million net revenue loss for the quarter.
On June 3, 2025, the Lexington-Richland 5 school district noticed that some of its buildings were affected by a cyberattack, which impacted the start of summer school classes and the payment of a year-end bonus to staff. In May 2025, EdforTech Alliance informed the Allentown School District that a cyberattack had been launched on its financial systems, impacting the district’s secondary virtual campus students, who were unable to log into the platform for the day. In 2022, the Jackson County Intermediate School District’s phone, classroom technology, and heating facilities were hacked by an outside bad actor.
In May 2020, cybercriminals gained unauthorized access to Kettering Health’s network, necessitating the cancellation and rescheduling of elective inpatient and outpatient procedures for one day. Other cyberattacks targeting hospital networks include a 2023 incident at Hospital Sisters Health System hospitals, which affected phones, medical records, imaging software, and other critical systems, resulting in a system-wide outage that took over two weeks to restore.
In other words, the smarter buildings get, the more attractive a target they become. And they face a variety of threats.
Potential threats and cyber risks to smart buildings
Understanding these threats is critical for implementing effective defenses. Here are some of the potential threats and how cybercriminals could use them to compromise a smart building’s systems.
Siegeware and BAS attacks
This specialized ransomware targets industrial control systems (ICS) and operational technology (OT) environments, which include building automation systems. Unlike typical ransomware, which encrypts data and demands payment for the key, siegeware locks operators out of the physical processes they control, such as locking and unlocking doors, operating elevators, switching lights, and running other critical infrastructure, potentially rendering the building uninhabitable.
BAS attacks are deliberate attacks on the systems controlling a building’s HVAC, lighting, security, and access functions. These attacks could involve:
- Manipulating sensors (e.g., falsely reporting a lower temperature to overcool a space)
- Overriding control settings (e.g., turning off ventilation during a fire alarm)
- Disabling security systems (e.g., turning off surveillance cameras or card readers)
Malware
Malware is a broad term for malicious software designed to disrupt, damage, or gain unauthorized access to a computer system. Examples include viruses, worms, Trojans, ransomware, spyware, and rootkits. Malware spreads through infected emails, compromised websites, malicious downloads, or infected USB drives. Once inside a system, it can steal data, create backdoors, or launch further attacks.
Malware could compromise a smart building if an employee or contractor inadvertently introduced it via an infected USB drive plugged into a BAS workstation. It could infiltrate the building’s network through a phishing email opened on a connected office computer, then propagate to the OT network. Once inside, malware could encrypt critical BAS configuration files (ransomware), allowing hackers to demand payment to restore functionality. It could also act as spyware, monitoring building operations and data for espionage, or create backdoors for future remote access and control.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
DoS attacks are designed to make a network resource or machine unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the internet. They typically involve flooding the target with traffic or requests until it is so overwhelmed that it can’t respond. A DDoS is a DoS attack launched from multiple compromised computer systems (think “botnet”) that flood the target with traffic — and it’s much harder to block a DDoS than a DoS attack.
Many smart building systems rely on cloud platforms for data storage, analytics, and remote management. A DDoS attack on these cloud services could render the building’s smart features (remote access, energy optimization, predictive maintenance) inoperable. Attackers could overwhelm specific BAS controllers or network gateways within the building with junk data. The controllers could crash or become unresponsive, leading to the loss of automated control over HVAC, lighting, or security systems.
A DoS attack on a building’s internal network infrastructure could prevent or interrupt communication between sensors, controllers, and the central BAS, essentially “blinding” the building management system and preventing it from responding to environmental changes or security events.
SQL Injection
SQL injection is a code injection technique used to exploit vulnerabilities in data-driven applications. It happens when an attacker inserts malicious SQL statements into an entry field, like a login or search box, so that the underlying database executes them. SQL injection exploits web applications that don’t properly sanitize user input, allowing attackers to manipulate or query the database in ways the developer didn’t intend.
Many smart building systems have web-based interfaces (e.g., dashboards for facility managers, tenant portals for booking rooms, or visitor management systems) that rely on SQL databases. An attacker could use an SQL injection in a login field to bypass authentication and gain unauthorized access to the BAS or control system. Hackers could modify entries in the database to change access permissions for specific people, alter building schedules (like unlocking doors at specific times), tamper with energy consumption records, or extract sensitive occupant data.
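The login-field bypass described above, as an added example that is not from the original article: a hypothetical facility-dashboard login written two ways, once by pasting the username into the SQL text and once with a parameterized query. The in-memory user table and the credentials are constructed for the demo.

```python
import hashlib
import sqlite3

def _hash(pw):
    # Demo-only digest; a real portal should use a slow password hash (argon2, bcrypt).
    return hashlib.sha256(pw.encode()).hexdigest()

def make_demo_db():
    """Constructed in-memory users table for a hypothetical facility dashboard."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("fmanager", _hash("S3cret!"), "admin"), ("tenant1", _hash("room42"), "tenant")],
    )
    return conn

def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting, so the username field becomes part of
    the query text and can rewrite the WHERE clause."""
    query = (
        f"SELECT username, role FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{_hash(password)}'"
    )
    return conn.execute(query).fetchone()

def login_safe(conn, username, password):
    """Binds user input as parameters: the driver treats it as data, never as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(query, (username, _hash(password))).fetchone()

if __name__ == "__main__":
    db = make_demo_db()
    # Textbook injection string: closes the quote, adds a tautology, comments out the rest.
    injected = "' OR 1=1 --"
    print(login_vulnerable(db, injected, "anything"))  # a row comes back: bypassed
    print(login_safe(db, injected, "anything"))        # None: no such username
```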
Zero-Day exploit
A zero-day exploit is a software vulnerability that the software vendor is unaware of and that attackers discover and exploit before it’s fixed. The “zero-day” means the vendor has had zero days to fix the vulnerability, so there’s been no patch or fix released. Cybercriminals can use these flaws or ‘holes’ to gain unauthorized access, elevate privileges, or execute malicious code without detection by traditional security protocols.
Smart buildings use a wide array of software, from proprietary BAS apps to firmware on IoT devices. A zero-day exploit targeting a vulnerability in any of these components could wreak terrible damage. For example, an attacker could exploit a zero-day in a smart thermostat’s firmware to gain control over climate settings on an entire floor or building. A zero-day in a building’s video surveillance system could allow a bad actor to disable cameras, access live feeds, or inject fake video without detection until the software vendor releases a patch. Because no vendor patch exists until the flaw is discovered and fixed, these attacks are especially hard to defend against.
Cross-site scripting (XSS)
This type of security vulnerability, typically found in web applications, enables attackers to inject client-side scripts, like JavaScript, into web pages viewed by other users. When a vulnerable web application fails to properly validate user input, a cybercriminal can embed malicious script into a URL or form field. When another user accesses that page, the malicious script executes in their browser, appearing to come from a legitimate website.
Many smart buildings have web-based portals for tenant services, like room booking or service requests, or facility management dashboards. A hacker could inject an XSS script into a comment field or user profile. When the facility manager or another tenant views the compromised page, the script executes in their browser. This script could:
- Steal session cookies, allowing the hacker to hijack the user’s session and gain access to the portal
- Deface the web interface
- Redirect the user to a phishing site
- Execute commands within the user’s browser that interact with the smart building’s API, potentially altering settings or retrieving sensitive data
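The comment-field scenario above, as an added example that is not from the original article: a hypothetical tenant service-request list rendered unsafely and then with output escaping, plus the cookie attributes that keep a session token out of reach of injected script (the first bullet). The comments are constructed for the demo.

```python
import html

# Constructed service-request comments for a hypothetical tenant portal. The second
# injects a script element; the third tries to break out of an HTML attribute.
COMMENTS = [
    {"tenant": "Suite 310", "text": "Conference room is too cold after 5pm."},
    {"tenant": "Suite 412", "text": "<script>alert(document.cookie)</script>"},
    {"tenant": "Suite 505", "text": '" onmouseover="alert(document.cookie)'},
]

def render_vulnerable(comments):
    """Interpolates untrusted text straight into the page; any markup in a comment
    becomes part of the document the facility manager's browser runs."""
    rows = "".join(
        f'<li title="{c["text"]}">{c["tenant"]}: {c["text"]}</li>' for c in comments
    )
    return f"<ul>{rows}</ul>"

def render_safe(comments):
    """Escapes each untrusted value at the point of output; quote=True also neutralises
    quote characters, which is what protects the title attribute."""
    rows = "".join(
        '<li title="{t}">{who}: {t}</li>'.format(
            who=html.escape(c["tenant"], quote=True),
            t=html.escape(c["text"], quote=True),
        )
        for c in comments
    )
    return f"<ul>{rows}</ul>"

def session_cookie_header(token):
    """Session cookie attributes: HttpOnly hides the token from document.cookie,
    Secure keeps it off plain HTTP, SameSite limits cross-site reuse."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"

if __name__ == "__main__":
    print(render_vulnerable(COMMENTS))  # contains a live <script> and a stray onmouseover
    print(render_safe(COMMENTS))        # both payloads appear as inert text
    print(session_cookie_header("constructed-token"))
```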
Advanced persistent threats (APTs)
An APT is a sophisticated, prolonged cyberattack campaign in which an attacker establishes an illicit, long-term presence on a network to extract highly sensitive data or maintain access rather than to cause immediate harm. Well-funded, highly skilled (and even state-sponsored) groups are the most likely to carry out an APT.
These groups employ multiple strategies, including spear phishing, zero-day exploits, custom malware, and social engineering, to gain initial access and gradually move laterally within the network, escalate privileges, and establish persistent backdoors to exfiltrate data or prepare for a larger operation over months or even years. The most sophisticated APT discovered to date was GhostNet, identified in 2009.
An APT group might target a smart building not for its own sake but as a gateway. Attackers could gain access to a tenant’s corporate network through a vulnerability in the building’s shared smart infrastructure, then slowly map out the entire BAS network, identifying critical systems and planting backdoors and custom malware that standard antivirus software wouldn’t detect. Why use APTs? Past motivations have included industrial espionage, long-term occupant surveillance, and preparation for future sabotage of national critical infrastructure in buildings connected to such systems. Unfortunately, the stealthy and persistent nature of APTs makes them difficult to detect and mitigate.
If you own or manage a smart building, it’s best to partner with a cybersecurity company that can audit and analyze its systems for vulnerabilities and recommend and implement patches and fixes to shore up its defenses from cyberattacks. Talk to Scott Kuperman, Director at TeamLogic IT, and member of CREA United, an organization of CRE professionals from 92 firms representing all disciplines within the CRE industry, from brokers to subcontractors, financial services to security systems, interior designers to architects, movers to IT, and more.