Chris Barns is vice president of real property consulting at R&K Solutions. Views are the author’s own.
Smart buildings rely on Internet of Things technology for everything from lighting to security systems. But the ease of such interconnectivity also brings the potential for expanded cyber threats. More than 30 adversarial actions were reported in 2023, and cyberattacks in 2024 impacted hundreds of thousands of IoT devices, an Asimily blog post states. These interconnected systems, while enhancing operational efficiency, create vulnerabilities that cybercriminals can exploit.
The consequences of cybersecurity breaches in smart buildings can be far-reaching, potentially leading to operational disruptions, financial losses and physical safety risks. Facilities leaders must address these challenges to safeguard building assets and occupants.
When devices like security cameras, thermostats and access control systems are designed with convenience in mind, the integration process can lead to overlooked security flaws. Weak passwords, unpatched software and outdated firmware are common issues that cybercriminals can exploit. Once inside the network, attackers can move laterally across interconnected systems, potentially gaining control over building operations like heating, ventilation and air conditioning (HVAC) systems. Some of the earliest IoT hacks involved HVAC systems, in fact.

In 2013, a cyberattack led to a data breach at retail giant Target that affected millions of its customers. That incursion came through the compromised account of an HVAC vendor. The financial impact was substantial, but the breach also exposed deeper issues around third-party risk management and the challenges of securing complex supply chains in a highly interconnected environment.
A lesser-known 2016 cyberattack hit the heating system of a smart building in Finland. By exploiting flaws in the building’s automated controls, attackers caused a system failure that left residents of two buildings without heat and hot water in winter.
More recently, a cyberattack on a U.S. water treatment plant in 2021 exploited a vulnerability in the plant’s supervisory control and data acquisition system. Once inside, the hackers were able to alter chemical levels in the water supply, potentially endangering public health.
Potential impacts
Cybersecurity breaches in smart buildings can impact operations, safety, finances and reputation. A breach in building operations systems could halt critical functions, such as HVAC or lighting, causing significant downtime and potential financial losses.
In extreme cases, the loss of operational functionality to critical systems like HVAC, elevators or security controls can compromise the safety and security of building occupants. For example, unauthorized access to fire suppression systems or entry controls could have life-threatening implications.
A smart building data breach can give hackers access to sensitive information including tenant data and operational details. The financial impact can involve direct costs, such as regulatory fines, and indirect costs, such as lost business and reputational damage.
For property managers and owners, the reputational damage from a data-compromised building can lead to a loss of tenant confidence, decreased property value, and difficulty in attracting future tenants. The public perception of a brand can suffer greatly, as the breach may signal broader issues with how the organization manages security and privacy. This reputational damage often exceeds the immediate financial losses, affecting the company’s long-term success.
Best practices
Securing smart buildings requires a multi-layered approach, starting with establishing a rigorous schedule for software updates and patch management. This basic measure ensures that all IoT devices and systems are protected against known vulnerabilities. Implementing strong vendor and contractor management is also crucial. This includes vetting third parties, enforcing strict access controls, and continuously monitoring their activities to prevent breaches originating from external sources.
Employee training is another cornerstone of cybersecurity. Conduct regular training sessions to educate staff on how to recognize threats such as phishing attempts, properly manage passwords and adhere to secure protocols. Given that human error is a leading cause of security breaches, an informed and vigilant workforce is one of the best defenses against cyber threats.
Finally, adopting a zero-trust security model enhances protection by assuming that every entity, whether inside or outside the network, must be thoroughly verified before access is granted. This model is particularly effective in dealing with IoT cybersecurity challenges within smart buildings, ensuring that even trusted sources are subject to scrutiny.
Proactive measures such as regular updates, stringent vendor management, network segmentation, and comprehensive employee training can significantly reduce the likelihood of breaches. As smart buildings continue to evolve, staying ahead of cybersecurity trends and threats will be crucial for safeguarding both digital and physical assets.
Cybersecurity is a key element of a broader information assurance strategy, which covers not just keeping bad actors out, but also ensuring data accuracy and data availability for authorized users. Expertise in information assurance can help facilities managers address the risks of new smart-building technologies as well as the benefits.