Smart Building Cybersecurity: Risks, Fears and Solutions

As building automation systems become increasingly interconnected, builders, manufacturers, and owners can work together to benefit from them without compromising security.

The deployment of smart building technologies can help reduce energy use and improve performance. But the additional connectivity these systems require also increases cybersecurity risk.

To reduce these risks, owners, facilities managers, IT professionals, manufacturers, and others can work together to establish and maintain sound security practices. These countermeasures include secure network design, plans to maintain the systems over their lifetime (including timely software updates), and robust credential management, all of which protect the building from attackers.

By developing plans and ensuring ownership of these long-term processes, stakeholders can embrace the benefits of smart systems without taking unnecessary risks.

Smart building technologies are becoming the norm because they boost efficiency and productivity. These systems increasingly rely on artificial intelligence and other advanced technologies. They can control HVAC, lighting, irrigation, security, and other areas to simplify building management and increase energy savings, sustainability, comfort, and compliance.

Smart building technologies often require additional connectivity (within a building, and to Internet services) to deliver the promised benefits. This connectivity adds risk, but that risk is manageable. By following established best practices and engaging cross-functional teams, building owners and other stakeholders can safeguard these systems and reap the benefits without taking on undue risk.

Cybersecurity Headlines Have Created Significant Fear

Cybersecurity risks can be daunting—in 2022, there were 480,000 cyberattacks in the U.S. alone.3 Still, with the advantage of hindsight, we can learn from mistakes and take proactive steps to avoid repeating them.

In response to this fear and uncertainty, many companies have focused on transferring the risk rather than reducing it. Cybersecurity insurance has become both popular and costly.4 While insurance may increase peace of mind, it does not make the systems themselves any more secure.

Many companies have implemented processes that allow specialized teams to focus on validating products and installation processes for smart controls deployed within their facilities. These teams often set minimum product expectations, perform vulnerability assessments, and document expected configurations.

While there is no universal definition of “secure” in cybersecurity, there are many well-documented best practices that can be implemented today to realize operational benefits without undue risk.

Safeguarding Smart Building Technologies

Historically, operational technology (OT), including building automation systems, has been deployed without the involvement of the information technology (IT) department. This happens for a few reasons:

  • IT resources may not be available within many organizations
  • IT resources may be seen as slowing or stopping progress
  • OT staff may not believe that IT partnership is necessary (“Who would bother to hack my OT system? There are certainly more valuable targets.”)

With this reality and the increased adoption of smart building technologies (including Internet of Things (IoT) systems), OT systems have increasingly been targeted by bad actors. The “more valuable targets” argument also misses the point: a poorly secured building system is valuable precisely as a stepping stone into the rest of the network, as the casino fish-tank thermometer and the Target HVAC-vendor breaches showed.1,2 Attackers have tools to discover, exploit, and monetize building systems; Internet-wide scanning services index exposed devices and readily reveal a system’s software and version, IP address, operating system, and open ports.5

The first step for implementing these beneficial technologies without adding undue risk is to bring the OT and IT teams together. Working jointly, these teams can lay out the network design, apply system updates on a timely and regular schedule, manage credentials and access, and agree on the other items needed for the systems to stay secure over their lifetime. A brief overview of these items is laid out below.

Secure Network Design

Proper network layout is essential to the defense of the system. Network administrators use firewalls, virtual local area networks (VLANs), and similar technologies to restrict access to only the hosts and users that need it: building controllers should be reachable from the operator and management systems that legitimately talk to them, not from the general office network or the Internet, and everything not explicitly permitted should be blocked.

Physically separating the systems can achieve the same outcome, though it may be costly or sacrifice convenience. Network administrators should also protect physical network access (e.g., locked IT closets).
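
To make the allow-list idea concrete, here is an added example (not from the original article) that models one possible segmentation of a BAS network as a default-deny policy, checks whether individual flows would be permitted, and renders the same policy as an nftables ruleset. The zone names, address ranges, and the choice of BACnet/IP (UDP 47808) and HTTPS as the only permitted services are assumptions for illustration; adapt them to your site.

```python
"""Model a segmented BAS network as a default-deny allow-list and check flows.

Added example; the zones and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for one site (not from the article).
ZONES = {
    "ot_mgmt":         ip_network("10.20.0.0/24"),   # facilities/IT jump hosts
    "bas_controllers": ip_network("10.30.0.0/24"),   # HVAC/lighting controllers
    "update_server":   ip_network("10.40.0.10/32"),  # on-prem firmware mirror
    "corp_users":      ip_network("10.10.0.0/16"),   # office workstations
}
UNTRUSTED = "untrusted"  # anything not in a named zone, e.g. the Internet


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# Permitted connection initiations; anything not listed is dropped.
ALLOW = [
    Rule("ot_mgmt", "bas_controllers", "udp", 47808),     # BACnet/IP (0xBAC0)
    Rule("ot_mgmt", "bas_controllers", "tcp", 443),       # controller web UI (assumed)
    Rule("bas_controllers", "update_server", "tcp", 443), # controllers pull patches
]


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address to a zone; unmatched is untrusted."""
    addr = ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if addr in net]
    return max(matches)[1] if matches else UNTRUSTED


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Would the firewall let src_ip open a new proto/dport connection to dst_ip?

    Only connection initiation is evaluated; return traffic is covered by the
    stateful rule in the rendered ruleset.
    """
    candidate = Rule(zone_of(src_ip), zone_of(dst_ip), proto.lower(), dport)
    return candidate in ALLOW


def render_nftables() -> str:
    """Emit the same policy as an nftables forward chain with a default drop."""
    lines = [
        "table inet bas_segmentation {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for r in ALLOW:
        lines.append(
            f"        ip saddr {ZONES[r.src]} ip daddr {ZONES[r.dst]} "
            f"{r.proto} dport {r.dport} accept"
        )
    lines += ['        log prefix "bas-drop: " drop', "    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    for flow in [("10.20.0.5", "10.30.0.7", "udp", 47808),   # operator -> controller
                 ("10.10.4.4", "10.30.0.7", "udp", 47808),   # office PC -> controller
                 ("203.0.113.9", "10.30.0.7", "tcp", 443),   # Internet -> controller
                 ("10.30.0.7", "203.0.113.9", "tcp", 443)]:  # controller -> Internet
        print(flow, "ALLOW" if is_allowed(*flow) else "DROP")
```

The flow checks are the questions an IT/facilities review should be able to answer for the real network: can an office workstation or an Internet host reach a controller, and can a controller reach anything other than its update server? Compare the printed ruleset with what is actually loaded on the firewall; the `log ... drop` rule also gives the security team visibility into attempts that the segmentation blocks.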

Timely and Frequent System Updates

Clear ownership for applying system updates is just as important as the network design.

Consider how smartphones and other products handle security—manufacturers develop patches, and consumers install them, but who takes responsibility for updating building automation systems? IT or facilities?

BAS and HVAC equipment manufacturers regularly release security patches for their connected controllers. But if nobody is specifically tasked with applying these updates, the vulnerabilities they fix remain exploitable in the building.

Credential and Access Management

User credentials are a common weak point in a system’s security. Weak, shared, or reused passwords have plagued networked systems since they were introduced. Authenticating against a centralized identity provider, through single sign-on or federated authentication, is the modern way to improve credentialing: users log in to the building systems with their corporate identity rather than with local accounts maintained separately on each controller.

This type of system lets administrators manage active users and policies centrally, including password complexity, expiration, and multi-factor authentication (one-time passcodes, biometrics). If an employee’s duties change or they leave the company, their access should be adjusted or revoked immediately, in one place, rather than account by account on every controller.
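
As an added example (not from the original article), the following script performs the kind of access review this paragraph implies: it reconciles a BAS server’s local account list against the identity provider’s roster and flags accounts that should no longer exist, are shared, hold more privilege than the person’s current role justifies, or have gone unused. The user records, role names, and the 90-day staleness threshold are constructed for illustration.

```python
"""Reconcile BAS local accounts against the identity provider's roster.

Added example with constructed sample data; real reviews would pull these
lists from the IdP's user API and the BAS server's user export.
"""
from datetime import date, timedelta

# Constructed IdP roster: username -> (status, role)
IDP_USERS = {
    "jsmith": ("active",   "facilities_admin"),
    "ajones": ("active",   "facilities_operator"),
    "rlee":   ("disabled", "facilities_admin"),   # left the company
    "mchen":  ("active",   "finance"),            # duties changed
}

# Constructed BAS account export: (username, bas_role, last_login)
BAS_ACCOUNTS = [
    ("jsmith",   "admin",    date(2024, 7, 1)),
    ("ajones",   "operator", date(2024, 6, 20)),
    ("rlee",     "admin",    date(2024, 5, 2)),
    ("mchen",    "admin",    date(2024, 3, 15)),
    ("operator", "operator", date(2024, 7, 3)),    # shared/generic account
    ("vendor1",  "admin",    date(2023, 11, 9)),   # no IdP record at all
]

GENERIC_NAMES = {"admin", "operator", "service", "guest", "root"}
# Assumed mapping: which IdP roles justify which BAS privilege level.
ALLOWED_ROLES = {
    "admin":    {"facilities_admin"},
    "operator": {"facilities_admin", "facilities_operator"},
}
STALE_AFTER = timedelta(days=90)
REVIEW_DATE = date(2024, 7, 9)  # fixed so the example is reproducible


def review_accounts(bas_accounts, idp_users, today):
    """Return (username, issue) pairs for every account needing action."""
    findings = []
    for user, bas_role, last_login in bas_accounts:
        if user in GENERIC_NAMES:
            findings.append((user, "shared or generic account; replace with named SSO users"))
        idp = idp_users.get(user)
        if idp is None:
            findings.append((user, "no identity-provider record; local account should be removed"))
        elif idp[0] != "active":
            findings.append((user, "identity disabled in IdP but still enabled in BAS; revoke now"))
        elif idp[1] not in ALLOWED_ROLES.get(bas_role, set()):
            findings.append((user, f"BAS role {bas_role!r} not justified by IdP role {idp[1]!r}; reduce privilege"))
        idle = today - last_login
        if idle > STALE_AFTER:
            findings.append((user, f"no login for {idle.days} days; disable"))
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_accounts(BAS_ACCOUNTS, IDP_USERS, REVIEW_DATE)


if __name__ == "__main__":
    for user, issue in run_review():
        print(f"{user:10} {issue}")
```

In the sample data only the two accounts whose IdP record is active and whose BAS privilege matches their role pass cleanly; the departed administrator, the user who moved to finance, the shared “operator” login, and the vendor account with no identity behind it are all flagged. Running this kind of reconciliation on a schedule is how the “immediately updated” requirement gets verified rather than assumed.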

Cybersecurity is a Team Sport

Ultimately, security measures fall short of current best practices when people are siloed. Facilities and IT staff, for example, have different goals, which can lead to adversarial relationships: facilities wants convenience, and IT demands security. Both groups have valuable perspectives and experience to contribute.

This highlights an important reality: cybersecurity is complex and requires a multi-disciplinary approach. IT staff may not fully understand the issues contractors, owners, and facilities people face, and vice versa. While the best practices above are important, a cross-functional team with clear roles and responsibilities is arguably the most important one, because it is what turns the others into realized operational value while minimizing organizational risk.

By proactively developing these collaborative teams, companies can avoid gray areas in which individuals assume someone else is responsible and the work doesn’t get done. By clearly delineating who oversees software and hardware issues, organizations can significantly reduce the impacts of bad actors taking advantage of known vulnerabilities.

References

1 Williams-Grut, Oscar. “Hackers Once Stole a Casino’s High-Roller Database through a Thermometer in the Lobby Fish Tank.” Business Insider, www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4. Accessed 9 July 2024.

2 Krebs, Brian. “Email Attack on Vendor Set Up Breach at Target.” Krebs on Security, 12 Feb. 2014, krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/.

3 Petrosyan, Ani. “U.S. Number of Cyberattacks 2022.” Statista, 2 Feb. 2024, www.statista.com/forecasts/1448523/us-cyberattacks-annual.

4 SC Staff. “Fighting Ransomware: A Guide to Getting the Right Cybersecurity Insurance.” SC Media, 12 Jan. 2024, www.scmagazine.com/resource/a-guide-to-getting-the-right-cybersecurity-insurance.

5 “5 Useful Search Engines for Internet-Connected Devices and Services.” WeLiveSecurity, 18 May 2023, www.welivesecurity.com/2023/05/18/5-search-engines-internet-connected-devices-services/. Accessed 9 July 2024.