A story in The Times last week by Emily Wright described a scary scenario: hackers remotely locking occupants inside an office building by taking control of its operational systems. Doors sealed. Alarms triggered. Chaos engineered - not through IT networks, but through building systems like HVAC and access control.
Sounds extreme - but it’s not hyperbole.
Modern commercial buildings are now dense ecosystems of connected technologies - BMS, HVAC, lifts, CCTV, access control, IoT sensors, even coffee machines. In the wake of the pandemic-era requirement to move everything from on-premises to cloud-based systems, there wasn’t time to develop a cybersecurity strategy for the buildings.
The result? Buildings have quietly become cyber-physical attack surfaces.
The shift: from IT risk to building risk
Cybersecurity in real estate has traditionally focused on tenant IT environments. But attackers are increasingly targeting operational technology (OT) - the systems that actually run buildings.
Why? Because OT often has:
- weaker authentication
- legacy protocols
- poor network segregation
- default credentials
- undocumented integrations
And critically: disruption to OT creates immediate physical and business impact.
A hacked laptop is an IT incident.
A hacked building is a safety, operational, and reputational crisis.
The uncomfortable truth: most owners don’t know their exposure
Across portfolios, we repeatedly see:
- Unknown devices connected to BMS networks
- Remote access pathways with no audit trail
- Vendors retaining persistent credentials
- Building systems exposed to the public internet
- No clear ownership between IT and FM teams
In other words, risk exists - but visibility doesn’t.
Russ Dobson, COO of Node, says:
Smart buildings are rapidly evolving into complex cyber-physical ecosystems, where network infrastructure is both an enabler of performance and a core part of the asset's risk surface. As upgrades layer onto legacy technologies, visibility often falls behind connectivity - which is why independent, rigorous audits are essential. They uncover hidden vulnerabilities, strengthen governance and help owners maintain secure, resilient operations beyond what compliance alone can demonstrate.
Why building technology audits are now essential infrastructure
As buildings digitise, technology governance must mature alongside them. That starts with understanding what is actually deployed and how it is configured.
Trustek’s building technology audit provides:
- a full map of connected systems and interfaces
- identification of cyber-physical vulnerabilities
- clarity on ownership and responsibility
- assessment of remote access and network exposure
You can’t manage what you can’t measure. Collating the point solutions deployed within our existing assets should be the minimum starting point for managing a building’s cybersecurity risk.






