Jan 22, 2026
TL;DR
Cybercriminals target smart buildings through four primary attack scenarios:
1. Ransomware encrypting building management systems to make buildings unusable.
2. Compromising access control systems to unlock doors or disable security.
3. Manipulating HVAC systems for extortion or sabotage.
4. Using low-security IoT devices as entry points to reach corporate networks.
All four scenarios exploit the visibility gap - building systems sit unmonitored while attackers know defenders are not watching.
MSPs who can secure building systems gain immediate differentiation and open opportunities with commercial real estate, healthcare, and retail clients.
Why smart buildings are attractive targets
What makes smart buildings appealing to cybercriminals?
Smart buildings are increasingly attractive targets for cybercriminals. The combination of connected systems, limited security monitoring, and immediate operational impact makes them ideal for extortion. Unlike traditional IT attacks that might take days or weeks to create business pressure, compromising a building's operational systems creates immediate, visible consequences that building operators cannot ignore.
For MSPs advising building operators, understanding these attack scenarios is essential. The threat landscape for smart buildings differs fundamentally from traditional IT security, and the tactics attackers use exploit weaknesses that most security tools never see. Here are the four primary ways criminals target smart buildings, and what you can do about each.
Scenario 1: Ransomware on building management systems
How do attackers deploy ransomware on BMS?
Criminals gain access to the building management system, often through compromised credentials or vulnerable remote access portals that were set up years ago and never properly secured. Many BMS platforms include remote management capabilities that vendors use for maintenance and support. If these access points use weak authentication or have not been updated with security patches, they become easy entry points for attackers.
Once inside the building network, attackers move laterally to identify BMS controllers and the management workstations that configure them. They study the environment, understanding which systems are most critical and where backups might exist. Then they deploy ransomware that encrypts both the BMS controllers themselves and the workstations that manage the building.
What is the impact of BMS ransomware?
When the encryption executes, heating, cooling, and lighting stop responding to commands. The building becomes uncomfortable or unusable. Tenants cannot work effectively in spaces that are too hot, too cold, or too dark. Building operators lose control of critical systems and have no way to adjust conditions as needs change throughout the day. The ransom demand typically ranges from tens of thousands to hundreds of thousands of dollars, with payment deadlines measured in hours rather than days.
Recovery without payment is painful for several reasons. BMS configurations are complex and often poorly documented. Many building operators lack complete documentation of setpoints, control logic, and integration points between systems. Rebuilding from scratch can take days or weeks. During recovery, the building remains degraded or partially functional. Lost productivity and tenant complaints compound the direct financial damage.
Is this a real threat or hypothetical?
This is not hypothetical. Building automation systems are now the third most common target for ransomware, behind traditional IT and healthcare. Attackers know these systems are rarely backed up properly and poorly monitored from a security perspective. Real-world examples include hotel chains with ransomware locking guests out of rooms, office buildings with HVAC and lighting encrypted, and retail facilities unable to operate due to building system compromise.
What can MSPs do to prevent BMS ransomware?
MSP protective actions:
Monitor for unauthorized access to BMS networks and management interfaces
Detect anomalous communication patterns that suggest lateral movement from IT to OT networks
Alert on any encryption activity in OT environments before widespread damage occurs
Ensure BMS configurations are backed up regularly with offline or immutable storage
Verify network segmentation between corporate IT and building automation networks
Track remote access to building systems and alert on suspicious connections
Scenario 2: Access control system compromise
How do attackers compromise access control systems?
Attackers target the physical access control system through multiple potential vectors. Compromised credentials from phishing campaigns or password reuse give them legitimate access to management interfaces. Vulnerable controller firmware with known exploits allows direct compromise of access panels. Default passwords that were never changed during installation provide easy entry. Many access control systems were deployed years ago when security was an afterthought, and those original weaknesses persist today.
Once they control the access system, they can manipulate physical security across the entire facility. Modern access control systems are networked platforms that manage thousands of doors across multiple buildings from centralized servers. Compromising that central management gives attackers control over every access point in the organization.
What can attackers do once they control access systems?
The capabilities attackers gain are deeply concerning from both security and safety perspectives. They can unlock doors remotely throughout the facility, letting unauthorized people into secure areas. They can lock authorized people out, including during emergencies when rapid evacuation is critical. They can grant credentials to accomplices, creating legitimate-looking access that bypasses all physical security measures. They can disable security systems entirely, turning off alarms and monitoring. They can erase access logs to hide their activity and make forensic investigation difficult.
The safety implications are severe. Imagine an attacker who can remotely unlock any door in a hospital, compromising patient safety and medication security. Or lock employees inside a building during an emergency, creating life safety hazards. Or grant access to restricted areas containing valuable equipment, sensitive information, or hazardous materials. These are not theoretical concerns - they are real capabilities that attackers gain through access control compromise.
What are the liability implications?
Beyond safety, there is significant liability exposure. If unauthorized access leads to theft of property or intellectual property, physical assault or violence, privacy violations, or regulatory compliance breaches, the building operator may face substantial legal consequences. Insurance claims, tenant lawsuits, regulatory fines, and reputational damage can all follow from a single access control compromise. Building operators become liable for breaches that occurred because they failed to secure systems they did not realize were vulnerable.
What can MSPs do to protect access control systems?
MSP protective actions:
Monitor access control system traffic for anomalies and unusual patterns
Alert on configuration changes or unusual command sequences
Detect communication with unexpected external addresses that could indicate remote attacker access
Verify that default credentials have been changed on all controllers and panels
Baseline normal access patterns and alert on deviations
Monitor for bulk credential changes that could indicate compromise
Track firmware versions and alert on unauthorized updates
Scenario 3: Climate system manipulation
How do attackers manipulate HVAC systems?
Attackers target HVAC controls for either extortion or sabotage. They gain access through similar vectors as other building systems - compromised credentials, vulnerable interfaces, or inadequately secured remote access. Once inside, they override temperature settings beyond normal operating ranges, disable climate control entirely, or cycle systems rapidly to cause equipment damage. The attack can be dramatic and immediate, or subtle and gradual depending on the attacker's objectives.
In dramatic attacks, they make conditions unbearable. In summer, they turn heating to maximum, making spaces unbearably hot. In winter, cooling systems run constantly, making buildings uncomfortably cold. Equipment suffers damage from constant rapid cycling as compressors, motors, and control systems are forced to start and stop repeatedly outside normal operating parameters. Energy bills spike as systems run inappropriately or inefficiently. Tenants complain and may break leases or demand compensation for unusable spaces.
What buildings face the highest risk from climate attacks?
For buildings with sensitive environments, climate manipulation can cause damage far exceeding the building value itself. Data centers face server and network equipment damage worth millions when cooling fails. Laboratories lose experiments and sensitive materials when temperature deviations occur. Food storage facilities face inventory loss and health hazards when refrigeration is compromised. Pharmaceutical storage loses medications that become ineffective outside temperature ranges. Museums and archives see irreplaceable artifacts damaged by environmental changes.
Can HVAC attacks be subtle rather than dramatic?
The attack can be subtle and harder to detect than dramatic sabotage. Rather than making spaces immediately unbearable, attackers might make small changes that increase energy costs over time. Gradual efficiency degradation goes unnoticed by occupants but shows up in utility bills months later. Attackers then extort payment to reveal what they have done and restore normal operation. This approach avoids immediate detection while generating ongoing costs that compound month after month. By the time building operators realize something is wrong, the financial damage is substantial and the attack vector is difficult to identify.
What can MSPs do to detect HVAC manipulation?
MSP protective actions:
Baseline normal HVAC operation patterns including setpoints, schedules, and cycling behavior
Alert on unusual setpoint changes, especially those outside normal operating ranges
Detect changes to operating schedules that differ from programmed patterns
Identify commands that come from unexpected sources rather than authorized management systems
Monitor for signs of remote access to HVAC controllers from unusual locations
Track energy consumption patterns and correlate with HVAC behavior
Alert on rapid cycling that could indicate malicious activity or compromised logic
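A sketch of how the baseline checks in this list can be expressed as detection rules. This is an added example, not enhanced.io's code. The event format, addresses, setpoint band and cycling threshold are assumptions, and the sample events are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed baseline for one HVAC zone; real values come from observed normal operation.
BASELINE = {
    "setpoint_range_c": (18.0, 26.0),      # normal setpoint band in Celsius
    "authorized_sources": {"10.20.0.5"},   # hypothetical BMS management workstation
    "max_starts": 4,                       # compressor starts tolerated ...
    "window": timedelta(minutes=30),       # ... inside this sliding window
}

# Constructed sample events (not real telemetry): (time, source, kind, value)
EVENTS = [
    ("2026-01-22T09:00:00", "10.20.0.5", "setpoint", 21.5),
    ("2026-01-22T09:05:00", "10.20.0.5", "compressor_start", None),
    ("2026-01-22T09:12:00", "10.20.7.44", "setpoint", 35.0),
    ("2026-01-22T09:13:00", "10.20.7.44", "compressor_start", None),
    ("2026-01-22T09:16:00", "10.20.7.44", "compressor_start", None),
    ("2026-01-22T09:19:00", "10.20.7.44", "compressor_start", None),
    ("2026-01-22T09:22:00", "10.20.7.44", "compressor_start", None),
    ("2026-01-22T10:30:00", "10.20.0.5", "compressor_start", None),
]

def detect(events, baseline=BASELINE):
    """Return (timestamp, rule, detail) alerts for deviations from the baseline."""
    alerts = []
    starts = deque()                        # start times inside the sliding window
    lo, hi = baseline["setpoint_range_c"]
    for ts, src, kind, value in events:
        t = datetime.fromisoformat(ts)
        if kind == "setpoint":
            # A setpoint write is a command: check who sent it and what it asks for.
            if src not in baseline["authorized_sources"]:
                alerts.append((ts, "unexpected_source", src))
            if not lo <= value <= hi:
                alerts.append((ts, "setpoint_out_of_range", value))
        elif kind == "compressor_start":
            starts.append(t)
            # Drop starts that have aged out of the window before counting.
            while starts and t - starts[0] > baseline["window"]:
                starts.popleft()
            if len(starts) > baseline["max_starts"]:
                alerts.append((ts, "rapid_cycling", len(starts)))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The isolated start at 10:30 raises nothing because the earlier starts have aged out of the 30-minute window.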
Scenario 4: IoT devices as entry points
How do attackers use IoT devices to compromise smart buildings?
Attackers compromise low-security IoT devices like IP cameras, occupancy sensors, or smart lighting and use them as entry points to reach higher-value targets. These devices are attractive initial targets because they often have weak default credentials that were never changed, firmware that is rarely updated, and limited or no security features. Many were deployed by contractors who prioritized functionality over security, and they are not managed by IT teams or included in asset inventories.
Once compromised, attackers use these IoT devices as pivot points. The compromised device itself might not be valuable - a camera in a lobby or a motion sensor in a hallway has little inherent worth. But once inside the network, attackers can move laterally to corporate systems with sensitive business data, access tenant networks in multi-tenant buildings, reach critical building infrastructure like BMS or access control, establish persistent access for future attacks, and conduct reconnaissance on network architecture and systems.
What is the impact of IoT compromise?
This is especially dangerous when building networks are not properly segmented from tenant networks. A compromised camera in the lobby becomes a beachhead for attacking tenant systems. From the building operator's perspective, they become liable for a breach that affected their tenants, even though the initial target seemed innocuous. Tenant lawsuits and insurance claims can follow, often exceeding the cost of proper security by orders of magnitude.
The challenge is that IoT devices are often invisible to traditional security tools and processes. They were installed by facilities teams or contractors without going through IT procurement. They are not in asset management databases. No one is tracking their firmware versions or monitoring their network behavior. They exist in the same visibility gap as other building systems, but they are even more numerous and diverse.
What can MSPs do to secure IoT devices in buildings?
MSP protective actions:
Discover and inventory all IoT devices on building networks, including shadow IT deployed by contractors
Monitor for unusual traffic patterns from IoT devices that could indicate compromise
Detect lateral movement attempts from IoT devices to other network segments
Verify network segmentation between building systems and tenant networks
Track firmware versions and identify devices running outdated software
Alert on IoT devices communicating with unexpected external addresses
Implement least-privilege access so IoT devices can only reach necessary resources
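The segmentation, inventory and least-privilege checks in this list can be run against flow records. This is an added example, not enhanced.io's code. The segment plan, inventory, allow-list and flows are constructed assumptions.

```python
import ipaddress

# Assumed address plan for one building (hypothetical values).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SEGMENTS = {
    "iot": ipaddress.ip_network("10.30.0.0/24"),
    "bms": ipaddress.ip_network("10.20.0.0/24"),
    "tenant": ipaddress.ip_network("10.50.0.0/16"),
}
# Least-privilege policy: the only (destination, port) pairs IoT devices need.
ALLOWED = {("10.30.0.10", 554), ("10.30.0.2", 123)}   # video recorder, NTP
# Devices the asset inventory knows about.
INVENTORY = {"10.30.0.21", "10.30.0.22"}

# Constructed flow records: (source, destination, destination port)
FLOWS = [
    ("10.30.0.21", "10.30.0.10", 554),    # camera to recorder: expected
    ("10.30.0.22", "10.20.0.5", 502),     # camera to BMS segment
    ("10.30.0.22", "203.0.113.7", 443),   # camera to an outside address
    ("10.30.0.99", "10.50.3.8", 445),     # unknown device to tenant segment
    ("10.20.0.5", "10.20.0.40", 502),     # BMS traffic: out of scope here
]

def review(flows):
    """Return (src, dst, port, finding) for IoT flows that break the policy."""
    findings = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in SEGMENTS["iot"]:
            continue                       # only IoT-sourced flows are reviewed
        if src not in INVENTORY:
            findings.append((src, dst, port, "uninventoried_device"))
        if (dst, port) in ALLOWED:
            continue
        if d not in INTERNAL:
            findings.append((src, dst, port, "external_destination"))
            continue
        seg = next((n for n, net in SEGMENTS.items() if d in net), "unknown")
        label = "not_in_policy" if seg == "iot" else "cross_segment:" + seg
        findings.append((src, dst, port, label))
    return findings

if __name__ == "__main__":
    for finding in review(FLOWS):
        print(finding)
```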
The common thread: The visibility gap
What do all four attack scenarios have in common?
All four scenarios share a common element: they exploit the visibility gap. Building operators typically have security tools watching their corporate IT systems. They have firewalls at the perimeter. They might have endpoint protection on workstations. They implement email security and web filtering. They monitor and log activity on servers.
But the building systems themselves sit in a blind spot. No agents are monitoring BMS controllers because these devices cannot run agents. No protocol-aware detection is watching for anomalous commands because traditional security tools do not understand BACnet or Modbus. No alerting occurs when an access control panel starts communicating with an unusual destination because no one is watching that traffic. There is no visibility into HVAC controller behavior. There is no inventory of IoT devices on building networks.
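A minimal illustration of what protocol-aware detection means for Modbus/TCP: decode the request header and function code, then flag write operations from hosts that are not the management station. This is an added example, not enhanced.io's code. The addresses and frames are constructed, and it assumes one request per TCP payload.

```python
import struct

# Standard Modbus function codes that change state on the controller.
WRITE_FUNCTIONS = {
    0x05: "write_single_coil",
    0x06: "write_single_register",
    0x0F: "write_multiple_coils",
    0x10: "write_multiple_registers",
}
# Function codes whose request body starts with a 2-byte address and a 2-byte field.
ADDRESSED = {0x01, 0x02, 0x03, 0x04} | set(WRITE_FUNCTIONS)
AUTHORIZED_WRITERS = {"10.20.0.5"}   # hypothetical BMS management workstation

def parse_request(payload: bytes):
    """Decode a Modbus/TCP request; return None if the framing is not Modbus/TCP."""
    if len(payload) < 8:
        return None
    # MBAP header: transaction id, protocol id, length, unit id; then function code.
    _tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6:
        return None
    addr = field = None
    if func in ADDRESSED and len(payload) >= 12:
        # field is the value for 0x05/0x06 and a quantity for the other codes
        addr, field = struct.unpack(">HH", payload[8:12])
    return {"unit": unit, "function": func, "address": addr, "value_or_qty": field}

# Constructed captures: (source address, TCP payload sent to port 502)
PACKETS = [
    ("10.20.7.44", bytes.fromhex("000100000006010300640002")),  # read 2 registers at 100
    ("10.20.0.5",  bytes.fromhex("0002000000060106006400d7")),  # write 215 to register 100
    ("10.20.7.44", bytes.fromhex("00030000000601060064015e")),  # write 350 to register 100
    ("10.20.7.44", b"GET / HTTP/1.1\r\n"),                      # not Modbus
]

def detect_writes(packets, authorized=AUTHORIZED_WRITERS):
    """Return (src, operation, address, value_or_qty) for unauthorized writes."""
    alerts = []
    for src, payload in packets:
        req = parse_request(payload)
        if req is None:
            continue
        name = WRITE_FUNCTIONS.get(req["function"])
        if name and src not in authorized:
            alerts.append((src, name, req["address"], req["value_or_qty"]))
    return alerts

if __name__ == "__main__":
    print(detect_writes(PACKETS))
```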
Why do attackers specifically target building systems?
Attackers know this. They target building systems precisely because they know defenders are not watching. From the attacker's perspective, corporate IT systems have multiple layers of security that must be bypassed or evaded. Building systems have minimal or no security monitoring, making initial compromise easier. Compromise of building systems creates immediate operational impact that is visible and disruptive. Recovery is difficult due to poor documentation and backup practices. And pressure to pay ransoms is higher than for traditional IT ransoms because building operators cannot wait days or weeks for recovery - they need their buildings functional immediately.
The MSP opportunity in smart building cyber attacks
What risk do MSPs face if clients experience building system attacks?
For MSPs, these attack scenarios represent both a risk and an opportunity. The risk is straightforward: if you are advising building operators and they get compromised through systems you were not monitoring, that reflects on you. Clients will reasonably ask why these systems were not protected, why they were not informed about this vulnerability, and what value they are receiving if critical systems are completely unmonitored. The relationship damage can be significant, and the client may seek other providers who can offer more comprehensive coverage.
What opportunity exists for MSPs in commercial building security?
The opportunity is equally significant. Most MSPs cannot offer building security. If you can, you differentiate immediately. You open conversations with commercial real estate companies managing building portfolios across multiple properties. You engage with hospitals concerned about access control and life safety systems. You serve retail chains with building automation across hundreds of locations. You partner with hospitality operators protecting guest access and climate control. You support data center operators with critical HVAC monitoring.
These are valuable client relationships with recurring revenue opportunities and lower competitive pressure than traditional IT security services. The question is how to develop that capability without building an OT security practice from scratch. Hiring industrial security specialists is expensive and difficult. Training existing staff on building protocols takes years. Deploying specialized monitoring infrastructure requires capital investment. Developing expertise in building automation, access control, and HVAC control is time-consuming. Building relationships with OT-focused vendors is challenging.
How enhanced.io helps MSPs secure smart buildings
What does enhanced.io provide for building security?
We built our platform specifically to close the building security gap for MSPs. Our Open XDR integrates with the sensors and collectors needed to monitor building systems. Our protocol-aware detection understands BACnet, Modbus, and other building automation protocols that traditional security tools ignore. Our behavioral analytics baseline normal building system operation and detect anomalies that indicate compromise or malicious activity.
Our SOC team understands both IT and OT threats specific to smart buildings. When an alert fires on unusual access control activity or anomalous HVAC behavior, the analysts investigating know what questions to ask and what context matters. Our fractional security directors can explain findings to building operators in business terms they understand, translating technical security concepts into operational risk language that facilities managers and property owners can act on.
How quickly can MSPs start offering building security?
If you want to offer building security to your clients, we can help you get there without years of investment in OT expertise. Platform integration takes one to two weeks. You can conduct your first building assessment within thirty days. Full operational capability typically comes within ninety days. The infrastructure, expertise, and support exist today. The market opportunity is open now, before it becomes crowded.
Key takeaways
Four primary attack scenarios:
The common vulnerability: All four scenarios exploit the visibility gap - building systems remain unmonitored while corporate IT receives comprehensive security attention.
The MSP opportunity: Most MSPs cannot offer building security, creating differentiation for those who can. Building operators desperately need partners who understand both IT and OT security. Market opportunity exists now before it becomes crowded.
What should MSPs do next?
Ready to assess your clients' building security posture? Start by identifying which clients have building management systems, access control, or HVAC automation. Evaluate their current security coverage and identify the visibility gap in building systems. Understand which attack scenarios are most relevant to their building types and operational requirements.
Contact us for a discovery conversation about OT security assessments for your clients' buildings. Learn how enhanced.io enables MSPs - like Onsite Technologies - to deliver comprehensive commercial building security without building an OT practice from scratch.
Or read our complete guide to OT security for MSPs to understand the full technical approach and market opportunity in protecting smart buildings from cyber attacks.


