70% of Smart Building attacks start where MSPs are not looking

Jan 12, 2026

TL;DR

  • Traditional MSP security tools - endpoint protection, email security, DNS filtering - only cover about 30% of a smart building's attack surface.  

  • The other 70% consists of building management systems, HVAC controllers, access control panels, and IP cameras that cannot run endpoint agents.  

  • Attackers increasingly target these unmonitored systems because they offer easy entry points and immediate operational impact.  

  • MSPs who can secure building systems gain competitive advantage because endpoint-focused competitors cannot follow them into this market. 

The traditional MSP security model 

What does the standard MSP security stack cover? 

If you have been in the MSP space for any length of time, you have heard the pitch: deploy endpoint protection, add email security, maybe throw in some DNS filtering, and your clients are covered. 

For traditional IT environments, that is not entirely wrong: 

  • Endpoints are where users work 

  • Email is where threats arrive 

  • DNS filtering catches the obvious stuff 

What is the problem with the traditional approach? 

Here is the problem: that model assumes your clients only have endpoints. And if any of your clients operate in smart buildings, that assumption is dangerously wrong. 

The standard MSP security approach creates a massive blind spot in smart buildings because building systems do not appear in traditional security tools. 

The 70% you cannot see 

What makes up the invisible attack surface in smart buildings? 

A typical smart building contains hundreds or thousands of connected devices that have nothing to do with laptops or servers: 

  • Building management system (BMS) controllers 

  • HVAC units with network interfaces 

  • Access control panels 

  • CCTV cameras and video surveillance systems 

  • Occupancy sensors 

  • Smart lighting controllers 

  • Lift controllers 

  • Environmental monitoring systems 

Why are these devices invisible to MSP security tools? 

None of these devices run Windows. None of them can install an endpoint agent. None of them show up in your RMM platform. 

And collectively, they represent roughly 70% of the attack surface in that building. 

What is the MSP security visibility gap? 

This is what we call the MSP security visibility gap: the disconnect between where you deploy security tools and where attacks actually originate. In smart buildings, that gap is enormous. 

The visibility problem: 

  • Traditional tools monitor endpoints (laptops, servers, workstations) 

  • Building systems operate on the same network but remain completely unmonitored 

  • Attackers exploit this blind spot to gain initial access 

  • MSPs have no way to detect compromise until damage is done 

Why attackers love building systems 

What makes building systems attractive targets for attackers? 

Sophisticated attackers follow the path of least resistance. They probe for entry points that defenders are not watching. 

Building systems are perfect targets because: 

  • Low visibility: Connected to the network but rarely monitored from a security perspective 

  • Weak authentication: Often use default credentials or weak authentication that has never been changed 

  • Protocol gaps: Run industrial protocols (BACnet, Modbus, OPC-UA) that IT security tools do not understand 

  • Lateral movement: Provide opportunities to move from building systems into corporate networks 

  • Immediate impact: Create operational disruption when compromised, increasing ransom payment likelihood 

Are ransomware groups actually targeting building systems? 

Yes. Ransomware operators have figured this out. Building automation systems are now the third most common target for ransomware attacks, behind traditional IT and healthcare. 

Real-world examples: 

  • Hotel chains with ransomware locking guests out of rooms via encrypted access control 

  • Casinos with attacks disabling slot machines and building systems simultaneously 

  • Manufacturing facilities facing complete shutdowns when BMS controllers are encrypted 

The attackers know that locking a building's HVAC or access control creates immediate pressure to pay. When your email server goes down, business slows. When your building management system is encrypted, your facility becomes uninhabitable. 

What building operators do not know 

How much of their attack surface do building operators typically understand? 

Here is the uncomfortable part: most building operators have no idea what is connected to their networks. 

We work with a partner who specializes in smart building security. When they run discovery scans for new clients, they consistently find three times more connected devices than the client expected. 

What types of unknown devices appear in building networks? 

Common discoveries include: 

  • IP cameras the facilities team installed years ago 

  • HVAC controllers added during a retrofit project 

  • Access control panels from a vendor who went out of business 

  • Legacy building automation systems from previous owners 

  • Wireless sensors deployed by contractors 

None of it documented. None of it monitored. All of it vulnerable. 

Why do building operators have such poor visibility? 

Building systems accumulate over years or decades: 

  • Facilities teams install devices without notifying IT 

  • Contractors add systems during renovations 

  • Vendors deploy equipment with remote access for maintenance 

  • Previous owners leave legacy systems in place 

Unlike IT assets that go through procurement and inventory processes, building systems often bypass these controls entirely. 

Why endpoint tools cannot help 

Can I just extend my existing endpoint protection to building systems? 

No. The natural response is to extend your existing security tools to cover these devices. If endpoint protection works for laptops, surely it can work for building controllers? 

It cannot. Here is why: 

What prevents endpoint agents from running on building systems? 

Technical limitations: 

  • Building systems run on real-time operating systems (RTOS) designed for specific control functions 

  • They do not have the compute overhead to run security agents 

  • They cannot be rebooted for updates without affecting building operations 

  • Many run embedded firmware with no capability to install additional software 

Protocol incompatibility: 

  • Building systems use industrial protocols like BACnet, Modbus, and OPC-UA 

  • Traditional security tools have never heard of these protocols 

  • Your EDR was designed to detect malicious processes on Windows 

  • It has no idea what normal behavior looks like for a BMS controller 

What happens if you try to scan building systems? 

Even if detection were possible, response actions could be catastrophic: 

  • Rebooting a controller could shut down HVAC across an entire building 

  • Isolating a device could disable access control or life safety systems 

  • Updates could cause operational disruptions during business hours 

Your endpoint tools cannot take response actions without potentially shutting down the building. This is why smart building cybersecurity requires fundamentally different approaches. 

A different approach: Passive monitoring 

What is passive monitoring and how does it work? 

Securing building systems requires a fundamentally different approach: passive monitoring. 

How passive monitoring works: 

  • Monitor network traffic generated by building systems without sending packets to devices 

  • Learn what normal behavior looks like for each device type 

  • Detect anomalies that suggest compromise 

  • Never touch the devices themselves 
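A minimal sketch of the learn-then-detect loop described above, added here as an illustration and not enhanced.io's own code. It assumes a hypothetical passive-sensor flow export of the form `src dst proto dport`, the default ports for BACnet/IP, Modbus/TCP and OPC-UA, and constructed sample flows; it also lists OT-speaking devices missing from the asset inventory.

```python
from collections import defaultdict

# Default ports for the protocols the article names (deployments may differ).
OT_PORTS = {("udp", 47808): "BACnet/IP", ("tcp", 502): "Modbus/TCP",
            ("tcp", 4840): "OPC-UA"}

def parse_flow(line):
    """Parse 'src dst proto dport' (hypothetical passive-sensor flow export)."""
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)

def learn_baseline(lines):
    """Map each device to the (peer, proto, port) tuples seen while learning."""
    baseline = defaultdict(set)
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        baseline[dst].add((src, proto, dport))
    return dict(baseline)

def undocumented_devices(lines, inventory):
    """Destinations of OT-protocol traffic that the asset inventory does not list."""
    found = set()
    for line in lines:
        _, dst, proto, dport = parse_flow(line)
        if (proto, dport) in OT_PORTS and dst not in inventory:
            found.add(dst)
    return sorted(found)

def detect(baseline, lines):
    """Flag traffic to baselined devices from a new peer or on a new service."""
    alerts = []
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        seen = baseline.get(dst)
        if seen is None or (src, proto, dport) in seen:
            continue
        kind = "new-service" if src in {p for p, _, _ in seen} else "new-peer"
        alerts.append((kind, src, dst, OT_PORTS.get((proto, dport), f"{proto}/{dport}")))
    return alerts

# Constructed sample flows (not real traffic): BMS server 10.20.0.5 polls controllers.
LEARNING = ["10.20.0.5 10.20.1.10 udp 47808", "10.20.0.5 10.20.1.20 tcp 502"]
OBSERVED = [
    "10.20.0.5 10.20.1.10 udp 47808",   # matches baseline
    "10.30.4.77 10.20.1.20 tcp 502",    # office workstation speaking Modbus
    "10.20.0.5 10.20.1.10 tcp 23",      # known peer, new service on controller
    "10.20.0.5 10.20.1.42 udp 47808",   # BACnet device missing from inventory
]
INVENTORY = {"10.20.1.10", "10.20.1.20"}

if __name__ == "__main__":
    for alert in detect(learn_baseline(LEARNING), OBSERVED):
        print(alert)
    print("undocumented:", undocumented_devices(OBSERVED, INVENTORY))
```

Everything here works from mirrored or tapped traffic only; no packet is ever sent to a controller.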

Is this technology proven? 

This is not new technology. Industrial security vendors have been doing it for years in critical infrastructure and manufacturing environments. 

But until recently, it was only available to enterprises with massive budgets and dedicated OT security teams. 

What is the opportunity for MSPs? 

The opportunity for MSPs is to bring that capability to the buildings that cannot afford enterprise solutions: 

  • Commercial real estate companies with portfolios of office buildings 

  • Hospitals managing multiple facilities 

  • Retail chains with hundreds of stores 

  • Educational institutions with campus buildings 

  • Hospitality operators with multiple properties 

These organizations need smart building cybersecurity but cannot justify enterprise OT security budgets. They are perfect MSP clients. 

The competitive angle 

Can my endpoint-focused competitors offer building system security? 

No. Here is what makes this interesting from a business perspective: your endpoint-focused competitors cannot follow you here. 

Mainstream MSP security vendors: 

  • Huntress: No OT capability, architecture built around endpoint agents 

  • Blackpoint: Cannot monitor devices that do not run agents 

  • RocketCyber: Focused exclusively on traditional IT security 

None of them have OT capability. Their architecture is built around endpoint agents. They cannot monitor devices that do not run agents. 

What about enterprise OT security vendors? 

The vendors who do understand OT security operate at a different level: 

  • Claroty, Dragos, Nozomi: Enterprise-focused with enterprise pricing 

  • Sell direct to large organizations 

  • Do not have MSP channel programs 

  • Not designed for the mid-market buildings MSPs serve 

What gap does this create in the market? 

That leaves a gap in the market: 

  • Smart buildings need security 

  • MSPs are the natural delivery channel 

  • But most MSPs cannot serve them 

  • And enterprise vendors do not want to 

This is a classic market opportunity: an underserved customer segment, a natural distribution channel, and weak competition.

Closing the gap: The enhanced.io approach 

How does enhanced.io enable MSPs to secure building systems? 

At enhanced.io, we built our platform to close this visibility gap specifically for MSPs. 

Our approach: 

  • Open XDR architecture: Integrates with sensors and collectors needed to monitor building systems 

  • Protocol-aware detection: Understands BACnet, Modbus, OPC-UA, and other industrial protocols 

  • SOC team expertise: Analysts understand both IT and OT environments 

  • Fractional security directors: Translate technical findings into business language that building operators understand 

What results are MSPs seeing? 

We are already monitoring more than 10,000 industrial and building automation devices across our partner network. 

Partner outcomes: 

  • MSPs who previously had to turn away smart building clients now compete for them 

  • Revenue expansion from adding OT security to existing building operator clients 

  • Market differentiation from endpoint-focused competitors 

  • Higher-value client relationships with facility managers and building operators 

How quickly can MSPs start securing building systems? 

Most MSPs: 

  • Complete platform integration in 1-2 weeks 

  • Conduct first building system assessment within 30 days 

  • Add OT security to service offerings within 90 days 

The platform, training, and support infrastructure exist today. The market opportunity is open now. 

Key takeaways 

The problem: 

  • 70% of the attack surface in smart buildings is invisible to traditional MSP security tools 

  • Building systems cannot run endpoint agents or tolerate active scanning 

  • Attackers increasingly target building management systems for immediate operational impact 

The opportunity: 

  • Smart buildings need security but cannot afford enterprise OT solutions 

  • MSPs are the natural delivery channel for mid-market building operators 

  • Endpoint-focused competitors cannot address this market 

The solution: 

  • Passive monitoring provides visibility without disruption 

  • Open XDR integrates building system security with traditional IT security 

  • Enhanced.io enables MSPs to deliver comprehensive coverage without becoming OT specialists 

What should MSPs do next? 

If you are an MSP looking to differentiate in a crowded market - like Onsite Technologies - the 70% that your competitors cannot see is exactly where you should be looking. 

Start here: 

  1. Identify which of your clients operate smart buildings (most do) 

  2. Assess the building systems currently invisible to your security tools 

  3. Understand the OT security requirements your clients face 

  4. Explore how enhanced.io can extend your security coverage 

Ready to explore OT security for your MSP? 

Read our complete guide to OT security for MSPs to understand the market opportunity, technical requirements, and go-to-market approach. 

Or book a discovery call to discuss how enhanced.io can help you close the visibility gap in your clients' smart buildings.  

Listen to the podcast:

OT Security for MSPs

FAQ

Do all my clients have building systems that need security?

Nearly every client with physical office space, retail locations, or operational facilities has building systems. HVAC, access control, video surveillance, and lighting automation all constitute building systems that require security monitoring.
