
The Risks of Being Smart: Smart Buildings and Cybersecurity Standards

Explore the relationship between smart buildings and cybersecurity through their shared history.

 

Executive Summary

 

Smart buildings and cybersecurity seem unrelated on the surface. Smart buildings are principally concerned with using connectivity to gain visibility into assets and capturing data for optimization of operational performance in terms of maximal conservation of water and energy.
Cybersecurity, on the other hand, is concerned with protecting communications networks, and the information on those networks, from foreign and domestic adversaries who could use unauthorized access to create outages, hold assets hostage and cause other damages. 

 

This presentation offers a comprehensive, albeit non-exhaustive, exploration of the relationship between smart buildings and cybersecurity that: (i) explores the history of smart buildings; (ii) clarifies the difference between operational technology (OT) and information technology (IT) cybersecurity including the protocols that drive OT cybersecurity programs; (iii) provides recent examples of critical attacks on building controls; (iv) defines present design standards, policies, and programs for cybersecurity in the built environment; (v) identifies common educational gaps among architecture, engineering and construction (AEC) and cybersecurity professionals; (vi) anticipates how the overlap between smart buildings, AI, and cybersecurity will continue to grow in importance over the coming years; (vii) recommends that the architects, engineers, contractors, owners, and operators of all smart buildings have a professional responsibility to become better educated about basic cybersecurity concepts; (viii) proposes that non-profit organizations such as ASHRAE, USGBC and GBI have an obligation to the public to incorporate cybersecurity standards into energy performance-based codes; and (ix) concludes with recommendations of practical next steps for smart building owners.

 

By the end of this presentation, you should be able to: (a) appreciate the history and key events in building cybersecurity; (b) understand the risks and best practices for smart buildings; (c) relate elements of cybersecurity to your responsibilities as a design or construction professional; and (d) effectively consider the implications of cybersecurity for the future of real estate assets.

 

Appendix A includes reference to incident report guidelines, and Appendix B includes the Quiz to qualify readers for the available Continuing Education Units (CEUs).

 

Keywords: smart buildings, green buildings, operational technology, building control systems, internet of things, artificial intelligence, cybersecurity, corporate risk, commercial real estate

 

History of the Smart Building Market

Singapore is one of the most sustainable cities in the world and is still innovating to increase its efficiency and alleviate its environmental impact today.

 

Smart or intelligent buildings can be generally defined as any building that uses technological automation to control building operations, including but not limited to heating, ventilation and air conditioning (HVAC), humidity, lighting, audio/visual, access control, security, and utility monitoring systems. According to this definition, there are many gradations of intelligence in buildings; some buildings are smart across all functions of the built environment, but most are selectively intelligent with a primary focus on controlling HVAC and electrical (energy-using) systems. The strongest use case for smart buildings is that better control leads to cost savings.

 

The historical and social context for the role of Western institutions in the modern green building movement starts around 1894 in New York City, with the founding of the American Society of Heating and Ventilation Engineers (ASHVE), an organization started by industrialists, engineers, and inventors who wanted to professionalize and expand the emerging field of heating and ventilation. From 1900-1930, ASHVE published scientific research on topics such as minimum ventilation rates, comparative studies of the efficiencies of various heating methods, laboratory studies in the performance of different building materials, experiments in minimum thermal comfort related to humidity and drafts and the latest concepts in mechanical cooling. This work was sponsored by major industrialists of the era and served as a key driver for the urbanization efforts in American cities like New York, Boston, Chicago and Philadelphia. In 1954, ASHVE merged with the American Society of Refrigerating Engineers (ASRE), which was started in Chicago in 1904 to focus on building science specifically around the latest in cooling methods. This merger resulted in the 1959 renaming of the organization as ASHRAE—the American Society of Heating, Refrigerating, and Air-Conditioning Engineers. 

 

In the 1920s, the English government began its own version of ASHVE, with the establishment of the Building Research Board (BRB), which had a mandate to scientifically study subjects such as building materials, fire safety, overcrowding, structural strength, thermal performance, durability, and sanitation standards. The BRB had similar motivations as ASHVE, mainly the development of local standards and codes to aid in the urbanization of industrial-era Britain. 

The BRB was later renamed the Building Research Establishment (BRE), in 1971.  

 

ASHRAE launched the first national, voluntary energy code (“Standard 90-75 Energy Conservation in New Building Design”) in 1975. This first energy code was a product of the times: a combination of technological improvements—in terms of the rise of electronics, computers and internet communications—and environmental concerns accelerated the development and implementation of energy-efficient technologies in the built environment.

In the 1980s, this interest in energy efficiency gave way to the first building automation systems (BAS). The global property boom of the late 1980s coincided with the implementation of the first applications of BAS for the purposes of energy efficiency. The internet boomed in the 1990s, which gave rise to a gold rush in everything digital—including digital building controls.

 

England began shaping an environmental advocacy–laden version of energy codes with the creation of the Building Research Establishment Environmental Assessment Method (BREEAM) in 1990 by the BRE. That same year saw the formation of the not-for-profit Green Building Initiative (GBI) in the UK, as a more user-friendly, less documentation-heavy version of the BREEAM standard based on an assessment questionnaire.

 

The US was not far behind in the conversation, with grassroots groups of environmental advocates and building professionals converging regularly around green building topics. In 1993, David Gottfried, an environmental lawyer, Rick Fedrizzi, then head of marketing at Carrier Global, an HVAC manufacturer, and Mike Italiano, an environmental attorney, incorporated the U.S. Green Building Council (USGBC) as a not-for-profit organization to connect and capitalize upon a combination of the environmental and energy savings movements in the United States. 

 

Throughout the 1990s, global HVAC equipment manufacturers such as Carrier, and building controls manufacturers like Johnson Controls, continued to drive the market for digital building technologies. This market for “green buildings” was promoted through strategic appeals to environmentalism and legitimized in the U.S. by legislative victories that required ASHRAE or Leadership in Energy and Environmental Design (LEED®) Certification and pushed energy codes forward at the municipal and state levels. 

 

At the turn of the century, the push for energy efficiency in the new construction market expanded into a similar push in the existing building world. ENERGY STAR, which was established in 1999 by the U.S. Department of Energy (DOE), became a way for building owners to quickly contextualize the performance of individual buildings against national performance averages for similarly typed and sized buildings in comparable climatic conditions. 

The typical smart building controls up to this point were driving reductions in energy usage for individual assets through the coupling of sensor technologies with centralized monitoring and controllability of temperature set-points, ventilation levels, lighting and operation schedules—all enabled by a spectrum of wireless communications embedded in physical devices, routed through the ether, and more or less consolidated and connected through BAS software. For an asset owner, investment in such smart controls could be reduced to simple cost benefit analysis. 

 

Green and smart buildings unlocked new educational opportunities for building professionals and the investment class. Architects, engineers, general contractors, trade installers, facilities managers, asset operators, consultants, end-users and owners all assumed some level of responsibility for the design, construction, retrofit, maintenance and operation of the new digitally enabled assets. Professional accreditation, such as the USGBC’s LEED Accredited Professional (LEED AP), became the standard way of communicating knowledge of the new reality. Throughout the late 2000s, it was becoming increasingly standard professional practice to design buildings with energy efficiency in mind, powered by standards and software simulations.
 

Energy efficiency was becoming an inarguable professional responsibility, but whether or not architects and engineers needed a third-party toll-taker to validate building performance was not agreed upon by everyone; how much the fees should be and who should benefit from those fees were questioned, especially by organizations that were competitive with the USGBC sponsors. Amid such questions, in 2004 the GBI expanded its Green Globes program from Europe into the U.S. market as a low-cost provider with less onerous third-party documentation requirements.

 

In 2006, the “green building industry” as a whole won a major coup with the Fireman’s Fund Insurance Company’s endorsement of Green Globes and LEED Certification programs as a path to 5% lower insurance premiums. This coup was followed by the 2007 incorporation of energy efficiency standards at the Federal level through President George W. Bush’s Executive Order 13423, Strengthening Federal Environmental, Energy, and Transportation Management, which broadly committed all Federal agencies to goals in energy efficiency and other areas.
 

Green and smart buildings unlocked new educational opportunities for building professionals. Architects, engineers, general contractors, trade installers, facilities managers, asset operators, consultants, end-users and owners all assumed some level of responsibility for energy-efficient or green buildings. A sea of professional accreditations, such as the GBI’s Green Globes Professional (GGP) and USGBC’s LEED AP, became the standard way of communicating knowledge of the new reality. Throughout the late 2000s, it was becoming increasingly standard practice across the board to design and operate buildings with energy efficiency in mind, powered by best practices, field audits and software simulations.

 

Between 1975 and 2006, the market for efficient building equipment, controls, software, accredited professionals, certifications and consultants ballooned, and not only for publicly owned and operated buildings. In that time period, ASHRAE had updated its U.S. energy codes six times, obligating American designers to a 40% more efficient baseline than where it started 32 years prior. In that same time, the International Code Council (ICC) had updated its own performance standards—also six times—through its Model Energy Codes (MEC) and later International Energy Conservation Code (IECC), although to a less aggressive 20% mandatory performance mark. Over those 32 years, the market capitalization for United Technologies Corporation (UTC), the parent company for Carrier Global, doubled from $33 billion to $66 billion. Johnson Controls (JCI), the key to running that equipment, had grown an astounding 30 times, from a $1 billion market cap in 1975 to a $30 billion market cap in 2006.

 

These three decades of major market growth led to a widening of the gap between traditional and smart buildings, leading some real estate investors to strategically claim smart or green buildings as a new asset class. Smart buildings were a different animal: This new class of buildings was enabled for automation by wireless sensor systems that connected previously separate mechanical and electrical components of the building into a coordinated BAS equipped with analytic and remote monitoring capabilities. This level of sophistication in controls made smart buildings a justifiable investment for global real estate developers and operators, whether in pursuit of better usability, energy efficiency, corporate environmental responsibility or returns.

 

In 2006, the green building movement found a new rallying cry with the development and promotion of scientific evidence for human acceleration of global warming, popularized by former Vice President Al Gore’s film An Inconvenient Truth (2006). Not only was it a matter of reducing energy consumption simply for the sake of efficiency, but it was also imperative to make those reductions in fossil fuel usage in order to reduce the impact of commensurate carbon emissions on the environment. In this same breath, the operation of existing buildings around the world became recognized as a major source of pollution, accounting for some 40% of the carbon emissions that were contributing to global warming. The worst perpetrators within the built environment were the worst-performing buildings lagging behind efficiency efforts.

 

Next, the market leaders expanded from new construction codes into mandatory performance for existing assets. As early as 2009, Washington, D.C., and New York state began to pass mandatory benchmarking codes requiring new and existing commercial assets to benchmark energy performance. These codes gave rise to the Energy Performance Contract Guaranteed Savings model, precursor to the contemporary Energy Savings Performance Contracts, where energy services companies (ESCOs) would underwrite net cashflow positive improvements for existing building stock based on the achievement of savings over time. 

 

By the 2010s, almost every state in the U.S. had adopted a statewide energy efficiency code except for Missouri, Mississippi, South Dakota and Wyoming. In 2016, 195 out of 198 Parties to the United Nations signed the Paris Agreement, a commitment to “hold global temperature increase below 1.5°C above pre-industrial levels” through emissions reductions. In order to maintain such a goal, it was calculated that global emissions would have to be cut by 50% by 2030. Governments, and the broader commercial market, responded to this goalpost by setting incremental commitments to net-zero emissions with goals extending into 2050 and beyond. In 2024, two studies, one published by the World Meteorological Organization, and the other by the Copernicus Climate Change Service suggested that the 1.5°C temperature increase limit had been surpassed. Despite breaking through the global temperature warning mark, governments and organizations throughout the world continue to observe incrementalist approaches to emissions reductions. 

 

The need for large-scale carbon reductions has spawned efforts by many owners and operators to consolidate data collection, analysis and reporting through remote monitoring programs. There are any number of broad and sector-specific private software-as-a-service models that offer interfaces for such aggregations. As long as the data for the individual assets is being sent to a BAS, those BASes can be set up to convey that data to the cloud, and that data can be aggregated into any number of real-time performance dashboards, some of which enable operators to not only read but also write scripts to optimize multi-asset performance.

 

Municipalities have started to apply the promise of collective control to the infrastructure of entire cities. The concept of the smart city offers the opportunity to capture, read and write at any aggregate level on top of all of the built environment assets connected inside of given municipal boundaries, including public buildings, traffic controls, public transportation, electric vehicle charging stations, water systems, waste disposal, private buildings, closed-circuit television (CCTV), self-driving vehicles and power supplies. Powered by smart grid infrastructure, such smart cities have been proposed as a wave of the future—using the internet of things (IoT) to collect and transmit data to enable more informed and responsive governance, reduce resource consumption, enable smart mobility, reduce traffic congestion and enhance the delivery of public services.

 

Cities around the world are already competing with each other to become the smartest cities. In the U.S., one analysis marks Atlanta, Boston, San Francisco, Washington, D.C., and Chicago as the top five smart cities, in that order. Funding for worldwide smart cities initiatives doubled between 2018 and 2023, from $81 billion to $189.5 billion, invested in that short five-year period. One forecast indicates that smart cities investment will grow to $3.73 trillion by 2030, with smart buildings–related technology alone accounting for $570 billion of that projected estimate.

Chicago is in the top five smartest cities in the United States, in part for its reliable grid infrastructure.

Ostensibly, the institutionalization of these larger scale smart building mechanisms provides a technological means for monitoring, reporting and prioritizing work to improve efficiencies and reduce emissions. Performance insights captured by smart buildings provide the data necessary to understand the impact buildings have on the grid and on climate. Whether the discussion revolves around energy security or environmental policy, it is clear that the smart controls market leaders are behind both energy security and environmental policy and will continue driving the real estate market forward.

 

The context surrounding the history and development of the smart buildings market helps set the stage for a focused conversation about the implications of technological adoption, because the implementation of technology is not without consequences. We will now see how smart devices that are misunderstood, misconfigured and mismanaged can lead to real operational liabilities including equipment downtime, loss of privacy and deeper network compromises—all of which can stem from failures to correctly design, specify or commission the security of those devices. 

 

Differences Between IT and OT

 

IT is information technology: technology that deals with networked digital information, like file storage, hosted websites, software applications and all kinds of databases. Traditional IT systems are made up of familiar and essential services like email, website hosting, database storage and access (customer data, financial information, etc.), internet access (including Wi-Fi), telecom (Voice over Internet Protocol, or VoIP, phones) and more. These systems are often composed of a number of Windows-based workstations, servers usually running Windows or Linux operating systems, network switches and routers, printers, onsite and cloud storage devices, and personal devices brought into the facility. To have a solid handle on an organization’s IT services, one needs to have skills in programming, networking, system administration and cybersecurity, as well as training in the Transmission Control Protocol/Internet Protocol (TCP/IP), Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP). IT systems and components must run to keep the enterprise operating and the employees productive. Downtime or compromise due to a criminal attack or data breach can result in lost revenue, corporate devaluation, decreased productivity, reputational damage, criminal liability, financial liability and other possible damages.

 

OT, or operational technology, is technology that pertains to operational assets. Some describe OT as IT plus physics. The OT landscape includes devices such as HVAC, occupancy sensors, fire alarms, elevators, lighting, security cameras, keycards, fish tank thermostats, digital signage and many other systems—just about any device that physically does something in a building. Often one or two Windows-based servers are used to interface with several embedded OT controllers throughout the building, which monitor and manage traffic for hundreds or thousands of edge devices, often with serial connections back to the embedded controller. To maintain a solid position on OT, one needs to have skills in electrical engineering, automation, system integration and instrumentation, plus training in building automation and control networks (BACnet), Modbus, DNP3, PROFIBUS, OPC and Ethernet protocols. Downtime in the OT world means physical processes can grind to a halt; the lights go out, doors may not unlock, spaces may see extreme temperature fluctuations, IT equipment may overheat, elevators could stop running, or the hoods over the kitchen range may stop evacuating smoke. In some environments, downtime or compromise due to criminal attacks or breaches can result in consequences as serious as those of IT-related issues, or worse.

 

Given the major differences in purpose, education, skills and training, IT and OT systems are not usually managed by the same teams. On the pure IT side, there are Network Administrators, Software Engineers and Cybersecurity Analysts. On the traditional OT side, there are Control Engineers, Supervisory Control and Data Acquisition (SCADA) Technicians and Automation Engineers. These professionals are operating in separate environments with separate budgets, teams and standards—hunting different risks.

 

Almost every organization of a certain size has some level of IT support, even if it is reliant upon outsourced or managed services. It would be unusual for any municipality, sizable professional services firm, retail chain, hospitality company, real estate investment trust or government contractor to not have at least one full-time IT professional on staff just to manage regular requests. However, the vast majority of even mature organizations with physical assets do not have anyone with an OT background on the team. Instead, the responsibility for managing connected devices is often assumed to fall on facilities management (FM) professionals, including in-house building managers and external vendors who have limited to no training in the necessary protocols or cybersecurity standards. This is due in part to the fact that for a long time the assumption has been that building equipment and connected edge devices are to be managed only from a simple mechanical—not from a networked or cybersecurity—perspective. 

 

This assumption—that cybersecurity in smart buildings is always someone else’s job—has gone relatively unnoticed in the commercial and industrial real estate industries, even as the smart building market has matured. This gap has led to OT cybersecurity-related network assets becoming an unmanaged no-man’s-land that no one is responsible for. CISOs, and other responsible parties, are increasingly placed in situations where the organization has a stack of physical assets that have been accumulating decades’ worth of connected OT devices in unknown locations with unknown provenance, undocumented settings, potential dependencies and interconnections into other aspects of the organization’s network, leaving no one the wiser.

 

This huge operational knowledge-gap within the real estate industry’s existing building stock is only exacerbated by the total absence of OT standards or best practices within the energy codes and green building standards used to construct new buildings. Energy codes in many states practically require connected devices in order to meet energy efficiency standards, and third party green building certification programs such as LEED and Green Globes reward project owners, designers and construction teams for achieving superior energy performance, but none of these standards consider how the same properties that are celebrated for their environmental sustainability can contain a number of security vulnerabilities due to the misconfiguration and mismanagement of those smart devices and their networked settings. The acceleration of the mandatory incorporation of smart controls into the built environment for new and existing individual assets might have noble goals in terms of energy and environmental performance, but unfortunately is missing the mark in terms of protecting human security. 

 

The next section looks at several of the known attacks on controls and other connected devices in order to familiarize the reader with typical attack vectors and weaknesses in smart buildings. These examples will demonstrate that attacks on smart building systems can be significant and impact privacy, health and safety. This will give us context to turn our attention to the existing landscape of standards for design, construction and installation of cybersecure systems.


 

Known Attacks on Smart Buildings

 

The vast majority of cybersecurity breaches are not reported. It is estimated that only 10% of breaches are reported to law enforcement, and 40% are not even reported to the internal leadership of the affected organizations. It is common to believe that reporting is not necessary, could affect the organization’s reputation, or may result in other unintended damage. 

 

Critical Infrastructure: Volt Typhoon 

 

The ongoing Volt Typhoon campaign is the most current and highest profile example of a national-scale, behind-the-scenes, long-term exploitation of smart building systems and telecommunications networks by a U.S.-designated foreign adversary. The recent U.S. disclosure of the nefarious extent of these covert Chinese state–affiliated threat group programs has served as a major wake-up call to professionals in the critical infrastructure and telecommunications industries.

Volt Typhoon’s program focuses on quietly infiltrating critical infrastructure across the United States, including transportation, water, energy and communication systems. What sets this campaign apart is its method and intent: Attackers use “living off the land” techniques, blending into normal network traffic and exploiting legitimate administrative tools rather than deploying malware, making detection difficult. 

The goal of this program is not immediate sabotage. Instead, Volt Typhoon’s activity suggests a long-term strategy of pre-positioning, quietly embedding itself within operational networks to establish persistent access. In doing so, the attackers are believed to be mapping out vulnerabilities in U.S. infrastructure—possibly to disrupt or disable it during a future geopolitical conflict.

Among the systems targeted are building automation networks, power distribution systems and other operational technologies often overlooked in traditional cybersecurity postures. These systems, designed for efficiency and remote control, effectively serve as soft targets—rarely monitored with the same rigor as enterprise IT, but just as critical to real-world resilience.

The Volt Typhoon campaign reflects a growing trend: Adversaries see smart infrastructure not just as collateral but as strategic terrain. Infiltrating HVAC controllers, security systems and Building Management Systems (BMSes) is no longer about short-term gains—it’s about preparing the long-term battlespace.

The Volt Typhoon operation illustrates that in the age of cyber-physical convergence, infrastructure isn’t attacked as an afterthought—it’s attacked as a tactic. And in that context, smart buildings must not only be efficient—they must be secure, monitored and ready.


 

Critical Infrastructure: Colonial Pipeline

 

The 2021 Colonial Pipeline cyberattack revealed how interconnected and interdependent critical infrastructure has become—and how vulnerabilities in digital systems can have sweeping real-world consequences, even in the physical supply chain. At 5,500 miles in length, running from Houston, Texas, to the Port of New York and New Jersey, the Colonial Pipeline is the largest pipeline system for refined oil products in the U.S.

In this incident, attackers from the ransomware group DarkSide infiltrated Colonial Pipeline’s corporate IT network through a compromised password to a legacy account. While the OT that controls the flow of fuel was not directly breached, the company proactively shut down pipeline operations to contain the threat—halting the delivery of fuel to half of the U.S. East Coast.

The resulting disruption triggered panic buying, fuel shortages and economic ripple effects, with long lines at gas stations and price spikes across several states. Colonial Pipeline Company ultimately paid a $4.4 million ransom, highlighting the high-stakes decision-making organizations can face when cyberattacks impact core business continuity.

This event starkly illustrates how digitally enabled infrastructure—whether pipelines or smart buildings—requires holistic cybersecurity approaches that span both IT and OT systems. Though the initial breach was through a relatively mundane IT weakness, the downstream effect impacted critical physical infrastructure, blurring the line between cyber risk and public services.

 

Education: IoT Attack on a U.S. University

 

A 2017 botnet cyberattack on an unnamed U.S. university, carried out through a group of interconnected devices, served as a wake-up call to the hidden risks embedded in unmanaged IoT ecosystems. In this incident, thousands of connected devices—including smart vending machines, lighting systems, and campus appliances—were hijacked and weaponized into a coordinated botnet that overwhelmed the university’s network.

The attackers exploited default credentials on these devices, which were connected to the same network used for core university services. Once compromised, the devices were used to flood the institution’s domain name system (DNS) servers with traffic, slowing or disabling access to critical academic and administrative resources including course registration, email, and learning platforms. Though no data was stolen, the disruption was significant and prolonged.

This attack illustrates a core risk of modern smart environments: the convergence of operational and information technology without adequate security segmentation or lifecycle management. Many of the devices involved had been deployed with factory settings, unpatched firmware, and no centralized monitoring—creating an invisible yet exploitable campus-wide attack surface.

This attack was not a failure of academic IT—it was a failure to recognize that cybersecurity in the built environment must encompass every connected device, no matter how operational or mundane. As buildings and campuses grow more intelligent, the need for comprehensive cyber-physical security grows not just in complexity—but in urgency.
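
The kind of centralized monitoring whose absence this case describes can start with DNS query logs. The following is an added example, not part of the original article: a per-device sliding-window counter that flags IoT-segment sources querying DNS far faster than a sensor or appliance should. The subnet, thresholds, log format and sample lines are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed addressing plan (hypothetical): campus IoT devices live in this subnet.
IOT_NET = ipaddress.ip_network("10.50.0.0/16")
WINDOW_SECONDS = 10   # sliding window length
MAX_QUERIES = 20      # assumed per-device ceiling inside one window


def parse_line(line):
    """Parse 'epoch_seconds src_ip qname' into (float, ip_address, str)."""
    ts, src, qname = line.split()
    return float(ts), ipaddress.ip_address(src), qname


def find_dns_flooders(lines, window=WINDOW_SECONDS, limit=MAX_QUERIES):
    """Return {src_ip: peak_queries_in_window} for IoT sources over the limit.

    Lines must be in chronological order per source device.
    """
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peaks = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, _qname = parse_line(line)
        if src not in IOT_NET:
            continue              # workstations and servers are out of scope here
        stamps = recent[src]
        stamps.append(ts)
        # Drop timestamps that have aged out of the window.
        while stamps and ts - stamps[0] > window:
            stamps.popleft()
        if len(stamps) > limit:
            key = str(src)
            peaks[key] = max(peaks.get(key, 0), len(stamps))
    return peaks


def build_sample_log():
    """Constructed sample: one quiet controller, one vending machine in a query storm."""
    lines = ["# constructed sample data, not from a real incident"]
    for i in range(5):            # lighting controller: one lookup a minute
        lines.append(f"{1000 + 60 * i} 10.50.1.20 time.example.edu")
    for i in range(50):           # vending machine: 50 lookups in about 5 seconds
        lines.append(f"{1100 + i * 0.1:.1f} 10.50.7.33 host{i}.example.net")
    lines.append("1101.0 10.10.0.5 mail.example.edu")   # non-IoT workstation
    return lines


if __name__ == "__main__":
    for src, peak in find_dns_flooders(build_sample_log()).items():
        print(f"{src}: {peak} DNS queries within {WINDOW_SECONDS}s")
```
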

 

Entertainment: Fish Tank Attack in Vegas

 

The 2017 cyberattack on a Las Vegas casino demonstrated that even the most seemingly benign smart devices—such as a connected fish tank thermometer—can serve as covert entry points for adversaries seeking to exploit digital infrastructure.

In this case, attackers breached the casino’s corporate network through an internet-connected smart thermometer installed in a decorative lobby aquarium. Once inside, the device served as a pivot point—allowing the attackers to move laterally through the internal network, identify a high-value database and exfiltrate 10 gigabytes of sensitive data back out through the same device connection, effectively bypassing the IT department’s standard security perimeters.

An IT department’s standard security perimeters may be bypassed by a smart thermometer in an aquarium without proper care.

Though the attack did not disrupt operations or affect guests directly, it revealed a critical failure in the segmentation and monitoring of operational technology within the building ecosystem. The example shows how unmonitored, internet-exposed devices in public-facing spaces can provide attackers with low-friction access to sensitive digital assets. The fish tank itself seemed innocuous, as it was designed for comfort and aesthetics, not cybersecurity. Yet its broader connectivity to the rest of the network, unmanaged and unsecured, made it the softest spot in an otherwise hardened chain that ultimately exposed sensitive corporate data.

 

Hospitality: Weakest Link Attack in Vienna

 

The 2017 cyberattack on the Romantik Seehotel Jägerwirt in Vienna, Austria, revealed how conveniences such as keyless entry, when poorly secured, can expose critical building functions to malicious disruption—turning guest services into leverage in a digital extortion.

The Vienna hackers exploited a simple vulnerability in the openness of an IoT device: a wireless-enabled keycard system. The keycard system was online, network connected and had visibility into the rest of the BMS/BAS. Hackers gained easy access to the unsecured device and used that device-specific access to infiltrate connected internal systems; the unauthorized party then took control of the keycard-based door-locking infrastructure, locked guests out of their rooms, disabled the reservation system and demanded a ransom to restore functionality. With new guests arriving and operational systems frozen, hotel management paid the ransom on the spot, citing the practical urgency of restoring access during peak ski season.

Though no physical harm occurred and traditional keys remained available for emergency use, the symbolic consequences were significant. This wasn’t merely an IT incident—it was a disruption of core operational technology embedded in the physical building environment. The attack blurred the lines between information security and hospitality infrastructure, illustrating how the simplest smart access systems—when connected without proper rate limits, segmentation, encryption or redundancy—can be turned into critical vulnerabilities.

 

Multifamily: Cold Nights in Finland

The 2016 distributed denial-of-service (DDoS) attack on a Finnish apartment complex’s heating system revealed how smart building technology, when poorly secured, can threaten the basic safety and habitability of a space. 

Valtakatu, Lappeenranta, Finland has an average low temperature of 14°F and high of 23°F in January, its coldest month of the year.

In this case, two buildings in Lappeenranta, Finland, experienced repeated shutdowns of their central heating system in the middle of winter. The root cause wasn’t a mechanical failure—it was a targeted DDoS attack on the building’s internet-connected HVAC control system, which overwhelmed the automation servers with traffic, causing them to repeatedly crash and reboot. Each reboot temporarily disabled the heating system, rendering the buildings cold and uninhabitable during sub-zero temperatures. While the attackers likely had no specific motive tied to the building itself—possibly using it as part of a broader automated campaign—the operational consequences were immediate and severe. Residents were left without heat in dangerous conditions, and building managers had to manually override the automated systems. 

The attackers used a seemingly innocuous vector—a connected HVAC controller—as a target that was able to cause damage to the larger asset. This is a demonstration of how something as simple as a single misconfigured device, which is internet-enabled and connected to other devices, can translate directly into physical discomfort and life safety risks. With this example, we begin to consider how few property management organizations have cybersecurity practices in place, let alone cybersecurity for building controls and other operational building technologies.

 

Office: Anyone’s Guess—Google Australia’s BMS

We might rationalize the above hospitality and multifamily incidents as an example of oversight by a retailer that did not prioritize digital security, but as this next case study shows, it can happen to anyone—even Google. In 2013, there was a high-profile intrusion into Google Australia’s Sydney offices via an unguarded building management system that was easily accessed from the public lobby.

The BMS in this building, which controlled all heating and cooling functions in the building, had been installed with default credentials and left unpatched, exposing it to remote login attempts. Attackers on the public wireless network found the BMS in a scan and were able to crack the administrative password that was ironically set to “anyonesguess.” Though the system did not provide access to Google’s core IT assets because it was properly segmented, the attackers were granted the authority to interact and remotely control all of the building’s core functions.

Even a company known for top-of-the-line technological sophistication had failed to consider proper cybersecurity hygiene for its smart building systems. The disconnection between design, controls installation, commissioning, building operations and security led to an event that could have become a significant loss incident. Again—at any point, had there been awareness, any one of the building engineers on the team could have specified proper security practices or witnessed correct configuration of the smart building systems.

Google responded by promptly disconnecting the compromised BMS from the internet. No operational damage was reported. But the event triggered broader industry reflection on the assumed invulnerability of smart commercial properties. The symbolic implications were profound. Anyone, even Google, can overlook the cybersecurity posture of their physical environments. The event still serves as a cautionary tale for building professionals, underscoring the need to treat OT systems as part of a broader cybersecurity strategy and highlighting that connectivity without security does not create intelligence—it creates exposure.

 

Retail: Target’s HVAC Attack
 

At first glance, HVAC and IT systems might appear unrelated. But as the infamous Target data breach shows, smart buildings that use connected networks to monitor and optimize operational performance can create vulnerabilities when OT cybersecurity is treated as an afterthought. 

 

In this case, attackers gained access to Target’s corporate network through credentials given to a third-party HVAC vendor. That vendor had been granted remote access to Target’s building automation systems for ongoing commissioning services—routine maintenance and energy efficiency monitoring—that are increasingly standard in large retail facilities that aim to reduce energy costs across their portfolios. The problem was that the network that ran the connected building devices was not properly segmented from the greater network. So the attackers were able to use HVAC vendor credentials to move laterally into the organization’s payment systems.

The attackers used this vulnerability to install malware across point-of-sale systems in hundreds of stores nationwide. Over 40 million credit and debit card numbers and 70 million personal records were compromised—resulting in more than $200 million in damages, and an even greater loss of public trust. Target’s IT department had not suspected that building automation controls—that were tacked on the OT side of the fence—had been improperly segregated and secured. The controls contractors that installed the networked devices and the operator of the smart building data aggregation platform also had not considered proper network hygiene, and there were probably any number of AEC professionals on the team, including the third-party vendor that was hired for the ongoing commissioning service, that did not properly assess risk.

This event is a large-scale enterprise example of the persistent and systemic misperception that building controls are merely passive energy-saving tools and not potential attack surfaces. In reality, every connected thermostat, lighting controller or elevator panel is a node—part of an expanding web of endpoints that must be architected, monitored and protected like any critical digital infrastructure. This breach was not about a failure of technology; it was about a failure to design and manage that building technology with its risks in mind. At any point, any of Target’s building management stakeholders could have prevented harm, if only they had the proper awareness.

 

Ongoing Siegeware Attacks

 

Unlike traditional ransomware, which encrypts data, siegeware attacks target the functionality of physical systems, holding control of a building’s environment hostage until a ransom is paid.

Even something as typical as a semi-automated lighting system can be compromised in a cyberattack.

A siegeware attack compromises a BAS and threatens to disable, disrupt or manipulate critical functions—not by stealing data, but by locking out legitimate operators from essential building controls. These attacks often leverage weak or default credentials, outdated firmware or exposed remote access ports to gain initial access. Once inside, the attacker can manipulate temperature settings, disable fire alarms, shut down elevators or block physical access, creating urgent and sometimes dangerous conditions.

Siegeware has been observed in commercial offices, luxury condominiums, hotels and healthcare facilities—settings where comfort, safety and uptime (the period of time a computer, system or service has been continuously running and available) are not just amenities, but expectations. For example, an attacker might threaten to disable climate control in a data center, shut off HVAC in a senior living facility during a heatwave, or lock a hospital’s access control systems during an emergency—all unless a ransom is paid, typically in cryptocurrency.

These attacks often go unreported, but cybersecurity professionals have documented several cases where building operators were extorted via email or phone, forced to choose between paying a ransom or compromising tenant safety and building reputation.

The rise of siegeware illustrates a fundamental shift in the cyber threat landscape: Buildings themselves are now targets. The risk is not about information loss, but operational paralysis and reputational damage, particularly for high-profile or mission-critical facilities. Unlike data breaches, the consequences of siegeware are immediate, physical and hard to ignore.

In smart buildings, OT is no longer passive infrastructure—it is an active attack surface. Protecting it requires more than firewalls and passwords. It demands a security-first approach to system architecture, vendor management, remote access and incident response.

Ultimately, siegeware attacks underscore that cybersecurity is now a standard condition for building occupancy. If a building can be held hostage by someone on the other side of the world, then cybersecurity is not a technical concern—it is a core operational responsibility.

 

Incident Takeaways

 

The major incidents described in the above section demonstrated many different kinds of OT attacks that can be grouped under three major vulnerability categories: “weakest link” (Finland Apartment Complex, Las Vegas Fish Tank, Vienna Hotel, Volt Typhoon); “default device settings” (Google, John Doe University); and “unsegmented connected networks” (Target). These incidents also highlighted a range of consequences of insecure OT systems: disruptions to normal building functions (Google, Vienna Hotel, John Doe University); loss of private data (Las Vegas Fish Tank, Target); disruptions of critical infrastructure (Colonial Pipeline, Volt Typhoon); and risks to physical safety (Finland Apartment Complex). The next section looks at the existing public and private standard landscape for cybersecurity in buildings and sets the stage for later evaluation of some of the common disconnections between building design, construction, installation, operations and asset management teams.
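The three vulnerability categories above can be checked against a building's own asset inventory and firewall policy. The following is an added example, not part of the original article: the device names, zone names and allow rules are constructed, and mapping "weakest link" to internet exposure is an assumption made for illustration.

```python
"""Added example: audit a constructed OT inventory for the three categories."""
from collections import deque
from dataclasses import dataclass

WEAKEST_LINK = "weakest link"
DEFAULT_SETTINGS = "default device settings"
UNSEGMENTED = "unsegmented connected networks"


@dataclass(frozen=True)
class Asset:
    name: str
    zone: str                # network segment the device lives in
    internet_exposed: bool   # reachable from outside the building network
    default_creds: bool      # still using the factory username/password
    critical: bool = False   # sensitive data or an essential building function


# Constructed inventory; device and zone names are hypothetical.
INVENTORY = [
    Asset("lobby-aquarium-thermometer", "ot-lobby", True, False),
    Asset("hvac-controller", "ot-hvac", False, True),
    Asset("keycard-server", "ot-access", False, False, critical=True),
    Asset("pos-database", "payments", False, False, critical=True),
    Asset("lighting-gateway", "ot-isolated", False, False),
]

# Constructed firewall policy: zone -> zones it may open connections to.
ALLOWED = {
    "ot-lobby": {"corp"},
    "ot-hvac": {"vendor-remote", "corp"},
    "vendor-remote": {"ot-hvac"},
    "corp": {"payments", "ot-access"},
    "ot-isolated": set(),
}

# Same policy after segmentation: OT zones no longer reach the corporate zone.
SEGMENTED = {**ALLOWED, "ot-lobby": set(), "ot-hvac": {"vendor-remote"}}


def paths_to_critical(start, allowed, critical_zones):
    """Breadth-first search over allow rules from `start`.

    Returns {critical_zone: [zones on the shortest path]} for every critical
    zone a foothold in `start` can reach, including through other zones.
    """
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in sorted(allowed.get(zone, ())):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    paths = {}
    for target in critical_zones:
        if target != start and target in parent:
            path, node = [], target
            while node is not None:
                path.append(node)
                node = parent[node]
            paths[target] = path[::-1]
    return paths


def audit(inventory, allowed):
    """Label each asset with the article's vulnerability categories."""
    critical_zones = {a.zone for a in inventory if a.critical}
    report = {}
    for asset in inventory:
        findings = []
        if asset.internet_exposed:
            findings.append(WEAKEST_LINK)
        if asset.default_creds:
            findings.append(DEFAULT_SETTINGS)
        paths = paths_to_critical(asset.zone, allowed, critical_zones)
        if paths:
            findings.append(UNSEGMENTED)
        report[asset.name] = {"findings": findings, "paths": paths}
    return report


if __name__ == "__main__":
    for label, policy in (("current", ALLOWED), ("segmented", SEGMENTED)):
        print(f"--- {label} policy ---")
        for name, result in audit(INVENTORY, policy).items():
            print(name, result["findings"])
            for path in result["paths"].values():
                print("    path:", " -> ".join(path))
```

Under the segmented policy the exposure and default-credential findings remain, but neither device has a path to a zone holding critical assets.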


 

Current Building Cybersecurity Design, Construction and Operation Standards

 

The connected devices that enable smart buildings create an attack surface that can and will be exploited in order to steal sensitive information, disrupt critical systems and extract ransoms. However, despite the clear and present danger, international building codes and standards have so far placed scant emphasis on cybersecurity considerations. This section looks at how much, or how little, existing building codes and standards have considered cybersecurity for control systems.

 

International and National Construction Codes and Standards

 

The International Building Code (IBC) and International Existing Building Code (IEBC) developed by the International Code Council (ICC) are the major standards for new and existing facilities worldwide. Neither of these codes currently includes any cybersecurity requirements. These standards have been developed in order to create a global program for safety in the built environment, but that definition of safety only includes preventative solutions to physical threats such as fire, structural and egress. As of this writing, the ICC has yet to incorporate standards around digital threats, which in many cases can lead to physical threats and physical damage. 

 

In the United States, the National Fire Protection Association (NFPA) has started to touch on cybersecurity for networked fire alarm systems including NFPA 72 (National Fire Alarm and Signaling Code) and NFPA 731 (Standard for the Installation of Electronic Security Systems). These standards have at least begun to provide prescriptive recommendations that improve system integrity in order to prevent unauthorized access and preserve functionality of alarm systems.

 

Additionally, the National Electrical Code (NEC), also known as NFPA 70, does not yet have any explicit cybersecurity provisions, but it has indirectly started to support cybersecurity by requiring safe power supply to sensitive systems. Ostensibly, the language of “safe power supply” can serve as a future gateway to an elaborated security requirement that includes direct cybersecurity requirements.

 

ASHRAE provides two basic guidelines for cybersecurity in buildings. Guideline 135 (BACnet) defines requirements around a key protocol for building automation, and includes network security features such as encryption and authentication. Guideline 13 provides best practices for specifying building automation systems, including cybersecurity measures.

 

U.S. Department of Defense Standards 

 

U.S. Department of Defense (DOD) projects have the most stringent requirements for cybersecurity for facilities-related control systems. Unified Facilities Guide Specifications (UFGS) Section 25 05 11 Cybersecurity for Facility Related Control Systems (FRCS) sets clear guidelines for the design, authorization, specification, construction and operation of connected devices, including, but not limited to HVAC, fire alarm, utility monitoring, audio/visual, building automation and control systems. At the DOD, every new construction project that includes connected devices is required to comply with this specification, which has been built on top of the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF), NIST SP 800-82 (Industrial Control Systems), and NIST 800-53 (Cybersecurity Controls). Further, in August 2025 CISA released the Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators, which is broadly applicable to the defense of all OT environments and additionally includes sector specific taxonomies for the energy, water and wastewater, oil and gas, and electricity sectors, which have been particular targets. 

 

Green and Smart Building Certification Programs

 

Green building certification programs, such as LEED and Green Globes, emphasize the importance of energy efficiency, which often requires smart control systems. However, these programs do not yet consider the cybersecurity risks associated with smart buildings. Similar to how the ICC only considers physical safety, green building certification programs mainly consider environmental and human safety. Among global building certification programs, only the WiredScore program places sufficient emphasis on cybersecurity in the built environment. 

 

WiredScore is a program that certifies digital connectivity in high-performance buildings. They assess and certify buildings based on digital infrastructure, including measures to protect against cyberattacks, physical damage and natural disasters. The WiredScore assessment methodology includes evaluation of the measures that a building has in place to prevent and mitigate cyberattacks by virtue of privacy controls, network security and incident response plans. WiredScore also integrates with SmartScore certification, which focuses on smart building operations. The explicit link that WiredScore is making to smart buildings, connected buildings and cybersecurity makes sense—as evidenced by their growth as a global program.

 

Resilience and Cybersecurity 

 

While cybersecurity as a singular consideration may not have yet made its way into standard building codes, there is hope that the field might be captured in future planning around resilience. Indeed, resilience is one of those catch-all terms that means different things to different people. Everyone in the three worlds of building design, building construction and infrastructure knows that resilience is good, but there is not yet agreement on what is resilient.

 

Resilience in the Design Industry

 

In the building design world, resilience is conventionally associated with protection from the environment in terms of the protection of assets from extreme weather events. The IBC includes resilience-related requirements for structural integrity, wind, seismic and flood loads, which directly support the physical resilience of assets. The IEBC includes similar considerations for retrofitting buildings that may be subject to environmental hazards. The International Residential Code (IRC) also includes minimum design standards for single-family dwellings. 

 

On the smart building side of the fence, resilience is often linked with energy efficiency. The IECC, which has been adopted by most of the United States, is beginning to include language that contextualizes energy efficiency as a matter of resilience to extreme weather and grid outages. The concept of passive survivability has risen as the idea that buildings should be able to maintain habitable conditions during power loss. 

 

In 2012, the architecture firm Perkins&Will developed a building certification rating system called RELi to integrate “resilience planning” into high-performance building design projects. The RELi system, which has since been acquired by the USGBC, is a resilience-focused system that emphasizes disaster preparedness, social cohesion, risk mitigation and recovery. It is meant to be used in conjunction with IBC and IECC for enhanced resilience planning in design. 

 

The USGBC has begun to incorporate resilience into the LEED rating system. The latest version, LEED v5, requires resilience as a prerequisite for certification. The required assessment is meant to evaluate how sites might be affected by current and future climate hazards such as flooding, hurricanes, wildfires and heat waves. It is meant to help project teams identify and understand the natural vulnerabilities to buildings and their occupants. LEED v5 for Building Design and Construction includes credits focused on resilience, such as Resilient Site Design, Resilient Envelope and Infrastructure, and Resilient Ventilation System Design. LEED v5 for existing Building Operations and Maintenance includes credits focused on Operational Planning for Resilience and Health and Well Being during adverse and extreme events. 

 

The Green Building Initiative also incorporates resilience into its mission through the Green Globes certification system and the Distinction in Resilience, which recognizes buildings that demonstrate efforts and compliance with best practices for creating a resilient built environment. The resilient design best practices referenced by the GBI include Durable Materials, Passive Survivability, On-site Resources, and Considering Climate Risks based on project locations. 

 

Resilience in the Critical Infrastructure Industry

 

Water systems are among the sixteen critical infrastructure sectors.

Among critical infrastructure and national security professionals, the term resilience is associated with protection from environmental and non-environmental threats, including crime, terrorism, pandemics, supply chain interruptions and, increasingly, cybersecurity incidents. As a matter of definition at the Federal level, the U.S. Department of Homeland Security (DHS) considers resilience as the ability to “prepare for and adapt to changing conditions and withstand and rapidly recover from disruption.” There are more than a few Federal policy directives, mandates, plans and orders that address resilience from this national security point of view. Presidential Policy Directive PPD 21: Critical Infrastructure Security and Resilience mandates that DHS lead efforts to strengthen the security and resilience of the assets, systems and networks in the 16 critical infrastructure sectors (chemicals, commercial facilities, communications, critical manufacturing, dams, defense, emergency services, energy, financial, food and agriculture, government, healthcare, information technology, nuclear, transportation and water systems). The National Infrastructure Protection Plan (NIPP) 2013: Partnering for Critical Infrastructure Security and Resilience provided an earlier framework for encouraging “all-hazards” strategies that integrate physical, cyber and human factors. DHS’ own strategic plan for 2020–2024 identified resilience as a mission objective: to increase national capacity to withstand and recover from cyber and physical threats, and to strengthen resilience communities, systems and supply chains. Most recently, the 2025 Executive Order 14239: Achieving Efficiency Through State and Local Preparedness indicates that the EO was established “to empower states, localities, and citizens to more effectively prepare for incidents like cyber attacks and weather events.” 

 

The inclusion of resilience as a priority in national security planning documents, and the clear “all-hazard” language used across the DHS and the White House orders, indicate that there is a growing interrelation between digital and physical infrastructure. The recognition of the issue, and the basis for a strategic connection, is there. It is only that the relationships between cybersecurity, resilience and the built environment have not yet been communicated to, or absorbed by, the everyday design professionals and the standards-creating organizations that are on the frontlines of implementing cyber-physical resilience as a practice.

 

 

Professional Disconnects

 

Cybersecurity resilience has not yet made it to the stage in the design and construction world because, unlike the other factors, it is not clear who bears professional responsibility for implementing cyber-physical measures. Wind protection can point to the structural engineer; fire protection to the fire protection professional; protection from energy downtime to the mechanical and electrical engineers; physical security to the materials and access control suppliers. The architect can specify the requirements, and the contractor can take responsibility for installation, implementation and quality control. All of these disciplines already have a seat at the table, and they already have the training, but mention the responsibility for cybersecurity in a design or construction meeting, or to an equipment supplier, and all eyes will roll. No one on the team wants to bear the liabilities associated with cyber-physical systems. The technical training is lacking on the whole. The security of cyber-physical systems is invariably relegated to the purview of the owner as an “operational problem” to deal with after the final building is turned over.

 

Of course, it is ineffective to kick the proverbial can. The owner is not going to rewire the building. The connected devices that have been installed are not going to be uninstalled. No one is going to resequence building controls. The ports that are open are going to stay open. WiFi- and Bluetooth-enabled devices will remain WiFi and Bluetooth enabled. Unsecured devices are probably going to remain unsecured. No one is going to change the way that controls and automations are networked into the building. If the building is totally run on one server, then that is a convenience for the IT department, right? The building’s management and mechanical engineers are not going to touch this stuff. Inevitably, cyber-physical security becomes a matter for the owner’s IT department, which becomes its own game of kick the can.

 

As we read earlier, there are significant differences between IT and OT: 

 

“IT is information technology; technology that deals with networked digital information—like file storage, hosted websites, software applications and all kinds of databases. Traditional IT systems are made up of familiar and essential services like email, website hosting, database storage and access (customer data, financial information, etc.), internet access (including Wi-Fi), telecom (VOIP phones), and more.” 

 

“OT, or operational technology, is technology that pertains to operational assets. Some describe OT as IT plus physics. The OT landscape includes devices such as HVAC, occupancy sensors, fire alarms, elevators, lighting, security cameras, keycards, fish tank thermostats, digital signage and many other systems—just about any device that physically does something in a building.”

 

Per these differences, building management would be making an operational mistake to relegate cyber-physical planning, operations and security to the IT staff. Even cybersecurity-trained IT professionals may not have the interdisciplinary knowledge necessary to diagnose and adjudicate OT system issues. Just because the IT cybersecurity professional understands network vulnerabilities does not mean that they understand building controls. Those are two different worlds. This is not a shortcoming of their profession, it is a disciplinary boundary: IT deals with the assets in the cloud and someone else deals with the physical assets. 

 

Building ownership understandably finds itself in a no-man’s-land for cyber-physical systems: architects, engineers and construction professionals are not responsible; building maintenance engineers and managers are not responsible; and the IT department is not responsible for the cyber-physical risks. Further, building codes are not responsible; disciplinary standards are not responsible; and building certification programs are not responsible. National policies, plans and orders might prioritize “resilience” on paper, but when no one is responsible, risk prevails. 

 

Military Precedent for Civilian Cyber Code 

 

To be fair, cyber-physical security is relatively new to the building industry. Even the Department of Defense has only recently, within the last eight years, started to incorporate Cybersecurity for Facilities Related Control Systems into its Unified Facilities Guide Specifications. It was not until 2017 that the DOD released Unified Facilities Criteria (UFC) 4-010-06: Cybersecurity of Facility Related Control Systems, as design criteria for architectural and engineering teams. That UFC was followed by UFGS 25 05 11: Cybersecurity for Facilities Related Control Systems on November 1, 2017 and at that moment became a contractual requirement. If there were a demonstrable basis for a specification for cyber-physical system security, this would be it.

 

Accordingly, there is a high likelihood that the future incorporation of cybersecurity into building codes would have a basis in this proven military doctrine. This would not be an unprecedented development for a building code to start on base. There are several historical examples of built environment practices that have followed a military-to-civilian standards pathway. 

 

Seismic Design Detailing

 

The DOD began requiring ductility and confinement detailing for seismic areas in the 1940s, expanding into the 1970s. In 1976, the Uniform Building Code (precursor to International Building Code) adopted detailed seismic provisions. In 2000, the IBC integrated American Society of Civil Engineers (ASCE) standard 7: seismic detailing as a requirement, which deals with minimum design loads, including seismic loads. 

 

Fire Protection for Munitions and Explosives

 

In the 1960s, the DOD incorporated DOD Ammunition and Explosives Safety Standards. The NFPA followed suit with separation and hazard classification rules for civilian buildings much later, in 2012.

 

Hurricane Hardening 

 

In the 1970s and 1980s, Navy and Air Force bases in hurricane-prone areas began incorporating missile-impact resistance and enhanced wind load design into design standards. In 1988, Florida Building Code adopted windborne debris standards; ICC incorporated storm shelter standards in 2008. 

 

SCIF Physical & Technical Security

 

The DOD issued specifications for Sensitive Compartmented Information Facilities (SCIFs) in the 1990s. ASTM incorporated similar guidelines in the 2010s. 

 

Blast-resistant Design

 

In 2002, the DOD issued UFC 4-010-01: Minimum Antiterrorism Standards, in response to the bombing of the Khobar Towers (1996) and the USS Cole (2000). Progressive collapse/blast design concepts began appearing in GSA contracts in 2003, and in the civilian ASCE 59 standard in 2011, followed by 59-22, which "provides minimum requirements for planning, design, construction, and assessment of new and existing buildings subject to the effects of accidental or malicious explosions."

 

Progressive Collapse Prevention

 

In 2003, DOD incorporated detailed progressive collapse-resistance criteria in the UFC. Between 2005 and 2010, ASCE 7 introduced similar provisions. IBC referenced progressive collapse prevention requirements for certain occupancy types in 2009.

 

The above cases demonstrate that there is precedent for translation of military standards into civilian standards. In each of these cases, for physical systems, there was a five- to ten-year standard adoption gap, during which time the military released a standard and one of the civilian trade associations decided to take ownership of that specification. Ostensibly, the code cycle for cyber-physical systems will follow that same path. If current action is any indication of future results, one might predict that ASHRAE—via incorporation of basic cybersecurity standards into Standard 135 and Guideline 13—is likely to be the trade organization that steps up to the plate. 

 

Emerging Professional Responsibilities 

 

Federal cybersecurity standards exist in UFGS Division (DIV) 25, which, according to the Construction Specifications Institute (CSI), is the section for “Integrated Automation.” On a regular project that does not have any particular penchant for cybersecurity, DIV 25: Integrated Automation is the section where one would find the specifications for integration of connected devices—including but not limited to HVAC, lighting, security, fire protection, electrical systems, building controls and building automation systems—into one unified, functional whole under a single automation control platform. DIV 25 also typically includes provisions that address data exchange, networking, connectivity and interoperability of device protocols and the control logic for sensors, actuators and user interfaces. This Division, sans cyber, is often owned by controls contractors, or, ideally, by a specifically trained Master Systems Integrator (MSI); the MSI being the person who understands how to integrate various systems and components within a larger system to ensure seamless functionality and efficient operation. The MSI is that bridge between the owner’s project requirements, the basis of design, the designers and installing contractors. Incidentally, MSIs often utilize ASHRAE Standard 135 (BACnet) and Guideline 13 (BAS) as the standard referenced framework for their integration responsibilities. Again, these two ASHRAE standards are the current bellwethers for inclusion of cybersecurity in the built environment. 

 

Another professional candidate for responsibility for Cybersecurity for Facilities Related Control Systems comes from inside of the commissioning profession, a subfield of the mechanical and electrical engineering disciplines. In the field, it is not uncommon for the practical reality of the OT cyber role to be communicated as “cybersecurity commissioning.” In the broadest sense, commissioning is the practice of witnessing and verifying that building systems conform with the Owner’s Project Requirements and Basis of Design. A certified commissioning authority’s (CxA) work includes using those foundational documents to complete a design review; develop a commissioning plan, which details the prefunctional and functional performance guidelines of devices, components and systems; complete and report site observations; work with the installing contractors to complete functional testing of the installed systems; develop an issues log; and complete final reporting. In the course of the commissioning agent’s work, that professional will have provided the owner with third-party verification that the systems have been designed for the desired outcomes, that what was installed was what was supposed to have been installed, and that the final product works properly, with minimal issues, before the project moves into close-out. Oftentimes there will be an operational training component to that scope of work, and occasionally system retesting before the end of the warranty period. The commissioning agent is in many ways in an ideal position for assuming responsibility for physical-cyber systems because that person is a third party, knows the building systems, knows how those systems are supposed to work, reviews the equipment submittals, writes the scripts to verify performance criteria, observes the completion of those scripts, develops a log of issues before turn-over and adjudicates those issues. 
The commissioning process is the same process that a third party would follow for cyber, for the same systems, with a similar outcome. 

Commissioning authorities also maintain a strong relationship with ASHRAE, using ASHRAE Guideline 0 as the primary field guide and reference material for the commissioning practice. 

 

The work of both MSIs and CxAs involves a combination of training in mechanical engineering, controls engineering and policy. These professions both understand the technical inner workings of connected devices, controls and automation. Both are reviewing and optimizing designs for performance. It would not be a far cry for either to add cybersecurity to the toolbox.

 

Energy Codes as an Implementation Pathway 

 

In the United States, the IECC has been adopted by 48 of the 50 states. It is the primary vehicle for moving the building industry forward. IECC uses ASHRAE 90.1 as a foundational standard for its energy efficiency guidelines and allows demonstrable conformance with ASHRAE 90.1 as a compliance pathway. The relationship between ASHRAE and IECC is that between a standards-developing body and a model code body.

 

The widespread adoption of IECC standards and reliance upon ASHRAE technical standards further suggests that ASHRAE is an ideal candidate for physical cybersecurity standards. The incorporation of cyber-physical specifications into ASHRAE technical standards would provide a direct path to the diffuse dissemination of those standards into most states and municipalities; it would be the fastest way to bring the nation’s physical assets into cyber-physical compliance. 

 

Further justification for the dissemination of cyber standards through energy code is found in the relationship between cybersecurity and resilience planning. Among all of the DHS official resilience factors—wind, fire, flood, energy, terrorism, supply chain disruptions and pandemic—cybersecurity shares the most affinity with energy-related considerations. The examples of attacks that have been shared in this text, such as Volt Typhoon and others, have shown how attackers can exploit vulnerabilities in building controls and energy systems and use that unauthorized access to develop threats to real-world physical assets. In fact, there cannot be energy resilience without cyber-physical resilience. The reliability of grid or backup power is worthless if a threat on the back-end is manipulating performance or denying access. 

 

A new gas pipeline proposed in Texas called the Rio Bravo Pipeline Project is one of many energy and gas projects that could become compromised during a cyber attack.

Future Vulnerabilities

 

Between 2005 and 2018, the reported number of cyber incidents has grown consistently by about 1,000%. Ransomware has grown particularly aggressively, with a reported $1.25 billion paid out to cyberterrorists in 2023. The United States is a particular target for ransomware attacks, accounting for half of all attacks worldwide and growing by 146% year-over-year. A recent report by Dragos warns that OT cyber risk could exceed $300 billion this year, due to indirect losses from cascading attacks that start with one compromise and lead to others.

 

As a reminder, “70% of CISOs admit that the vast majority of everyday cybersecurity incidents are due to unknown or unmanaged network assets”, “only 10% of breaches are reported to law enforcement”, and “40% [of incidents] are not even reported to the internal leadership of the affected organizations.” Keep in mind that these factors are largely representative of the past operating environment, where sophisticated attacks are more or less limited by physical capabilities and have to physically prioritize targets. Given limited time and resources, in many cases, the targets that have been prioritized by state and non-state actors have been those associated with the highest value critical infrastructure such as defense, government, water and energy. The urgency has not yet been impressed on assets of lesser value.

 

The threat level for everyday assets will soon change. The development of artificial intelligence (AI) is in the process of exponentially accelerating the number and sophistication of attacks. Some estimate that cyberattacks on commercial businesses due to AI have already surged by 1,760%. Amazon Web Services (AWS) internal documents report that in December 2024 attack volume jumped from 100 million to 750 million unauthorized attempts to gain access per day. This astonishing increase in attack velocity is only using the current commercially available technologies. Given that the level of sophistication of what technology is commercially available is changing at an amazing rate, one can reasonably expect an exponential increase in attacks. 

These exponential, 1,000%-level increases come before the advent of AIs that can autonomously plan, execute and react. Once the autonomous cat is out of the bag, the rate of replication of attack vectors will make the thousand-percent gains look like the good old days.

 

And so while most non-critical real estate investment trusts (REITs), asset managers, and other commercial operators have enjoyed the luxury of relatively manageable levels of cyber-physical threats due to not being on the high-priority radar, that will soon change. When physical resources are no longer a constraint, physical prioritization is no longer a limit. At that point, and leading up to it, the danger to everyday assets will become real, fast. The harmless internet of things device that nobody thinks about that is connected to the rest of the building network, like the fish tank in the casino example, is an attack vector. The vending machine is an attack vector. The WiFi- and Bluetooth-enabled pressure valve is definitely an attack vector. The building automation system becomes a gaping, large attack surface. The convenient little smart building sensors, monitors and connected devices that have been installed and ignored more or less without incident for the past 20 or so years will become the future weakest links in the cyber-physical systems that are our built environment.

 

Public Safety 

 

The disruption of cyber-physical systems in critical and commercial infrastructure can create incidents that have real-world impact. As the Volt Typhoon attacks show, the chaos that can be caused is not only a matter of data privacy and “things in the cloud.” Attackers can ground airplanes, turn off pumps and destroy physical safety systems. On this basis, cybersecurity in the built environment should become an emerging public safety concern. There are several examples of systemic code changes in which safety concerns have played a primary role, after the fact of a disaster or protracted legal battle. 

 

Fire-Safety Driven Code Changes

 

Several fire-related incidents including the Great Chicago Fire (1871), Cocoanut Grove Nightclub fire (1942), the MGM Grand fire (1980), the Oakland Hills Firestorm (1991), and past California wildfire seasons (2017–2020) have triggered widespread adoption of codes and standards for better building practices such as fire-resistant exterior walls, limits on wood framing in dense areas, firebreak streets, egress requirements, occupancy load limits, panic hardware on exit doors, and fire sprinkler requirements in high-rise hotels and casinos.

 

Structural and Earthquake Safety

 

The Long Beach earthquake (1933) and San Fernando earthquake (1971) provided an impetus for the development of modern building codes to require earthquake-resistant design for all public schools in California and to modernize seismic load calculations and detail ductility in reinforced concrete and steel structures. 

 

Wind and Hurricane Resistance

 

Hurricane Andrew (1992), Hurricane Katrina (2005) and Hurricane Sandy (2012) have sparked progress in codes around impact-resistant glazing, stronger roof-to-wall connections, tighter nailing patterns for sheathing, and increased wind design speeds in coastal hazard areas. 

 

Toxic Material and Indoor Air Quality

 

During the 1970s and 1980s, public health concerns over the incident rates of lung disease and cancer due to asbestos led to a national ban on asbestos in building products. Radon-resistant construction standards were implemented in the 1990s after studies linked radon exposure to lung cancer. 

 

Americans with Disabilities Act (ADA)

 

The Federal ADA Act of 1990 did not come out of nowhere: It was the result of decades of activism, court cases and legal challenges that built momentum for the standard. Incremental victories such as the Architectural Barriers Act (1968) required federal buildings to be available to disabled members of the public, Section 504 of the Rehabilitation Act (1973) protected people from discrimination in federal employment by requiring real-world changes such as ramps and accessible restrooms in federal buildings, and the Fair Housing Amendments Act (1988) extended protections to people with disabilities in housing. 

 

Financial Incentives for Green Buildings

 

In a perfect world, the prioritization of improvements in public and commercial real estate would follow from predicting the types of changes that would be of clear, demonstrable benefit for the general public. However, American society has yet to see such proactive developments. Rather, the pragmatic, incrementalist logic of asset ownership largely follows a different rubric: that of return on investment (ROI). In most cases, demonstration of clear ROI is the necessity that drives prioritization of improvements in the built environment. Short of disaster, financial factors such as cost savings, rental rates and increased asset valuations are what produce change. One could argue that the emergence of the green building, smart building and healthy buildings markets has followed this purely economic logic.

 

Energy Efficiency

 

Of course, cost savings due to energy efficiency have been, and will probably continue to be, the most popular driver of the adoption of technology in buildings. Equipment upgrades, physical sensors and building automation systems that cost x-dollars to implement but save y-dollars over time provide a no-brainer heuristic for real estate asset owners of all types.

 

Private Insurance Premiums

 

In 2006, the LEED Certification and Green Globes programs rose in popularity as private benchmarks that communicated real estate value through the adjustment of insurance premiums. The well-known Fireman’s Fund Insurance Company study (2006), which found lower risk of certain losses resulting from mechanical, electrical and plumbing system failures, led to 5% lower insurance premiums for assets certified under these programs. Over time, other insurance providers such as Liberty Mutual, Zurich North America, FM Global and State Farm have developed their own programs to incentivize green building upgrades. For example, Zurich North America offers additional insurance to rebuild green after a loss event, FM Global offers a 5% premium offset for clients investing in climate resilience, and State Farm offers discounts for homes with energy-efficient features, such as new roofs or automatic sprinkler systems.  In addition, all of these programs have since incorporated incentives for environmental “resilience-based” risk mitigations.

 

Occupancy Rates and Rental Prices

 

While there has not yet been any large-scale, publicly available, study to link green buildings to higher occupancy rates, there is a strong industry consensus and anecdotal evidence through private industry-backed consulting reports and commercial analyses that suggest that certified buildings are worth more because of higher tenant retention rates, which are used as an indicator of public demand and asset value. The “Green is Good” Series, which includes Sustainable Office Outperforms in Class A Urban Markets and Sustainable Office Impact on Investment Pricing (2021), a report commissioned by the global REIT Cushman & Wakefield and shared by the U.S. Green Building Council, suggests an average of 21.4% higher resale value, 11.1% average higher rent, 25.3% price per square foot rent premiums in Class A offices, 40.9% premiums in Class B offices and 77.5% premiums in Class C offices over non-certified counterparts. 

 

Similar private studies have been commissioned on other certification programs such as WELL and Fitwel. For example, a 2020 economic impact report by the Centers for Disease Control and Prevention (CDC) found that Fitwel certified buildings could lead to improvement in occupant health and productivity due to the reduction of absenteeism and increased tenant satisfaction, in support of higher lease and lower vacancy rates. A 2020 study by the real estate investment trend firm JLL commissioned by global wellness leader Delos found that WELL-certified buildings can command rent premiums of 3-11% above non-certified buildings. A later JLL study from 2021 found a 2-5% premium for Fitwel Certified assets. A 2021 CBRE study found that WELL-certified office buildings often experience lower vacancy rates and higher rental rates than non-certified buildings. A 2021 academic paper published in the Journal of Real Estate Research also found a positive but modest effect of the WELL-certified label on asset value.

 

Federal Tax Credits

 

Past tax credits from Section 179D (2005) have allowed commercial building owners to deduct up to $1.80 per square foot for energy efficiency–related upgrades that reduce energy use by at least 50% compared to baseline standards. The Investment Tax Credit (ITC), through Section 25D, has provided a 30% credit for residential properties, and, through Section 48E, up to a 30% credit for commercial properties that install solar panels, solar hot water heating, and other renewable energy systems. Further on the residential side, Section 45L has enabled residential buildings to claim an up to $2,500 per unit credit for energy efficiency units and $5,000 per unit for net zero ready buildings. As of now, the credits from Section 179D and Section 25D are set to expire December 31, 2025. Section 48E currently remains in effect for projects that begin construction by July 4, 2026 and are placed in service by December 31, 2027. 

 

State Tax Credits

Several states, including but not limited to California, New York, Massachusetts, Texas and Colorado, offer independent tax credits and incentives for energy efficiency–related upgrades. The incentives programs include rebates and tax abatements for energy-efficient upgrades, energy-efficient appliances, building retrofits and solar installation. The Database of State Incentives for Renewables & Efficiency (DSIRE) is a great resource for further information.

 

 

 

 

 

Cybersecurity in Real Estate

 

Despite demonstration of the present risks to insecure cyber-physical assets, cybersecurity in real estate still remains outside of the Overton Window—a shifting range of politically acceptable subjects and arguments—for public and commercial real estate. There has, thankfully, not yet been a cybersecurity crisis in the United States on the level of a California Wildfire or a Hurricane Katrina with which to prompt reactive standardization. And, while there are plenty of software solutions, such as monitored firewalls and antivirus software that promise to reduce network threats, there is no quick, single piece of equipment that can eliminate all the threats that exist in the disparate devices connected to the built environment. There are no overt operational cost savings for cybersecurity as a preventive measure: It is less like a technological upgrade and more like optional device maintenance that would come out of already-strained operational budgets. There is no quick ROI, no Federal or state tax credits, no privately commissioned reports that indicate asset value or rental premiums. There are, however, a few incentive programs through Chubb, AIG and Beazley that offer premium discounts or credits for organizations that demonstrate strong cybersecurity practices, including for smart buildings and OT environments, but this alone does not seem promising. Try as we may to prevent a market crisis, with risk acceleration, and without clear incentives for necessary change, the general odds appear stacked against code and economic-based action. Unfortunately, for all except those investors, owners and professionals who are far ahead of the curve, cyber-physical security is yet, and is likely to remain, a deprioritized afterthought until a public-disaster response, perhaps one driven by AI-based agents, requires otherwise.

 

Further Reading

 

Asset owners and industry professionals who are interested in incorporating cybersecurity standards are encouraged to read and implement the best management practices found in cyber-physical standards such as DOD UFGS 25 05 11: Cybersecurity for Facility Related Control Systems, NIST SP 800-37: Risk Management Framework, NIST SP 800-82: Guide to Industrial Control Systems Security, ISA/IEC 62443: Security for Industrial Automation, ASHRAE Standard 135, and ASHRAE Guideline 13.

 

Glossary

 

Architecture, engineering and construction (AEC)

Artificial intelligence (AI)

American Society of Civil Engineers (ASCE)

American Society of Heating, Refrigerating, and Air-Conditioning Engineers (ASHRAE)

American Society of Heating and Ventilation Engineers (ASHVE)

American Society of Refrigerating Engineers (ASRE)

Amazon Web Services (AWS)

Building Automation Systems (BAS)

Building Management System (BMS)

Building Research Board (BRB)

Building Research Establishment (BRE)

Building Research Establishment Environmental Assessment Method (BREEAM)

Centers for Disease Control and Prevention (CDC)

Chief Information Security Officers (CISOs)

Construction Specifications Institute (CSI)

Certified commissioning authority (CxA)

Distributed denial-of-service (DDoS)

Department of Homeland Security (DHS)

Domain name system (DNS)

Department of Defense (DOD)

Department of Energy (DOE)

Database of State Incentives for Renewables & Efficiency (DSIRE)

Energy services companies (ESCOs)

Facility Related Control Systems (FRCS)

File Transfer Protocol (FTP)

Green Building Initiative (GBI)

Green Globes Professional (GGP)

Hypertext Transfer Protocol (HTTP)

Heating, ventilation and air conditioning (HVAC)

International Building Code (IBC)

International Existing Building Code (IEBC)

International Code Council (ICC)

International Energy Conservation Code (IECC)

Internet of things (IoT)

Johnson Controls (JCI)

Information technology (IT)

Investment Tax Credit (ITC)

Leadership in Energy and Environmental Design (LEED)

LEED Accredited Professional (LEED AP)

Model Energy Codes (MEC)

Master Systems Integrator (MSI)

National Electrical Code (NEC)

National Fire Protection Association (NFPA)

National Institute of Standards and Technology (NIST)

National Infrastructure Protection Plan (NIPP)

Operational technology (OT)

Real estate investment trust (REIT)

Risk Management Framework (RMF)

Return on investment (ROI)

Supervisory Control and Data Acquisition (SCADA)

Sensitive Compartmented Information Facilities (SCIFs)

Transmission Control Protocol/Internet Protocol (TCP/IP)

Unified Facilities Criteria (UFC)

U.S. Green Building Council (USGBC)

United Technologies Corporation (UTC)

Voice Over Internet Protocol (VOIP)


 

Published March 10, 2026

Bataoel, V. (2026, March 10). The Risks of Being Smart: Smart Buildings and Cybersecurity Standards. Retrieved from https://www.buildinggreen.com/feature/risks-being-smart-smart-buildings-and-cybersecurity-standards