
Facility Management Cybersecurity for Buildings

Modern buildings run on networked operational technology: building management systems, HVAC controllers, access control, lifts, CCTV, lighting and metering. Facility operators inherited these systems from an era when they were isolated, then connected them to corporate IT and the internet for remote management. Here is the practical cybersecurity programme our practice applies to building operations and smart-facility estates.

Published 26 June 2026 · 9 min read · Codesecure Industry Practice

Key Takeaways

  • Buildings are now OT environments. BMS, HVAC, access control, lifts and metering run on industrial protocols (BACnet, Modbus, KNX, LonWorks) that were never designed for hostile networks.
  • IT/OT convergence removed the isolation. Remote management, cloud dashboards and corporate-network integration mean building systems are reachable far beyond the plant room.
  • Access control and CCTV are physical-security systems with cyber exposure. A compromise can unlock doors, disable cameras or expose footage.
  • Vendor remote access is the dominant ingress route. Maintenance contractors, often with shared credentials and persistent tunnels, are the most common path in.
  • Legacy controllers cannot be patched on an IT cadence. Segmentation, monitoring and controlled remote access carry the load while equipment is replaced over years.

Buildings Are Now Operational Technology Environments

A modern commercial building, campus, hospital, hotel or mixed-use development is, from a cybersecurity standpoint, an operational-technology environment. Beneath the facade sit networked control systems: a building management system orchestrating heating, ventilation and air conditioning, dedicated HVAC controllers, electronic access control governing doors and turnstiles, lift and escalator controllers, CCTV and video management, lighting control, fire and life-safety systems, energy metering and increasingly a long tail of building Internet-of-Things sensors. These systems speak industrial protocols (BACnet, Modbus, KNX, LonWorks, DALI) that were designed for reliability and interoperability, not for authentication or encryption.

Facility operators rarely set out to run an OT environment. They inherited one. Each subsystem was procured from a different vendor, installed at a different time, and originally operated in isolation. The cybersecurity model, to the extent there was one, assumed physical isolation. Then connectivity arrived: remote management for efficiency, cloud dashboards for portfolio oversight, integration with corporate IT for reporting and analytics, and tenant-facing apps. The isolation that the original security model depended on quietly disappeared, but the controllers underneath did not change.

The result is a high-consequence environment defended like a low-consequence one. A compromise of building systems is not an abstract data-confidentiality issue. It can disable climate control in a data centre or hospital, unlock or lock doors, disable cameras during a physical intrusion, manipulate energy systems, or provide a pivot from the building network into corporate IT. Across India, Singapore, UAE and Malaysia, the growth of smart buildings and connected-estate management has expanded this exposure faster than security practice has kept pace.

Securing the Building Management System

The building management system, sometimes called the building automation and control system, is the supervisory brain of the facility. It aggregates data from and issues commands to the subsystem controllers, presents operator workstations and dashboards, and increasingly exposes a web or cloud interface for remote oversight. Because it touches everything, a compromise of the BMS is functionally a compromise of the building.

Recurring findings in our facility engagements:

  • BMS operator workstations running end-of-life operating systems with no realistic patch path.
  • Default or shared credentials retained on controllers and front-end software (vendor manuals frequently publish these).
  • BMS web interfaces exposed directly to the internet (often discovered through internet-wide scanning services that index exactly these devices).
  • Unencrypted BACnet and Modbus traffic that can be read and forged by anyone on the network segment.
  • No logging or monitoring of operator actions, so a malicious or erroneous command leaves no trail.

The mitigation priorities mirror industrial OT practice adapted to buildings. Place the BMS and its controllers on a dedicated network segment, firewalled from corporate IT and unreachable from the internet except through a controlled remote-access path. Remove the BMS web interface from direct internet exposure. Replace default and shared credentials with named accounts and, where the platform supports it, multi-factor authentication on the operator and engineering front-ends. Inventory every controller with its protocol, firmware version and patch status. And introduce monitoring of the BMS network so anomalous commands and unexpected connections are detected. Codesecure assesses building management systems with a safety-first methodology, defaulting to passive observation and configuration review and reserving any active testing for agreed maintenance windows.

Access Control, CCTV and Physical-Cyber Convergence

Electronic access control and video surveillance occupy a special category because they are physical-security systems with a cyber attack surface. When they fail, the consequence is not data loss in the abstract; it is doors that unlock, turnstiles that release, and cameras that go dark. The convergence of physical and cyber security means a network-borne attack can produce a physical-world outcome, and a physical intrusion can be enabled or masked by a cyber compromise.

Common weaknesses:

  • Access-control panels and door controllers on the general corporate network rather than an isolated segment.
  • Default credentials on controllers and on the network video recorders.
  • IP cameras with known firmware vulnerabilities and no patch programme (cameras are a frequent entry point and a frequent participant in botnets).
  • Video management systems exposed to the internet for remote viewing.
  • Credential technologies (legacy proximity cards) that are trivially cloned.

A breach of the access-control server can grant the attacker the ability to provision their own credentials or disable alarms.

Defensive measures:

  • Isolate access-control and video systems on their own segment with no internet exposure except through a controlled path.
  • Replace default credentials and apply firmware updates on a managed cadence.
  • Retire trivially cloneable card technologies in favour of stronger credentials.
  • Restrict and log administrative access to the access-control and video-management servers.
  • Integrate these systems into the same monitoring regime as the rest of the building OT, so that, for example, a door-controller reboot or a camera going offline generates an alert rather than passing unnoticed.

IT/OT Convergence and Network Segmentation

The central architectural problem in building cybersecurity is convergence without segmentation. Building OT now connects to corporate IT for reporting, to vendor clouds for analytics and remote management, and to tenant-facing services, but the network design rarely reflects the risk. In many facilities the BMS, access control, CCTV, corporate IT and guest Wi-Fi share addressing and routing with only nominal separation, so a foothold in any of them reaches the others.

The remedy is a layered segmentation model borrowed from industrial practice. Building OT (BMS, HVAC, lifts, metering) sits in its own zone. Physical-security systems (access control, CCTV) sit in their own zone. Corporate IT is separate again. A controlled demilitarised zone mediates any necessary data flow between OT and IT, so that, for example, energy data can flow up to a reporting dashboard without the dashboard's network being able to reach down and issue control commands. Traffic between zones passes only through documented, allow-listed and logged paths. Internet exposure of OT and physical-security systems is eliminated except through a hardened remote-access path.

Reaching this state in an occupied, operating building is a phased programme rather than a single project, because changes to live building systems must respect operational and safety constraints and often require vendor coordination and maintenance windows. A realistic estate-wide segmentation programme runs over many months. The interim gains, however, start early: simply removing internet-exposed BMS and CCTV interfaces and isolating the most exposed controllers materially reduces risk in the first weeks.
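To make the zone model concrete, here is an added example (not Codesecure's tooling or any product's code) that checks constructed flow-log lines against an allow-list of inter-zone paths and flags the kind of unexpected connections the BMS monitoring section above calls for. The zone address plan, the port numbers, the contracted IoT cloud endpoint and the log format are all assumed for illustration.

```python
import ipaddress
# Constructed zone plan for a hypothetical estate; all addresses are illustrative.
ZONES = {
    "building_ot": ipaddress.ip_network("10.20.0.0/16"),  # BMS, HVAC, lifts, metering
    "phys_sec": ipaddress.ip_network("10.30.0.0/16"),     # access control, NVR, cameras
    "dmz": ipaddress.ip_network("10.40.0.0/24"),          # jump host, historian
    "corp_it": ipaddress.ip_network("10.10.0.0/16"),
    "iot": ipaddress.ip_network("10.50.0.0/16"),          # sensors and smart meters
}
# Allow-listed inter-zone paths as (src_zone, dst_zone, proto, dport); anything
# else that crosses a zone boundary, including any internet path, is a finding.
ALLOWED = {
    ("building_ot", "dmz", "tcp", 443),    # controllers push energy data up to the historian
    ("corp_it", "dmz", "tcp", 443),        # reporting dashboard reads the historian only
    ("dmz", "building_ot", "udp", 47808),  # jump host -> BACnet/IP during vendor sessions
    ("dmz", "building_ot", "tcp", 502),    # jump host -> Modbus/TCP during vendor sessions
    ("dmz", "phys_sec", "tcp", 443),       # jump host -> VMS / access-control admin UI
    ("iot", "internet", "tcp", 8883),      # sensors -> contracted vendor cloud (MQTT/TLS)
}
IOT_CLOUD = {ipaddress.ip_address("198.51.100.10")}  # constructed contracted endpoint

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"  # anything outside the estate's address plan

def audit(lines):
    """Return one finding per flow that crosses a zone boundary off-policy.
    Each log line is 'src dst proto dport' (constructed format)."""
    findings = []
    for line in lines:
        src, dst, proto, dport = line.split()
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue  # intra-zone traffic is left to the zone's own controls
        rule = (sz, dz, proto.lower(), int(dport))
        # The IoT cloud path is allowed only towards the contracted endpoint.
        if rule in ALLOWED and (sz != "iot" or ipaddress.ip_address(dst) in IOT_CLOUD):
            continue
        findings.append(f"{sz}->{dz} {src}->{dst} {proto}/{dport}")
    return findings
SAMPLE_FLOWS = [  # constructed flow log for demonstration
    "10.20.1.15 10.40.0.20 tcp 443",    # controller -> historian: allowed
    "10.10.5.23 10.20.1.15 udp 47808",  # corporate workstation speaking BACnet to a controller
    "10.50.2.9 198.51.100.10 tcp 8883", # sensor -> contracted cloud: allowed
    "10.50.2.9 203.0.113.77 tcp 8883",  # sensor -> unknown internet host
    "203.0.113.5 10.30.0.40 tcp 443",   # internet -> NVR admin port: exposed VMS
    "10.30.0.40 10.10.8.1 tcp 445",     # NVR -> corporate IT: pivot path
]
```

Running `audit(SAMPLE_FLOWS)` yields four findings: the corporate workstation reaching a controller over BACnet, the sensor talking to an unsanctioned internet host, the internet-exposed VMS, and the NVR-to-corporate pivot path.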

Vendor Remote Access and Maintenance Contractors

Vendor remote access is the dominant ingress route into building OT, exactly as it is in industrial plants. The BMS vendor, the HVAC contractor, the lift maintainer, the access-control integrator and the CCTV provider all expect remote diagnostic and maintenance access to meet their service commitments. Without a controlled approach this devolves into permanent VPN tunnels, shared credentials used across multiple sites, and remote-access tools installed on operator workstations that themselves sit on the corporate network. Each is a standing invitation.

The recommended pattern is a single, hardened remote-access path for all external parties. Every contractor connects through one controlled jump host or privileged-remote-access gateway that sits in the building's demilitarised zone with no other purpose. Sessions are recorded for after-the-fact review, credentials are vaulted and rotated rather than shared, multi-factor authentication is enforced, and access is requested per session rather than left as a persistent tunnel. The contractor does not hold a permanent key to the building; they request entry each time, and that entry is logged and time-bound.

This single control closes the most common breach path in the sector. It also produces the audit trail that insurers and clients increasingly expect: a clear record of who accessed which building system, when, and what they did. Codesecure helps facility operators design and implement controlled vendor-access architectures that satisfy operational, audit and insurance requirements.
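As an added illustration (not Codesecure's gateway or any vendor's product), the following encodes the per-session rule described above: an MFA-verified contractor gets a session only inside an approved window for a named target, the session expiry is capped, and every decision, granted or denied, produces an audit record. The contractor names, target names, ticket references and the four-hour cap are assumed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class Approval:  # one per-session approval: named contractor, one target, one window
    contractor: str
    target: str  # e.g. "bms-front-end" (constructed names)
    ticket: str  # maintenance/change reference, placeholder values below
    start: datetime
    end: datetime

MAX_SESSION = timedelta(hours=4)  # assumed site policy: no session outlives this
def evaluate(contractor, target, mfa_verified, approvals, now):
    """Decide a jump-host session request. Returns (granted, reason, expires_at)."""
    if not mfa_verified:
        return False, "mfa-required", None
    for a in approvals:
        if a.contractor == contractor and a.target == target and a.start <= now < a.end:
            # Session ends at the approval window or the policy cap, whichever is sooner.
            return True, f"ticket={a.ticket}", min(a.end, now + MAX_SESSION)
    return False, "no-approval-in-window", None

def audit_record(contractor, target, decision, now):
    """Log entry kept for every request, granted or not."""
    granted, reason, expires = decision
    return {"ts": now.isoformat(), "contractor": contractor, "target": target,
            "granted": granted, "reason": reason,
            "expires_at": expires.isoformat() if expires else None}

# Constructed scenario: two approvals, one live today and one for tomorrow.
T0 = datetime(2026, 6, 26, 9, 0, tzinfo=timezone.utc)
APPROVALS = [
    Approval("hvac-contractor", "bms-front-end", "MNT-0001", T0, T0 + timedelta(hours=2)),
    Approval("lift-maintainer", "lift-controller-03", "MNT-0002",
             T0 + timedelta(days=1), T0 + timedelta(days=1, hours=8)),
]
def run_scenario():
    """Evaluate constructed requests (contractor, target, mfa_ok, minutes after T0)."""
    requests = [
        ("hvac-contractor", "bms-front-end", True, 30),          # in window: granted
        ("hvac-contractor", "bms-front-end", False, 30),         # no MFA: denied
        ("hvac-contractor", "bms-front-end", True, 180),         # window over: denied
        ("lift-maintainer", "lift-controller-03", True, 1500),   # next day: granted, capped
    ]
    records = []
    for contractor, target, mfa, mins in requests:
        now = T0 + timedelta(minutes=mins)
        records.append(audit_record(contractor, target,
                                    evaluate(contractor, target, mfa, APPROVALS, now), now))
    return records
```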

Patching Legacy Controllers and Building IoT Monitoring

Most building controllers cannot be patched on an IT cadence. Firmware updates require downtime that disrupts occupied spaces, often need vendor involvement, and sometimes are simply unavailable because the controller is years past the manufacturer's support window. The realistic posture, as in industrial OT, is that compensating controls do most of the work while equipment is replaced over a multi-year capital cycle.

Those compensating controls are familiar: strict segmentation so an unpatched controller cannot be reached by an attacker, monitoring so anomalous behaviour on the OT network is detected, and application allowlisting on the Windows-based operator workstations so untrusted code cannot execute even on an unpatched host. For controllers the vendor will no longer support, the right governance is explicit, documented risk acceptance paired with a replacement roadmap, rather than a pretence that the system is patched.

Building IoT (the growing population of wireless sensors, smart meters, occupancy detectors and environmental monitors) adds a new class of small, numerous, often poorly secured devices. Each new device is a potential foothold and a potential path out of the building network into a vendor cloud. The discipline is to inventory these devices, place them on constrained network segments with no route into control systems, assess the vendor's cloud security posture before deployment, and monitor for the anomalous outbound connections that signal compromise. Codesecure delivers building-IoT and OT assessments that surface this inventory and the configuration drift that accumulates across a connected estate.

Frequently Asked Questions

Is a building really a cybersecurity target?

Yes. Building management systems, access control and CCTV are networked control systems whose compromise can disable climate control, unlock doors, disable cameras or provide a pivot into corporate IT. Internet-exposed BMS and camera interfaces are routinely discovered by internet-wide scanning, and building systems are often the least-monitored part of an estate.

Can you test our building systems without disrupting operations?

Yes. Codesecure uses a safety-first methodology that defaults to passive observation, configuration review and vendor coordination, reserving any active testing for agreed maintenance windows. We do not run disruptive active tests against live building control systems in production unless explicitly scoped and authorised in writing.

What is the most common way attackers get into building OT?

Vendor remote access. Maintenance contractors typically hold persistent VPN tunnels and shared credentials, often reused across sites. Routing all external access through a single hardened jump host with session recording, vaulted credentials, MFA and per-session approval closes the most common ingress path and produces the audit trail insurers expect.

How do we secure controllers that cannot be patched?

Compensating controls: strict segmentation so the controller is unreachable by attackers, monitoring of the OT network for anomalies, application allowlisting on operator workstations, and documented risk acceptance paired with a replacement roadmap for unsupported equipment. This mirrors industrial OT practice adapted to building systems.

Should access control and CCTV be on the office network?

No. They should sit on a dedicated, isolated segment with no internet exposure except through a controlled path, with default credentials replaced, firmware maintained, and administrative access logged. Placing the network video recorder and door controllers on the flat office network is a frequent and serious finding.

Can Codesecure assess a whole portfolio of buildings?

Yes. Codesecure delivers facility and building-OT cybersecurity assessments using a representative-class approach for multi-site estates, covering BMS, HVAC, access control, CCTV, building IoT, segmentation and vendor access. ISO/IEC 27001:2022 certified delivery, named consultants, fixed-price proposals, free retest within 90 days.

Codesecure Industry Practice

OSCP / CEH / CISSP / ISO 27001 LA Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers sector-specific cybersecurity for online platforms, educational institutions, facility operators, e-commerce and fintech customers across India, Singapore, UAE and Malaysia. Named consultants with OSCP, CEH, CISSP and ISO 27001 Lead Auditor credentials. 150+ engagements completed.

Secure Your Buildings Without Disrupting Operations

Codesecure Solutions delivers facility and building-OT cybersecurity, BMS and access-control assessment, segmentation design and vendor-access hardening for operators across India, Singapore, UAE and Malaysia. ISO/IEC 27001:2022 certified delivery, safety-first methodology, named consultants.