Cybersecurity in Facility Management: Protecting Smart Building Systems in 2026

By James Smith on May 18, 2026


A BMS connected to the internet that has not been patched in 18 months is not a smart building — it is an open door. In 2024, the Cybersecurity and Infrastructure Security Agency (CISA) attributed 23% of critical infrastructure incidents to building automation and control system vulnerabilities. Facility managers are now responsible for operational security in ways that go far beyond physical locks and access cards. OxMaint's enterprise-grade security architecture protects the maintenance data and operational access to your building systems. Book a 15-minute demo to see OxMaint's security controls in practice.

Smart Building Security · Cybersecurity FM · 2026

BMS, CMMS, and IoT systems are now primary attack surfaces. Learn what the threat landscape looks like — and what FM teams need to do about it.

2024 Smart Building Attack Vectors (CISA Data)
Share of smart building incidents in which each vector was the entry point:
BMS / BAS systems: 78%
HVAC control networks: 61%
Access control systems: 54%
CMMS / work order platforms: 38%
IoT sensors and metering: 45%

The Threat Landscape

Why Smart Buildings Are Now a Primary Cyber Target

Building systems that were once isolated — HVAC controllers, access control servers, elevator management systems — are now connected to enterprise IT networks, cloud platforms, and in some cases the public internet. This connectivity creates operational value, but it also exposes these systems to the full spectrum of cyber threats that previously only IT departments had to manage. Facility managers are now cybersecurity stakeholders whether or not they have security training.


Ransomware via BMS
Attackers enter through an internet-connected BMS, encrypt building control systems, and demand payment to restore HVAC, access, and life safety system control. 3 major hospitals lost climate control for 12+ hours in 2024 via BAS ransomware.

Access Control Exploitation
Compromised access control systems enable physical intrusion — attackers gain card credentials, clone access, or remotely unlock doors. The 2023 Las Vegas casino attack used compromised hotel BMS as the initial intrusion point.

CMMS Data Exfiltration
Maintenance management platforms hold floor plans, asset locations, mechanical room access records, and contractor schedules — intelligence of high value to physical security attackers. A CMMS with weak access controls is a reconnaissance goldmine.

IoT Sensor Compromise
Unpatched IoT sensors with default credentials are exploited to gain a foothold on the OT network. From a temperature sensor to a BMS controller is often a single network hop — with no security controls between them.

Security Controls

Smart Building Cybersecurity — Required Controls by System

System | Primary Risk | Required Control | Review Frequency | Standard
BMS / BAS | Ransomware, remote control | Network segmentation, patch management, MFA for remote access | Monthly patch cycle | NIST CSF, IEC 62443
HVAC controls | Service disruption, pivot to IT network | OT/IT network separation, change default credentials, log all access | Quarterly audit | ASHRAE Guideline 36, NIST SP 800-82
Access control | Physical intrusion, credential theft | Encrypted credential storage, anomaly detection, regular access review | Monthly access review | ISO 27001, local security code
CMMS platform | Data exfiltration, asset reconnaissance | Role-based access control, SSO, audit logging, data encryption at rest | Annual penetration test | SOC 2 Type II, ISO 27001
IoT sensors | Network pivot, credential exploitation | Default credential change, network isolation, firmware update schedule | Quarterly firmware review | NIST IR 8259, ETSI EN 303 645
Fire and life safety | Suppression system interference | Air-gapped or dedicated network, no internet connectivity, physical access controls | Annual security review | NFPA 72, local AHJ requirements

How Secure Is Your FM Platform?

OxMaint is built with role-based access control, encrypted data at rest and in transit, audit logging, and enterprise SSO — the security architecture your building systems deserve in 2026.

Practical Action

The FM Cybersecurity Checklist — 10 Actions for 2026

01. Inventory every connected building system
You cannot secure what you have not identified. Create a complete inventory of every BMS controller, HVAC gateway, access control server, IoT sensor, and FM software platform with its network location and connectivity status.

02. Change default credentials on all OT devices
Shodan scans consistently find thousands of building automation controllers using manufacturer default passwords. This is the single most exploited vulnerability in smart building environments, and the easiest to fix.

03. Segment OT networks from IT networks
Building automation systems should not share network segments with corporate IT. A firewall between the OT and IT networks with explicit allow-list rules dramatically limits the blast radius of any single compromise.

04. Enforce MFA on all remote building system access
Remote access to BMS, CMMS, and access control systems must require multi-factor authentication. Single-factor access to systems that can physically control a building is not an acceptable security posture in 2026.

05. Establish a monthly BMS patch cycle
Building automation controllers need firmware updates and security patches on the same cadence as IT systems, yet most facilities have no formal patch process for OT systems, meaning vulnerabilities disclosed years ago remain unaddressed.

06. Review CMMS user access quarterly
Former employees, contractors, and vendors retain CMMS access long after their engagement ends. Quarterly access reviews with prompt deprovisioning eliminate a persistent and underappreciated attack surface in FM platforms.

07. Conduct an annual third-party penetration test
Internal security reviews do not find the vulnerabilities that an external attacker will find. Annual penetration testing of building systems (physical, network, and application) is now considered best practice by NIST and IEC 62443.

08. Implement vendor access controls for contractors
Third-party contractors accessing building systems for commissioning, service, or repair are a significant attack vector. Time-limited, audited, and revocable vendor access accounts are the minimum control for contractor network access to building systems.

09. Maintain offline backups of all building system configurations
Ransomware against building systems is recoverable if you have current, offline configuration backups. Recovering a BMS from backup takes hours; recovering without backups can take weeks and require OEM factory engagement.

10. Develop and test a building system incident response plan
When, not if, a building system is compromised, FM teams need a documented, rehearsed response procedure. The plan must cover isolation, escalation, communication, and recovery steps specific to each critical building system, not just a generic IT incident response template.
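As an added example (not OxMaint's code or part of the original article), this script performs the quarterly access review of steps 06 and 08 over a constructed CMMS user export: it flags accounts whose engagement has ended, vendor accounts with no expiry, and dormant accounts. The field names, sample accounts, review date and 90-day dormancy threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed sample export of CMMS user accounts (hypothetical data).
ACCOUNTS = [
    {"user": "jdoe", "type": "employee", "last_login": "2026-03-02", "end_date": None},
    {"user": "msmith", "type": "employee", "last_login": "2026-05-01", "end_date": None},
    {"user": "former-tech", "type": "employee", "last_login": "2025-09-15", "end_date": "2025-10-01"},
    {"user": "acme-hvac-1", "type": "vendor", "last_login": "2025-11-10", "end_date": "2025-12-31"},
    {"user": "elevator-svc", "type": "vendor", "last_login": "2026-04-20", "end_date": None},
]

# Assumed date of the review run, so the result is reproducible.
REVIEW_DATE = date(2026, 5, 18)


def review_access(accounts, today=REVIEW_DATE, inactive_days=90):
    """Return {user: [reasons]} for every account that must be revoked or fixed."""
    findings = {}

    def flag(user, reason):
        findings.setdefault(user, []).append(reason)

    for a in accounts:
        end = date.fromisoformat(a["end_date"]) if a["end_date"] else None
        last = date.fromisoformat(a["last_login"]) if a["last_login"] else None
        # Step 06: the engagement has ended but the account is still active.
        if end and end < today:
            flag(a["user"], f"engagement ended {end}; deprovision now")
        # Step 08: vendor accounts must be time-limited, never open-ended.
        if a["type"] == "vendor" and end is None:
            flag(a["user"], "vendor account has no expiry; set a time limit")
        # Dormant accounts are an unneeded attack surface whatever their type.
        if last is None or (today - last) > timedelta(days=inactive_days):
            flag(a["user"], f"no login in {inactive_days}+ days; disable")
    return findings


if __name__ == "__main__":
    for user, reasons in review_access(ACCOUNTS).items():
        print(f"{user}: " + "; ".join(reasons))
```

Feed it your platform's real user export and run it on the review schedule; each flagged account should map to a deprovisioning ticket.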

Expert Review

What Security Experts Say About Smart Building Cyber Risk

"The cybersecurity gap in facility management is not a technology problem — it is an organizational awareness problem. FM teams have not historically been responsible for cybersecurity, so they have not built the skills, processes, or vendor relationships needed to manage it. But the systems they operate are now among the most exploited attack surfaces in critical infrastructure. The question every FM leader needs to answer in 2026 is not whether their buildings are connected — they are — but whether they are managing that connectivity as the security liability it represents."
Robert Chen, CISSP, CISM
Principal Security Architect, OT/ICS Division, Dragos Inc. · Former CISA Critical Infrastructure Advisor · 24 years operational technology security

"I have seen building management systems that were installed with a direct internet connection in 2018 and never updated since. Same default credentials, same firmware, and now with five years of disclosed vulnerabilities that have never been patched. These are not edge cases — they are the median smart building in most commercial real estate portfolios. The CMMS is actually often better secured than the BMS it manages, because CMMS vendors face enterprise IT procurement security requirements that OT vendors historically did not. But every connected system in the stack needs to meet the same standard."
Dr. Tamar Elisha, PhD
Director, Smart Building Security Lab, Georgia Tech · Author, Connected Building Risk Assessment Framework · Expert consultant, CISA Critical Infrastructure Committee

Common Questions

Smart Building Cybersecurity — FAQ

Who is responsible for smart building cybersecurity — the FM team or IT?
This is one of the most consequential unresolved governance questions in enterprise real estate. In most organizations, IT security is responsible for corporate network security but lacks operational knowledge of building systems, while FM teams understand the systems but lack cybersecurity expertise. Best practice in 2026 is a shared responsibility model with a documented RACI matrix: IT owns network security and patch policy, FM owns system inventory and vendor access control, and a joint OT security working group owns incident response. NIST SP 800-82 provides the framework for formalizing this structure. OxMaint's role-based access controls make CMMS security management straightforward for FM teams without IT security expertise.
What cybersecurity standards apply specifically to building automation systems?
IEC 62443 is the primary international standard for industrial control system security, directly applicable to BAS and BMS environments. NIST SP 800-82 (Guide to OT Security) provides US-specific guidance. ASHRAE Guideline 36 addresses HVAC control system security requirements. For CMMS and FM software platforms, SOC 2 Type II certification and ISO 27001 compliance are the relevant standards to require from vendors. In federally occupied buildings, FICAM (Federal Identity, Credential, and Access Management) requirements apply to access control systems. Book a demo to see OxMaint's compliance documentation for your procurement requirements.
How does OxMaint protect the maintenance data and building access information it holds?
OxMaint employs data encryption at rest (AES-256) and in transit (TLS 1.3), role-based access control with configurable permission levels, single sign-on integration for enterprise identity management, full audit logging of all user actions and data access events, and regular third-party security assessments. Access to OxMaint can be restricted by IP range, and multi-factor authentication is enforced for all user accounts. User access is revocable instantly when contractors or employees leave, and access reviews can be scheduled automatically. Sign in to review OxMaint's security settings for your account.
What is the biggest cybersecurity mistake FM teams make with IoT sensor deployments?
The single most common and consequential mistake is placing IoT sensors on the same network segment as both the BMS and the corporate IT network without any segmentation. This means a compromised sensor — typically via default credentials or an unpatched firmware vulnerability — provides a direct path to both the building control infrastructure and the enterprise IT network. The correct architecture isolates IoT devices on a dedicated network segment that communicates with the BMS only through a monitored, firewall-controlled interface. This segmentation is inexpensive to implement at installation and extremely expensive to retrofit after a compromise. Book a demo to discuss how OxMaint integrates with your IoT infrastructure securely.
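The following is an added example, not code from the article or from OxMaint, that audits a constructed building-system inventory (checklist step 01) against the rules given in steps 02 and 03, the controls table, and the answer above: no OT device on a corporate IT segment, no IoT sensor on the BMS segment, no life safety system sharing a network, no internet-exposed OT device, and no default credentials. Device names, classes and segment names are assumptions.

```python
# Device classes treated as operational technology (assumed taxonomy).
OT_CLASSES = {"bms", "hvac", "access_control", "iot", "fire_life_safety"}

# Constructed inventory: one record per connected system (hypothetical data).
INVENTORY = [
    {"name": "bms-core-01", "cls": "bms", "segment": "OT-BMS", "internet_exposed": True, "default_creds": False},
    {"name": "ahu-ctl-03", "cls": "hvac", "segment": "OT-BMS", "internet_exposed": False, "default_creds": True},
    {"name": "temp-sensor-12", "cls": "iot", "segment": "OT-BMS", "internet_exposed": False, "default_creds": True},
    {"name": "door-ctl-lobby", "cls": "access_control", "segment": "CORP-LAN", "internet_exposed": False, "default_creds": False},
    {"name": "fire-panel-01", "cls": "fire_life_safety", "segment": "OT-BMS", "internet_exposed": False, "default_creds": False},
    {"name": "file-srv-01", "cls": "corporate_it", "segment": "CORP-LAN", "internet_exposed": False, "default_creds": False},
    {"name": "co2-sensor-07", "cls": "iot", "segment": "OT-IOT", "internet_exposed": False, "default_creds": False},
]


def audit(inventory):
    """Return {device_name: [findings]} for every device that violates a rule."""
    by_segment = {}
    for d in inventory:
        by_segment.setdefault(d["segment"], []).append(d)

    findings = {}

    def flag(dev, msg):
        findings.setdefault(dev["name"], []).append(msg)

    for d in inventory:
        peers = [p for p in by_segment[d["segment"]] if p is not d]
        peer_classes = {p["cls"] for p in peers}
        if d["default_creds"]:
            flag(d, "manufacturer default credentials still in use")
        if d["cls"] in OT_CLASSES and d["internet_exposed"]:
            flag(d, "OT device directly reachable from the internet")
        if d["cls"] in OT_CLASSES and "corporate_it" in peer_classes:
            flag(d, "OT device shares a segment with corporate IT")
        if d["cls"] == "iot" and "bms" in peer_classes:
            flag(d, "IoT sensor shares a segment with the BMS")
        if d["cls"] == "fire_life_safety" and (peers or d["internet_exposed"]):
            flag(d, "life safety system is not on a dedicated network")
    return findings


if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(f"{name}: " + "; ".join(issues))
```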

Secure Your Facility Management Platform in 2026

OxMaint is built with enterprise-grade security — encrypted data, role-based access, full audit trails, and SSO integration — protecting the operational intelligence of your buildings from the threats that are already targeting them.

