The IoT Security Nightmare: Why Smart Buildings Are a Hacker’s Playground

Picture the Scene

On a Tuesday morning in downtown Chicago, tenants in a new office tower swipe their badges at the glass entrance doors. Inside, the lobby lighting adjusts automatically to the growing crowd. Elevators, programmed with AI algorithms, optimize the flow of people to the upper floors. In the basement, the HVAC system quietly recalibrates to account for the rising temperature.

To most observers, this is progress made visible: an elegant choreography of technology, architecture, and data designed to deliver efficiency and comfort. What no one sees is that the same interconnected system is also quietly under attack. From a café in another country, a hacker is probing the building’s networks, looking for a forgotten device running outdated firmware. Within hours, a single weak vendor credential could open a path not only to the HVAC, but to access controls, surveillance cameras, even tenant Wi-Fi.

This isn’t a hypothetical. Researchers have demonstrated that smart buildings—those equipped with Internet of Things (IoT) devices that manage everything from lighting to locks—are uniquely vulnerable to exploitation. And while executives have spent two decades coming to terms with the financial and reputational costs of data breaches, far fewer have confronted the reality that in a connected building, cyber risk doesn’t just live in the cloud. It lives in the walls, the elevators, and the air ducts.

The Cyber-Physical Fault Line

Smart buildings represent one of the fastest-growing frontiers of urban technology. According to MarketsandMarkets, the global smart building market is expected to nearly double to $121 billion by 2026. For commercial real estate owners, the appeal is obvious: lower operating costs, predictive maintenance, and premium tenant experiences. For investors, the efficiency gains translate into higher asset valuations and sustainability benchmarks.

But there’s a hidden cost. With each new sensor or connected system, the attack surface expands.

Cyber-physical risk is what happens when digital systems have direct control over the physical environment. In a smart building, that risk is no longer theoretical. Consider the building management system (BMS), the nerve center that controls HVAC, lighting, elevators, and fire alarms. If an attacker compromises it, they don’t just access data—they can lock tenants out, disable fire suppression, or plunge a facility into chaos.

Other points of vulnerability are less obvious but equally dangerous. Occupancy sensors track employee movement in real time. Access control systems rely on mobile credentials stored on personal devices. Even smart thermostats and connected parking meters collect streams of information that, if intercepted, could be used to map tenant behavior or enable more sophisticated attacks.

The line between an IT problem and a facilities problem is collapsing. Yet many organizations continue to treat smart building risk as someone else’s concern—until the day it isn’t.

Why Smart Buildings Are Hacker Playgrounds

When researchers from cybersecurity firm Kaspersky scanned the internet for exposed building management systems, they found thousands of devices accessible with little more than a browser and patience. Many were running on outdated operating systems. Some still used default passwords like “admin123.”

For attackers, this is low-hanging fruit.

The vulnerabilities fall into three main categories:

1. Legacy Systems and Patch Gaps

Most building management systems were never designed with cybersecurity in mind. They run on software that may not have been updated in years, leaving them vulnerable to known exploits. A single unpatched system can provide an entry point into an entire building’s infrastructure.

2. Vendor Portals and Default Credentials

Third-party vendors often require remote access to elevators, HVAC, or lighting systems. These portals are a frequent target for attackers, especially when they use shared credentials across multiple sites. In one case study, researchers gained access to a building’s entire HVAC system through a contractor’s forgotten account.

3. Shadow IoT Devices

Tenants, contractors, or even cleaning crews introduce new devices—cameras, sensors, routers—without oversight. Each becomes a potential backdoor. Because these devices often lack strong encryption, they’re easy for attackers to compromise.

Hackers aren’t guessing. They’re scanning, cataloging, and waiting. And when they find a gap, they don’t just steal data—they manipulate the physical world.

When Cyber Meets Physical: Real-World Consequences

The risks aren’t abstract. In recent years, there have been well-documented cases where hackers exploited IoT vulnerabilities in real-world settings:

  • The Casino Thermostat Breach. Attackers gained access to a North American casino’s high-roller database through a Wi-Fi–connected fish tank thermometer in the lobby. Ten gigabytes of data were siphoned off before anyone noticed.
  • Hospital Ransomware Attacks. Several hospitals across Europe and North America have been forced to divert patients or shut down care after ransomware crippled their building and medical IoT systems. In some cases, HVAC and access control were targeted to heighten the pressure.
  • Office Tower Disruption. In one widely cited case, hackers manipulated a building’s HVAC system to overheat servers, forcing an emergency evacuation. The building was offline for two days, tenants displaced, and losses mounted.

For tenants, the disruption is immediate. For owners, the costs ripple outward: reputational damage, lost occupancy, higher insurance premiums, and in some cases, litigation over duty-of-care failures.

Why This Is a C-Suite Problem

It’s tempting for executives to delegate smart building risk to IT or facilities teams. But that misses the point: cyber-physical threats are fundamentally business risks, not just technical challenges.

  • In logistics, a ransomware attack on a smart warehouse can halt robotics and autonomous conveyors, derailing delivery schedules and breaching contracts.
  • In commercial real estate, a compromised building system can undermine tenant trust, depress renewal rates, and directly impact asset valuation.
  • In healthcare, tampered IoT systems can expose providers to HIPAA violations and patient safety crises.
  • In retail, compromised POS and occupancy sensors create financial losses and brand damage.
  • In private equity, one vulnerable smart asset can drag down an entire portfolio, exposing investors to regulatory scrutiny and reputational risk.

The bottom line: if you oversee assets, people, or portfolios, cyber-physical risk is your problem. Ignoring it won’t make it someone else’s.

The Illusion of Efficiency vs. the Cost of Breach

Smart buildings are marketed as tools for efficiency and sustainability. They save energy, reduce staffing requirements, and appeal to environmentally conscious tenants. The efficiencies are real.

But the efficiencies are also fragile. A single cyber-physical incident can erase years of savings. Consider the costs of a major breach:

  • Operational disruption. Tenants are locked out, deliveries delayed, revenue lost.
  • Safety hazards. Attackers manipulate fire alarms, elevators, or HVAC systems, putting occupants in harm’s way.
  • Legal exposure. Failure to secure building systems may violate duty-of-care obligations, triggering lawsuits.
  • Reputational damage. Tenants may not return, insurers may raise rates, and investors may look elsewhere.

According to IBM’s 2024 Cost of a Data Breach Report, the average breach now costs $4.45 million. For cyber-physical incidents, where disruption includes physical systems and real estate, the numbers climb far higher. One executive put it bluntly:

“It’s cheaper to build resilience than to rebuild trust.”

Building a Defense-in-Depth Strategy

So how can leaders respond? The answer isn’t a single tool or vendor. It’s strategy.

Segmentation. Building systems should never share the same network as tenant IT. Firewalls, VLANs, and strict access controls are basic but often overlooked.

Vendor Accountability. Contracts should mandate patching schedules, multi-factor authentication, and logging. Third-party access should be monitored continuously.

Continuous Monitoring. Intrusion detection isn’t just for IT. Smart buildings generate traffic patterns that can be monitored for anomalies. Sudden surges or unexplained commands may indicate compromise.
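As an added example (not code from the article or from Chesley Brown), the following Python script runs the kind of checks described above over a constructed sample of BMS gateway log lines: write commands arriving from outside the building-systems segment (a segmentation failure), vendor-account writes outside an approved maintenance window, and a surge of writes from a single source. The VLAN range, account names, maintenance hours, thresholds and log format are all assumptions.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of BMS gateway log lines (not from the article):
# timestamp, source IP, account, action, target=value
SAMPLE_LOG = """\
2025-03-04T09:00:05 10.20.1.15 bms-operator WRITE hvac/ahu-3/setpoint=21
2025-03-04T09:00:40 10.20.1.15 bms-operator READ hvac/ahu-3/status
2025-03-04T09:01:10 172.16.40.9 tenant-wifi WRITE access/door-lobby/unlock=1
2025-03-04T09:02:00 10.20.5.2 vendor-hvac WRITE hvac/chiller-1/mode=off
2025-03-04T09:02:01 10.20.5.2 vendor-hvac WRITE hvac/chiller-2/mode=off
2025-03-04T09:02:02 10.20.5.2 vendor-hvac WRITE hvac/ahu-1/setpoint=35
2025-03-04T09:02:03 10.20.5.2 vendor-hvac WRITE hvac/ahu-2/setpoint=35
"""

BMS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")   # assumed building-systems VLAN
VENDOR_ACCOUNTS = {"vendor-hvac", "vendor-elevator"}  # assumed third-party accounts
MAINT_WINDOW = (22, 6)               # assumed approved vendor hours: 22:00 to 06:00
BURST_LIMIT, BURST_SECONDS = 3, 60   # more than 3 WRITEs per minute from one source is a surge


def parse_line(line):
    ts, src, user, action, target = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), user, action, target


def in_maintenance_window(ts):
    start, end = MAINT_WINDOW
    return ts.hour >= start or ts.hour < end


def detect_anomalies(log_text):
    """Return (timestamp, rule, detail) tuples for suspicious BMS write commands."""
    alerts = []
    recent_writes = defaultdict(deque)   # source IP -> timestamps of WRITEs in the last minute
    for line in log_text.strip().splitlines():
        ts, src, user, action, target = parse_line(line)
        if action != "WRITE":            # reads are not actuation; only writes change the building
            continue
        if src not in BMS_SEGMENT:       # a write from tenant or guest space means segmentation failed
            alerts.append((ts, "segmentation", f"{src} ({user}) wrote {target}"))
        if user in VENDOR_ACCOUNTS and not in_maintenance_window(ts):
            alerts.append((ts, "vendor-out-of-window", f"{user} wrote {target}"))
        window = recent_writes[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > BURST_SECONDS:   # drop timestamps older than a minute
            window.popleft()
        if len(window) == BURST_LIMIT + 1:   # alert once, when the threshold is first crossed
            alerts.append((ts, "write-surge", f"{src} sent {len(window)} writes in {BURST_SECONDS}s"))
    return alerts
```

On the sample above the script flags the lobby door unlock from the tenant Wi-Fi range, every daytime vendor write, and the burst of four chiller and air-handler writes in three seconds; in practice these alerts would feed the same SIEM the IT team already watches.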

Testing and Auditing. Regular penetration testing and red-teaming for BMS and IoT devices can uncover flaws before attackers do.

Incident Response. Cyber and physical teams must train together. A ransomware drill shouldn’t just test data recovery—it should include scenarios where elevators or HVAC are impacted.

Executives don’t need to be engineers. But they do need to demand that these measures are in place, tracked, and reported.

The Role of Protective Intelligence

Cyber-physical threats rarely emerge without warning. Attackers scout, test, and chatter. Protective intelligence—the monitoring of digital signals, industry chatter, and threat feeds—can provide early alerts.

  • Monitoring dark web forums for discussion of building technologies.
  • Tracking vendor vulnerabilities and zero-day exploits.
  • Identifying insider risks through anomalous access activity.

For organizations with high-value assets or executives, protective intelligence is no longer a luxury. It’s an early warning system. When combined with resilient design, it can turn a potential crisis into a manageable incident.

Why Many Organizations Aren’t Ready

Despite the risks, most organizations lag behind. The reasons are depressingly familiar:

  • Assumption and complacency. IT assumes facilities are managing it. Facilities assume IT has it covered. Neither is right.
  • Vendor dependence. Building owners assume system vendors will patch and secure devices. Many don’t.
  • Lack of regulatory clarity. Until regulators demand cyber-physical security, many firms underinvest.
  • Budget bias. Leaders see smart building technology as a capital improvement, but treat security as an optional add-on.

Insurers are beginning to change that dynamic. Cyber liability carriers increasingly demand proof of resilience before underwriting large policies. For CRE owners and portfolio managers, that shift may be the wake-up call.

The Executive Playbook: What Leaders Can Do Now

If you oversee smart buildings or portfolios, the path forward is clear:

  1. Commission a Cyber-Physical Risk Assessment. Get a comprehensive view of your building’s vulnerabilities. Don’t assume you know where the gaps are.
  2. Make IoT Security Part of Due Diligence. Before acquiring a new asset or portfolio company, assess the building’s IoT posture.
  3. Leverage Fractional CSO Services. Many firms can’t justify a full-time security executive. A fractional model ensures oversight without the cost of a six-figure hire.
  4. Train Cross-Functional Teams. Facilities and IT should not operate in silos. Blended tabletop exercises expose blind spots before attackers do.
  5. Elevate Reporting. Make cyber-physical risk a recurring item in board packets. Risk ignored is risk assumed.

Conclusion: Smarter Security for Smart Buildings

Smart buildings promise efficiency, sustainability, and convenience. But without security, they are liabilities disguised as assets.

For hackers, poorly defended IoT ecosystems are irresistible targets. For executives, the choice is clear: treat cyber-physical risk as a strategic, board-level issue—or risk financial, legal, and reputational fallout.

The organizations that thrive in 2025 and beyond will not be those with the flashiest dashboards or the greenest certifications. They will be the ones that understand that resilience is the foundation of value. In the era of smart buildings, the smartest investment is security.

At Chesley Brown, we help companies close these gaps before attackers exploit them. From cyber-physical risk assessments to protective intelligence and Fractional CSO services, our team works alongside executives to ensure smart buildings stay smart and secure.

If you’re responsible for protecting your people, your tenants, or your portfolio, now is the time to act. Let’s build resilience before the next breach defines your brand.
