Why HVAC Cybersecurity Matters More Than Most Facility Managers Realize

The 2013 Target breach — the one that cost roughly $162 million and put cybersecurity on the CFO agenda everywhere — started with the retailer’s HVAC vendor. A contractor’s credentials got stolen, those credentials had network access they shouldn’t have had, and attackers pivoted from a heating and cooling portal to forty million credit card numbers. That story is over a decade old. In the buildings I walk through today, HVAC cybersecurity is still the weakest link most facility managers have. Not because they don’t care. Because the systems quietly got more connected while everyone’s attention was elsewhere.

How HVAC became a cybersecurity problem

Commercial HVAC used to be an island. Pneumatic controls, proprietary protocols, air-gapped from everything else. A building’s heating and cooling spoke to itself and nobody else.

That era ended a long time ago. Modern building automation systems (BAS) run on IP networks. They speak BACnet or Modbus. They’re monitored remotely. Contractors log in from trucks. Energy data flows to cloud dashboards. A rooftop unit bought in 2022 often ships with a cellular modem whether anyone configured it or not. That connectivity is useful — remote diagnostics, predictive maintenance, energy optimization — and it’s also an attack surface that didn’t exist when most buildings were designed.

A modern commercial HVAC network often has more internet-facing endpoints than the corporate network sitting three floors up. Nobody in IT is watching it. That’s the gap.

Why attackers target HVAC specifically

Three reasons, all of which still hold true:

  • HVAC and BAS systems are often network-connected to the corporate LAN, either directly or through a poorly segmented VLAN. Compromising one is frequently a stepping stone to somewhere more valuable.
  • The devices themselves are rarely patched. The manufacturer may have released a firmware update in 2021, but nobody in the building has touched that controller since it was installed.
  • The vendor access model is permissive by default. Contractors get VPN credentials, often shared. Third-party support tools install remote access agents that nobody audits.

In the real incidents I’ve reviewed, attackers didn’t exploit some novel HVAC zero-day. They used ordinary phishing to steal a contractor credential, logged into the BAS portal, and walked laterally. The HVAC system wasn’t the target in the strategic sense — it was the door.

Misconceptions that keep the risk high

“Our HVAC system isn’t even connected to the internet.”

Check again. The cellular modem on the rooftop unit is connected. The building automation controller with the “energy monitoring” web interface is connected. The thermostat that integrates with your tenant app is connected. If it has an IP address, it’s connected. I’ve walked buildings where the facility manager insisted the BAS was air-gapped, and we found four separate paths to the internet inside an hour.

“Nobody would bother attacking our HVAC.”

Most HVAC compromises aren’t targeted. They’re opportunistic. Scanners find exposed BACnet devices or BAS portals, brute-force or phish their way in, and then figure out what’s useful on the other side. Your building doesn’t have to be interesting. It has to be reachable.

“That’s the vendor’s problem, not ours.”

Contractually, maybe. Practically, a breach inside your building is your incident, your tenants’ disruption, your reputational damage, and your notification obligation. Vendor contracts rarely indemnify fully for what a compromised HVAC controller can cascade into.

What facility managers should actually do

A practical HVAC cybersecurity plan doesn’t require rebuilding the building. It requires five things done well:

  1. Inventory every connected device. BAS head end, controllers, VFDs, thermostats, cellular modems, IP-connected sensors. You cannot protect what you can’t name.
  2. Segment the OT network from IT. At minimum, a dedicated VLAN with firewall rules. Better, a one-way data diode so telemetry can flow out to IT while nothing on the IT side can reach back into the BAS.
  3. Change default credentials and enforce unique, vaulted logins for every contractor. Shared logins are the single most common finding in HVAC security assessments.
  4. Patch and update on a defined cadence. Quarterly for firmware where possible. If a device can’t be patched, isolate it with extra care.
  5. Monitor. Log BAS traffic. Alert on unusual connections. A good IT partner can set this up inexpensively — many of the tools are free or bundled with platforms the building already owns.
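As an added example (not part of this article, and not a tool from any vendor or product it mentions), here is a small Python checker that applies the five points above to a constructed device inventory and a few constructed log records. The subnets, account names, firmware dates, the key=value log format and the "business hours" window are all assumptions made for the example; a building would substitute its own asset list and the flow and login logs its BAS and firewall already produce.

```python
"""
Added example, not from the original article: the five-point HVAC plan
applied to constructed data. Inventory fields, subnets, account names,
log format and business hours are assumptions chosen for this example.
"""
from datetime import date, datetime
import ipaddress
import re

# Step 1: inventory. Constructed records; "firmware_date" is the last firmware update.
INVENTORY = [
    {"name": "bas-head-end", "ip": "10.50.0.10", "firmware_date": "2024-03-01",
     "default_creds": False, "patchable": True},
    {"name": "ahu-1-controller", "ip": "10.50.0.21", "firmware_date": "2019-06-14",
     "default_creds": True, "patchable": True},
    {"name": "rtu-3-modem", "ip": "10.50.0.40", "firmware_date": "2021-03-01",
     "default_creds": False, "patchable": False},
]

# Step 2: segmentation policy (assumed subnets). The OT VLAN may reach exactly
# one IT address: the telemetry collector. Everything else OT -> IT is lateral.
OT_NET = ipaddress.ip_network("10.50.0.0/24")
IT_NET = ipaddress.ip_network("10.10.0.0/16")
ALLOWED_OT_TO_IT = {ipaddress.ip_address("10.10.5.5")}

# Step 3: credentials. Only per-person accounts are acceptable; generic names
# like these are the shared logins the article describes.
SHARED_ACCOUNT_NAMES = {"admin", "vendor", "hvac", "contractor", "service"}

# Step 4: the article's quarterly cadence, expressed in days.
PATCH_CADENCE_DAYS = 90

# Step 5: assumed window for normal contractor logins (UTC hours, inclusive start).
BUSINESS_HOURS = range(6, 20)


def inventory_findings(inventory, today):
    """Steps 1, 3 and 4: default credentials, overdue firmware, unpatchable devices."""
    findings = []
    for dev in inventory:
        age = (today - date.fromisoformat(dev["firmware_date"])).days
        if dev["default_creds"]:
            findings.append((dev["name"], "default credentials still set"))
        if dev["patchable"] and age > PATCH_CADENCE_DAYS:
            findings.append((dev["name"], f"firmware {age} days old, past cadence"))
        if not dev["patchable"]:
            findings.append((dev["name"], "cannot be patched, isolate with extra care"))
    return findings


# Constructed flow and login records in a simple key=value format (assumed).
LOG_LINES = """\
2024-05-14T09:02:31Z type=flow src=10.50.0.21 dst=10.10.5.5 dport=47808
2024-05-14T02:11:09Z type=flow src=10.50.0.21 dst=10.10.22.7 dport=445
2024-05-14T08:15:00Z type=login user=jane.doe src=198.51.100.4 result=ok
2024-05-14T22:40:00Z type=login user=vendor src=203.0.113.9 result=ok
2024-05-14T22:41:10Z type=login user=vendor src=203.0.113.77 result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' record into a dict with a parsed 'ts'."""
    m = LINE_RE.match(line)
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    rec["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return rec


def traffic_alerts(log_text):
    """Step 5: OT->IT flows outside the allowlist, shared, off-hours and multi-source logins."""
    alerts = []
    login_sources = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["type"] == "flow":
            src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
            if src in OT_NET and dst in IT_NET and dst not in ALLOWED_OT_TO_IT:
                alerts.append(("lateral", f"{src} -> {dst}:{rec['dport']}"))
        elif rec["type"] == "login" and rec["result"] == "ok":
            user = rec["user"]
            if user in SHARED_ACCOUNT_NAMES:
                alerts.append(("shared-account", f"{user} from {rec['src']}"))
            if rec["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("off-hours", f"{user} at {rec['ts'].isoformat()}"))
            login_sources.setdefault(user, set()).add(rec["src"])
    # One account seen from several source addresses is the usual sign of a shared login.
    for user, srcs in login_sources.items():
        if len(srcs) > 1:
            alerts.append(("multi-source", f"{user} from {len(srcs)} addresses"))
    return alerts


if __name__ == "__main__":
    for name, issue in inventory_findings(INVENTORY, date(2024, 5, 14)):
        print(f"INVENTORY {name}: {issue}")
    for kind, detail in traffic_alerts(LOG_LINES):
        print(f"ALERT {kind}: {detail}")
```

Run against the constructed data, the inventory pass flags the controller twice (default credentials, firmware five years old) and the modem once (unpatchable, so it needs isolation rather than a patch date), and the log pass raises one lateral alert for the controller reaching an IT host on port 445 plus a cluster of alerts around the shared "vendor" account logging in late at night from two different addresses. The design point is that none of this needs a new product: an inventory spreadsheet, the firewall's existing flow log and the BAS portal's login log are enough inputs for these rules.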

Who owns this problem?

Organizationally, HVAC cybersecurity falls in a crack. Facility managers don’t think of it as their job. IT doesn’t know the BAS exists. The HVAC contractor assumes someone else is watching. The outcome is predictable: nobody owns it until something goes wrong.

The fix is simple but requires intent. Assign an owner — usually a joint IT/facilities responsibility — put the BAS into your asset inventory, and treat HVAC cybersecurity like the operational risk it is. The Target breach is over ten years old. The lesson is still sitting on the rooftop.