I Can Hack Your Building. Stop Me.

We estimate that there are currently 900,000 buildings and facilities in the US (conservatively) employing some kind of OT network managed by a BMS. But there’s a good chance many of them have exposed building controllers, security cameras and access control systems that any entry level hacker can get into. 

Today, there are lots of companies marketing cyber security solutions specific to OT network vendors, system integrators, and facilities managers. 

But why? Why are OT networks suddenly in the security spotlight? Understanding how to secure OT networks in smart buildings is more important than ever.

Turns out, they always should have been. OT networks have spent years sitting largely exposed to the internet at large, relying on the fact that no one knew they were there. Those days are long gone, and OT networks now represent one of the most vulnerable points for malicious actors to breach your networks.

But before you start shelling out dollars and contracts for solutions, let’s establish an understanding of the situation, what it is that makes the OT network vulnerable, and what options are available (full segmentation, full convergence, or a balance of the two) to get to a better security stance.

Motivations: Why Attack an OT Network?

Editor’s Note: I think it’s fair to say that many modern OT networks that work within IT systems are getting better at security coverage. As time has progressed, internal and external teams have become more aware of the risks, and built more integrated teams consisting of those with OT automation experience and those with ITsec skills (like the team at Dartmouth College). 

Weak Security Infrastructure

OT networks often have legacy devices with outdated or non-existent security protocols and poor processing resources, making them significantly easier to penetrate compared to modern IT networks. This highlights the urgent need to learn how to secure OT networks in smart buildings effectively.

Many OT control systems were designed decades ago without contemporary cybersecurity considerations, presenting attractive vulnerabilities for attackers.

In 2018, Fred Gordy, then Director of Cybersecurity at Intelligent Buildings, spoke with Optigo Networks Co-Founder and CTO, Ping-Pook Yao, about how all it takes is access to one device to potentially gain access to the whole network. “We’ve moved past the 90s and 2000s, the days of security through obscurity,” Fred explains. “In our efforts to make things more convenient and efficient, we exposed devices, like BBMDs, to the internet. Devices with no security whatsoever—not even a password. And every device below it is exposed now.”

In our webinar, Fred showed us, with just a simple IoT search engine and free BACnet scanning software, how easy it is to get from a network segment considered lower-risk, like your HVAC controllers, into a high-security data center using a BBMD. “Access for the bad guy to the corporate network is the control system because he knows it’s not that well protected.”
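As an added example (not code from the webinar or from Optigo), the Python below shows the defender’s side of the BBMD point above: it parses the BVLC header of BACnet/IP datagrams and raises an alert when a foreign-device registration or a broadcast-distribution-table read or write reaches a BBMD from an address outside an assumed vendor allowlist. The subnet, source addresses and packet bytes are constructed for illustration.

```python
import ipaddress
import struct

BVLC_TYPE = 0x81  # every BACnet/IP datagram starts with this type byte
BVLC_FUNCTIONS = {
    0x01: "Write-Broadcast-Distribution-Table",
    0x02: "Read-Broadcast-Distribution-Table",
    0x05: "Register-Foreign-Device",
    0x0A: "Original-Unicast-NPDU",
    0x0B: "Original-Broadcast-NPDU",
}
# BDT reads/writes and foreign-device registration: only a peer BBMD or a vendor host should send these.
PRIVILEGED = {0x01, 0x02, 0x05}

def parse_bvlc(payload: bytes) -> dict:
    """Split a BACnet/IP datagram into its BVLC function and body."""
    if len(payload) < 4 or payload[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP (BVLC) datagram")
    func, length = struct.unpack("!BH", payload[1:4])
    if length != len(payload):
        raise ValueError("BVLC length field does not match datagram size")
    return {"function": func, "name": BVLC_FUNCTIONS.get(func, "unknown"), "body": payload[4:]}

def check_datagram(src_ip: str, payload: bytes, allowed_nets):
    """Return an alert string when a privileged BVLC function comes from outside allowed_nets, else None."""
    msg = parse_bvlc(payload)
    if msg["function"] not in PRIVILEGED:
        return None  # ordinary Who-Is / ReadProperty traffic is not a BBMD change
    if any(ipaddress.ip_address(src_ip) in net for net in allowed_nets):
        return None
    detail = ""
    if msg["function"] == 0x05 and len(msg["body"]) >= 2:
        detail = f" (requested TTL {struct.unpack('!H', msg['body'][:2])[0]} s)"
    return f"{src_ip} sent {msg['name']}{detail} to the BBMD from outside the vendor allowlist"

def scan(samples, allowed_nets):
    """Run check_datagram over (src_ip, payload) pairs and keep only the alerts."""
    return [a for a in (check_datagram(ip, p, allowed_nets) for ip, p in samples) if a]

# Constructed samples for this added example (not Optigo code): an assumed vendor subnet,
# a Who-Is broadcast from an HVAC controller, and a registration arriving from a public address.
ALLOWED = [ipaddress.ip_network("10.20.0.0/16")]
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")  # Original-Broadcast-NPDU + Who-Is APDU
REGISTER_FD = bytes.fromhex("81050006003c")          # Register-Foreign-Device, TTL 60 s
SAMPLES = [("10.20.5.7", WHO_IS), ("203.0.113.9", REGISTER_FD)]

if __name__ == "__main__":
    for alert in scan(SAMPLES, ALLOWED):
        print("ALERT:", alert)
```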

Fun fact: before our webinar, Fred was able to ID 42 million IoT devices in the US, and a total of 500+ million worldwide. By 2025, that total number has grown to over 19 BILLION. The potential for vulnerable access points is only growing.

There has also traditionally been a lag in cybersecurity coverage of OT-connected systems, and that’s led to additional advantages for bad actors, including:

Lower Detection Probability 

On their own, OT networks typically have less sophisticated monitoring and intrusion detection compared to IT networks. This reduced visibility makes it easier for attackers to maintain persistent access and move laterally within the system without immediate detection, allowing for prolonged and strategic exploitation. “243. That’s the average number of days it takes before someone discovers they’ve been hit,” Fred points out.

Limited Cybersecurity Expertise

Many organizations managing OT networks lack specialized cybersecurity personnel who understand the unique architectural and technological nuances of BAS systems. This skills gap creates additional opportunities for sophisticated attackers to exploit complex network configurations.

OT Network Attacks Have Real-World Consequences

Unlike cyber attacks targeting digital domains, breaching OT networks allows attackers to potentially cause physical damage or dangerous operational scenarios. For instance, manipulating industrial machinery could lead to equipment destruction, safety system failures, or even potential human injury risks.

  • Critical Infrastructure Disruption: By breaching OT networks in sectors like healthcare, data centers, pharma manufacturing, energy, or utilities, malicious actors can cause widespread operational disruptions. Attacking power grids, manufacturing control systems, or water treatment facilities can create massive economic damage, potentially causing regional or national-level infrastructure paralysis.
  • High-Value Targeting: Successful breaches in OT networks can also result in significant financial extortion opportunities through ransomware, industrial espionage, or direct monetary demands. 

To Separate or Converge?

When considering how to secure OT networks in smart buildings, organizations face a crucial decision: should they segment IT and OT networks, physically or virtually, for maximum security, or converge them for better efficiency and oversight? Each approach has its advantages and drawbacks, making it essential to carefully weigh the pros and cons before deciding on the best strategy.

Dan Massimo, Director of Network and Cloud Architecture at Yale University, spoke with the Heavy Networking Podcast and discussed their experience with a fully segmented approach, and how they’ve collaborated with facilities to land on a new way forward.

The Case for Full Segmentation 

Segmentation offers one route to enhanced security by isolating OT systems from IT networks. This separation works in both directions: it prevents cyber threats in the IT environment from compromising critical industrial infrastructure, and makes it virtually impossible for a hacker to use OT network devices as a backdoor to the larger corporate network.

Many cybersecurity standards and regulations, such as NIST guidance, IEC 62443, and NERC CIP, mandate or recommend network segmentation as a best practice. From a security management perspective, segmentation allows IT and OT teams to implement tailored security measures specific to their environments.

Despite its benefits, strict segmentation also presents some challenges. These include delayed real-time data exchange, more complex integrations, and increased overhead costs due to duplicate infrastructure and the need for specialized personnel.

Dan Massimo discussed Yale’s experience with a fully segmented approach. In short, they found it doubled their workload, making it unsustainable. “We did operate an OT network that was completely separate… and it was airgapped and [IT] network engineering did the stand up. [But] it was twice the management to maintain it, twice everything. Now, if you had 60 people on your team, you could probably handle [Yale’s] 300 buildings. But, you know, teams are not that big, so they have to make do with what they can.”

Check out Dan’s full interview here (lots of IT nerdiness ahead!)

What About Full Convergence?

A converged IT/OT network enables nearly seamless data integration between both environments, enabling real-time insights, predictive analytics, and enhanced operational efficiency. It also simplifies infrastructure, reduces hardware costs, and improves resource allocation. 

But a single, integrated network creates a larger attack surface, making it easier for a security breach to spread across both IT and OT environments. For example, a fully converged OT network allows movement across segments with minimal resistance; BBMDs facilitate this, and the same paths can be exploited by attackers.

Regulatory compliance may also preclude a converged network as an option, as many industries require strict separation between business and operational networks.

The Yale OT Solution? Virtual Convergence

When exploring practical strategies for securing OT networks in smart buildings, Dan found that the best solution for Yale so far has been to work alongside the facilities team, letting them operate and maintain the segments of the network that oversee OT, while enforcing stricter access for vendors through software-defined access (SD-Access) and VLANs. “One of the nice things the SD-Access brings to us is now all those are converged onto a single physical platform, but they’re all virtual networks on top. So the OT network does have a separate virtual network. Yeah, that’s their own thing. And then within that virtual network we have separate subnets, in the same virtual network for the different vendors.”

“So our OT network on SD-Access is secured” he detailed. “The only way in and out is through a firewall. There’s no servers that we’re putting on that network. It’s just the IoT devices. And then when the technician needs to come in and maybe manually do some troubleshooting, they’re on a laptop somewhere, and we use Cisco AnyConnect to validate who they are, and force two-factor authentication. But otherwise you’re not getting into that network unless you have physical access. It does create a little bit of a little mini firewall without being a firewall. A break point.”

Want to know about leveraging VLANs on your OT network? We’ve got you covered.

What Can You Do Right Now, For Free?

If you’re wondering how to secure OT networks in smart buildings without a big budget, here are some practical steps you can take immediately. Securing your OT network should be a collaborative effort between the facilities team, who need access to the network, and the IT team responsible for keeping the entire network secure from threats. But not all of us have access to either the teams or the budgets to make this a major project. So what can you do?

Fred and Ping both agreed that there are a number of steps you can take with little to no money and effort that can have some big returns:

  1. Know what’s on your network right now. Even if that means taking a walk with a clipboard, you can’t protect what you can’t identify. Creating an up-to-date asset inventory is the starting point to defining the security needs of your OT network (aka building a risk assessment and management plan).
  2. Audit your users. Only admins should have admin access. Review who has access to your systems, and at what level, and adjust as needed. Scrub old accounts that have been deactivated, and audit your logs.
  3. Get firewalls in place ASAP. Software defined firewalls can be had for low costs these days, and should be considered table stakes for establishing any kind of external security posture.
  4. Don’t forget the physical side of security. Can anyone just walk in and access your BMS servers? Have you forced password updates lately? Preventing physical access to control systems can be equally important to security, and potentially an easy fix.
  5. Train up. If you’re a systems integrator or vendor, make sure you have at least one team member that understands security and can coach the customer.
  6. Create a response plan now, not after you get hit. There’s no shortage of guidance on how to create one online.

How to Help Secure Your OT Network with OptigoVN

For those looking for tools to help secure OT networks in smart buildings, a strong cybersecurity posture starts with visibility, and OptigoVN provides exactly that for your OT network. With continuous monitoring, OptigoVN instantly detects anomalies, identifying traffic patterns or behaviors that fall outside expected trends. Whether it’s an unusual spike in broadcast traffic or unexpected communication between devices, real-time alerts help you act before small issues escalate into serious security threats.

Maintaining an up-to-date asset inventory is another critical component of OT security, and OptigoVN ensures you always know what’s on your network. Unidentified devices can be a major vulnerability, whether they result from unauthorized access, misconfigurations, or even rogue equipment that was never properly documented. With OptigoVN’s continuous asset tracking, you can quickly spot unknown devices and address them before they pose a risk. 
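To make concrete what the monitoring described in the two paragraphs above does (an added example, not OptigoVN’s own code), here is a minimal baseline-and-alert routine over constructed flow records: it flags devices missing from the asset inventory, device pairs that never talked during the baseline window, and broadcast spikes against the baseline rate. The inventory, addresses, flows and the 5x spike threshold are all constructed assumptions.

```python
from collections import Counter

BROADCAST = "255.255.255.255"

def build_baseline(flows):
    """Learn normal device pairs and the mean broadcast rate from (minute, src, dst, is_bcast) records."""
    pairs = {(s, d) for _, s, d, b in flows if not b}
    minutes = max(m for m, *_ in flows) + 1
    bcast_total = sum(1 for *_, b in flows if b)
    return {"pairs": pairs, "bcast_per_min": bcast_total / minutes}

def detect(flows, baseline, inventory, spike_factor=5.0):
    """Return alerts for unknown devices, never-seen device pairs and broadcast spikes."""
    alerts, unknown = [], set()
    for m, s, d, b in flows:
        for ip in (s, d):
            if ip != BROADCAST and ip not in inventory and ip not in unknown:
                unknown.add(ip)
                alerts.append(f"unknown device {ip}: not in the asset inventory")
        if not b and (s, d) not in baseline["pairs"]:
            alerts.append(f"unexpected communication {s} -> {d} (never seen in baseline)")
    per_min = Counter(m for m, *_, b in flows if b)
    for m, n in sorted(per_min.items()):
        if n > spike_factor * baseline["bcast_per_min"]:
            alerts.append(f"broadcast spike in minute {m}: {n} vs baseline "
                          f"{baseline['bcast_per_min']:.1f}/min")
    return alerts

# Constructed data for this added example (not OptigoVN code): the inventory from a
# clipboard walk, one quiet baseline hour, then a noisy two-minute window.
INVENTORY = {"10.20.1.10": "AHU-1 controller", "10.20.1.11": "AHU-2 controller",
             "10.20.1.50": "BMS server", "10.20.2.20": "BBMD"}
BASELINE_FLOWS = [(m, s, d, b) for m in range(60) for s, d, b in [
    ("10.20.1.50", "10.20.1.10", False),
    ("10.20.1.50", "10.20.1.11", False),
    ("10.20.1.10", BROADCAST, True),
]]
CURRENT_FLOWS = [
    (0, "10.20.1.50", "10.20.1.10", False),   # normal polling
    (0, "10.20.1.99", "10.20.1.50", False),   # device nobody inventoried
    (0, "10.20.1.11", "10.20.2.20", False),   # controller talking to the BBMD for the first time
] + [(1, "10.20.1.10", BROADCAST, True)] * 40  # 40 broadcasts in one minute

if __name__ == "__main__":
    for alert in detect(CURRENT_FLOWS, build_baseline(BASELINE_FLOWS), INVENTORY):
        print("ALERT:", alert)
```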

Additionally, detailed logs and historical trends provide the data needed to recognize concerning patterns over time, allowing you to proactively address potential threats before they compromise your network. By providing deep network insight, OptigoVN helps secure your OT infrastructure, ensuring that vulnerabilities don’t go undetected.

Want to see what OptigoVN can do for you? There’s never been a better time to start with the industry’s most powerful OT network diagnostic tool. Sign up for free today or contact us to schedule a personalized demo and see how our platform can empower your team.


FAQ: How to Secure OT Networks in Smart Buildings

1. Why are OT networks suddenly in the cybersecurity spotlight?

OT networks have historically relied on “security through obscurity,” assuming that because they weren’t widely known, they weren’t at risk. However, the landscape has changed—attackers now actively seek out vulnerabilities in OT systems, making them prime targets. With more buildings integrating IT and OT networks, these systems need robust security to prevent breaches.

2. What makes OT networks so vulnerable? 

Several factors contribute to OT network vulnerabilities:

  • Legacy devices: Many OT systems were designed decades ago without modern cybersecurity protections.
  • Lack of monitoring: OT networks often lack sophisticated intrusion detection systems.
  • Poor access control: Devices like BBMDs can be exposed to the internet without proper security.
  • Limited cybersecurity expertise: Many facilities teams lack dedicated security professionals trained in OT threats.

3. What are the real-world risks of an OT network attack? 

Unlike IT cyberattacks that target data, OT network breaches can have physical consequences, such as:

  • Critical infrastructure disruption: Attacks on power grids, data centers, or manufacturing systems can halt operations.
  • Ransomware and extortion: Attackers may lock down systems, demanding payment to restore access.
  • Safety risks: Unauthorized control of HVAC, fire suppression, or access control systems can endanger people and property.

4. Should OT networks be fully segmented from IT networks? 

Full segmentation enhances security by isolating OT systems, making it harder for cyber threats to spread. It also aligns with best practices outlined in regulations like NIST and IEC 62443. However, strict segmentation can create inefficiencies, increase management complexity, and require more personnel to maintain separate networks.

5. What are the risks of full IT/OT convergence? 

While convergence improves operational efficiency and data integration, it also expands the attack surface. A single security breach could compromise both IT and OT environments, and compliance requirements may prohibit convergence in certain industries.

6. What is a middle-ground approach to IT/OT security? 

Some organizations, like Yale University, have adopted a virtual convergence model. This approach keeps OT networks isolated within a software-defined environment while maintaining strict access controls. VLANs, firewalls, and multi-factor authentication ensure that only authorized personnel can interact with OT systems.

7. What can I do right now to improve OT security for free?

  • Identify what’s on your network: Conduct an asset inventory to understand potential vulnerabilities.
  • Audit user access: Ensure only necessary personnel have admin privileges and remove outdated accounts.
  • Implement firewalls: Even low-cost, software-defined firewalls provide essential protection.
  • Enhance physical security: Restrict physical access to OT network devices and enforce strong password policies.
  • Provide security training: Educate staff and vendors on best practices for securing OT systems.
  • Create a response plan: Establish an incident response plan before a breach occurs.

8. How does OptigoVN help improve OT security? 

OptigoVN enhances OT security through:

  • Continuous network monitoring: Detects anomalies and unusual traffic patterns.
  • Real-time alerts: Provides instant notifications about potential threats.
  • Asset tracking: Ensures visibility into all connected devices, reducing the risk of undetected intrusions.
  • Historical data analysis: Helps identify trends and potential vulnerabilities before they become major issues.

By improving visibility and control over OT networks, OptigoVN helps organizations proactively secure their infrastructure and prevent cyber threats before they escalate.

*FAQs are created with the aid of generative AI
