WHAT IS OT CYBERSECURITY?

^{Operational Technology refers to the hardware and software that monitors and controls physical equipment—in a building context, this includes:}

^{• Building Management Systems (BMS)}

^{• Access Control Systems (ACS)}

^{• CCTV and Video Management Systems}

^{• Lighting Control Systems}

^{• Lift and Vertical Transportation Systems}

^{• Energy Metering and Sub-metering}

^{• Integration Platforms and Smart Building Software}

^{Unlike traditional IT systems (laptops, servers, business applications), OT systems control physical processes. A compromised BMS could disable heating or cooling. A breached access control system could lock—or unlock—every door in a building. A ransomware attack on a lift system could halt vertical transportation across an entire tower.}

^{OT cybersecurity is about protecting these systems from unauthorised access, disruption, and manipulation.}

Why Are Buildings Being Targeted?

^{Several factors make buildings attractive targets:}

^{1. Increased Connectivity Modern buildings connect dozens of systems to IP networks. Many now offer remote access for vendors, cloud-based analytics platforms, and integration with tenant systems. Every connection is a potential entry point.}

^{2. Legacy Systems Many building systems were designed before cybersecurity was a concern. Controllers running outdated operating systems, default passwords never changed, and unencrypted communications are common—even in premium assets.}

^{3. Fragmented Responsibility Building technology often falls between IT and Facilities Management, with neither team taking full ownership. Security gaps emerge when no one is clearly accountable.}

^{4. High Impact, Low Profile A cyber attack on a building may not make headlines, but it can cause significant operational disruption, tenant dissatisfaction, safety risks, and reputational damage. Attackers know this—and know that many owners will pay to make the problem go away quietly.}

^{5. Supply Chain Exposure Buildings rely on multiple vendors for system maintenance. Each vendor with remote access is a potential vector. If a contractor's credentials are compromised, attackers can move laterally into building systems.}

Real-World Incidents

^{Cyber attacks on building systems aren't theoretical. Examples include:
‍}

^{• Ransomware on BMS: A European building owner had their BMS encrypted, disabling HVAC control during a heatwave. Operations were restored only after paying a ransom.}

^{• Access Control Breach: An attacker exploited default credentials on an access control system, gaining the ability to unlock doors remotely across multiple sites.}

^{• CCTV Botnet: Thousands of networked CCTV cameras with weak security were compromised and used as part of a distributed denial-of-service (DDoS) attack.}

^{• Vendor Compromise: Attackers breached a facilities management contractor's systems and used their VPN credentials to access building networks across a national portfolio.}

^{These incidents highlight a consistent theme: attackers exploit weak credentials, unpatched systems, and poorly segmented networks.}

Where to Start

^{For property owners who haven't yet addressed OT cybersecurity, the path forward can seem daunting. Here's a practical starting point:}

^{Step 1: Understand What You Have Conduct an inventory of all networked building systems. Identify who has access—both internal teams and external vendors.}

^{Step 2: Assess Current State Evaluate existing security controls against a recognised framework. Identify gaps and prioritise based on risk.}

^{Step 3: Address Quick Wins Some improvements are low cost and high impact:}

^{• Change default passwords}

^{• Disable unnecessary remote access}

^{• Enable MFA where available}

^{• Review and revoke unused vendor credentials}

^{Step 4: Develop a Roadmap Create a prioritised plan to address remaining gaps. This might include network segmentation, new remote access platforms, or upgraded systems.}

^{Step 5: Embed Ongoing Governance Cybersecurity isn't a one-time project. Establish clear responsibilities, regular reviews, and processes for managing change.}

The Role of Advisory Support

^{OT cybersecurity sits at the intersection of building technology, network infrastructure, and security expertise. Few property owners have all three capabilities in-house.}

^{An experienced advisor can help by:}

^{• Conducting independent assessments without vendor bias}

^{• Developing frameworks and policies tailored to building environments}

^{• Specifying security requirements for new projects and upgrades}

^{• Supporting vendor negotiations and contract reviews}

^{• Providing ongoing governance and review support}

^{At Datafied, we've supported some of Australia's leading property owners develop and implement OT cyber security frameworks across commercial office and retail portfolios. Our approach is practical, aligned to recognised standards, and designed for building environments—not generic IT solutions.}