Cybersecurity in Smart Buildings: A New Risk for Contractors.
Smart buildings offer a growing number of conveniences for building owners—and a raft of potential risks for contractors.

David Spivey

Last Updated: 5/26/26
Smart buildings promise better comfort and lower energy use. They make it easier to see equipment performance and speed up troubleshooting.
In a smart building, controls are easier to access, and there’s smoother automation throughout HVAC, lighting, cameras, and building management systems.
But there are also risks that contractors and tradespeople are only beginning to encounter.
The problem is that, in many projects, all the participants regard cybersecurity as someone else’s department. The owner assumes it’s the IT team’s responsibility. The controls contractor believes that the manufacturer has taken care of it. The service company thinks the network vendor has it covered.
In reality, however, risk in connected buildings is distributed across physical systems, software, remote access, and operational technology. And when responsibility gets murky, the risks grow greater.
Smart buildings and the OT threat.
A connected HVAC controller or building management system is more than mechanical infrastructure with a screen attached. It’s part of operational technology (OT). The U.S. National Institute of Standards and Technology (NIST) defines OT as programmable systems and devices that interact with the physical environment—which includes building automation and physical access control systems.
NIST explains that OT security has to account for performance, reliability, and safety requirements that differ from traditional IT. The threat becomes immediately apparent when you consider the number of devices in a smart building that can affect doors, air handling, temperature, cameras, alarms and energy loads.
A cybersecurity breach can quickly escalate from a data issue to a problem that threatens operations, business continuity, or even personal safety.
Contractors are closer to the risk than many realize.
At this very moment, a contractor working on connected HVAC, access control, cameras, lighting, or a building automation system (BAS) integration may be making choices that affect cyber risk—even if cybersecurity isn’t in the contract language. Default passwords, remote access settings, exposed ports, network assumptions, vendor account permissions, and update practices all determine how secure the finished building really is.
The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) states that securing BAS is a critical aspect of building design—and that owners, network designers, contractors, and suppliers all have to account for both physical and logical security.
That’s a seismic shift for many service businesses. The contractor is no longer judged only on whether the system works, but also on whether their particular specialty is the weak link that makes the system vulnerable.
Internet exposure is the shortest route to trouble.
A great deal of OT cyber guidance focuses on one issue: systems that should never be directly exposed to the public internet still show up on the public internet.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is very blunt about this. Its guidance states that critical infrastructure operators face heightened risks from internet-exposed systems, and urges them to reduce exposure to the public internet. CISA also stresses that secure connectivity has to be deliberate, segmented, and controlled.
For example, a controller, camera, or BAS front end that can be reached in the wrong way can become an entry point. A recent CISA advisory states firmly that building automation systems in general should not be directly accessible from untrusted networks, especially the internet, and require defense-in-depth.
That’s a whole new world for many contractors. And it means “it works remotely” is no longer a sufficient test of success.
Asset visibility is now a basic requirement.
One of the hardest parts of smart building cybersecurity is knowing what’s actually installed, connected, and reachable.
CISA calls a complete and accurate OT asset inventory the essential first step toward a defensible architecture and more resilient operations. It also notes that OT systems are increasingly connected to business operations and applications, which creates new openings for cyberattacks unless those connections are assembled and integrated securely.
At this point, responsibility falls on building contractors and service firms. In a smart building, documentation matters as much as installation quality. If no one keeps a detailed record of controllers, gateways, cameras, access panels, remote accounts, firmware versions, and network dependencies, the building owner will be vulnerable from day one.
And a smart building with weak asset visibility is harder to secure, harder to update, and harder to recover when something goes wrong.
Convenience can open attack paths.
The market demands ever more connectivity.
Remote diagnostics help technicians. Cloud dashboards help owners. Mobile access helps facility teams. Integrated platforms promise smoother building operations. CISA’s 2026 joint guidance on OT zero trust notes that organizations face growing business and regulatory pressure for increased connectivity into OT networks.
That convenience, however, comes with significant tradeoffs. Every remote connection, vendor portal, integrator account, and bridge between IT and OT requires a new decision about trust, access, and segmentation. In a smart building, those decisions often get made during construction or service work—long before a cyber breach reveals whether those decisions were good ones.
Contractors don’t have to become cybersecurity firms, but …
Contractors do need to recognize that connected building work now carries cyber responsibilities. At minimum, that means:
avoiding internet exposure by default
thoroughly documenting assets
coordinating with the building owner’s IT or security team
limiting remote access
changing default credentials
understanding which systems are operationally sensitive
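The checklist above is easy to state and easy to lose track of on a real job. As an added example (not from the original post), the script below audits a constructed device inventory against it: each record's field names, the sample devices, the documented OT subnet and the "admin" account check are assumptions for illustration, not a vendor format.

```python
"""Audit a constructed smart-building asset inventory against the contractor
checklist: no internet exposure, documented firmware, limited remote access,
no default credentials, no shared admin accounts. All data here is made up."""
import ipaddress

# Assumption: the owner's IT team documented this range as the segmented OT network.
DOCUMENTED_OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample inventory: one record per installed device.
# 203.0.113.25 is an RFC 5737 documentation address standing in for a public one.
INVENTORY = [
    {"id": "ahu-1", "type": "HVAC controller", "ip": "10.20.5.11",
     "firmware": "4.2.1", "default_creds": False, "remote_access": "vpn",
     "accounts": ["facilities", "vendor-svc"]},
    {"id": "bas-front-end", "type": "BAS web UI", "ip": "203.0.113.25",
     "firmware": "", "default_creds": True, "remote_access": "direct",
     "accounts": ["admin"]},
    {"id": "cam-lobby", "type": "camera", "ip": "10.20.9.40",
     "firmware": "1.9.0", "default_creds": False, "remote_access": "none",
     "accounts": []},
]


def audit_device(dev):
    """Return the list of findings for one device; an empty list means it passes."""
    findings = []
    ip = ipaddress.ip_address(dev["ip"])
    # Anything outside the documented OT segment is unexplained exposure.
    if not any(ip in net for net in DOCUMENTED_OT_NETWORKS):
        findings.append("address outside documented OT segment")
    if dev["default_creds"]:
        findings.append("default credentials unchanged")
    if dev["remote_access"] == "direct":
        findings.append("direct remote access (no VPN or segmentation)")
    if not dev["firmware"]:
        findings.append("firmware version undocumented")
    if "admin" in dev["accounts"]:
        findings.append("shared 'admin' account present")
    return findings


def audit_inventory(inventory):
    """Map device id -> findings, listing only devices with at least one finding."""
    return {d["id"]: f for d in inventory if (f := audit_device(d))}


if __name__ == "__main__":
    for dev_id, problems in audit_inventory(INVENTORY).items():
        print(dev_id)
        for p in problems:
            print("  -", p)
```

Run against the sample data, only the BAS front end is reported, with all five findings; extend the record fields to whatever the handover documentation actually captures.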
NIST’s OT guidance emphasizes that OT security requires different risk management choices than traditional IT because availability, reliability, and safety often take priority. And as contractors work with the physical systems that keep the building running, they’ll bear even more responsibility as the smart-building market grows.