Skip to content

For Immediate Service:

800-864-7717
    July 7, 2026

    Is Your Building Automation System a Cyber Target?

    Building automation used to be simple and mostly standalone: local controllers, limited integration, and little to no connection to the outside world. Today, your building automation system (BAS) almost certainly talks to your corporate network, cloud platforms and a handful of vendor tools you may not even have any visibility into. The moment your system extends outside your facility, it becomes a target for cyberattacks. Many facilities are highly exposed to these threats and may also rely on older, harder-to-secure systems that require investment and a well-segmented architecture with modern security controls.

    Industry research from Claroty has found that a majority of building automation systems contain known vulnerabilities, with a small but significant portion of critical devices considered high risk. For facility owners and managers, those findings underscore a growing concern: An unsecured or improperly maintained BAS can become an unexpected entry point for cyberattacks.

    In Dallas, a premier office tower experienced firsthand how vulnerable legacy building systems can be. After repeated ransomware incidents disrupted operations, the owner turned to the expertise of TD Controls to help secure and modernize its building automation system. Their experience highlights how quickly an overlooked BAS can become a serious business risk, and what it takes to fix it.

     

    Why BAS Cybersecurity Should Be on Your Radar

    Today’s building automation systems manage far more than basic HVAC controls. A modern BAS may oversee HVAC equipment, lighting systems, access control, building entry security and, in some cases, water, fire and life safety systems. Many platforms also integrate with occupancy sensors, demand response tools and energy analytics platforms to support sustainability and operational efficiency goals.

    Because these systems are networked and often remotely accessible, they can be targeted by cybercriminals. A successful attack may result in system downtime, disrupted tenant operations, safety concerns and reputational damage. In critical facilities, outages can even halt production.

    Older systems face the greatest risk. Many legacy BAS platforms were installed before internet connectivity and modern cybersecurity practices were standard. They often lack modern encryption, strong authentication and proper separation between business and OT networks. When manufacturers no longer support these systems, security patches and updates stop, leaving known vulnerabilities exposed.

     

    Case Study: Securing a Dallas Office Tower

    Before its upgrade, a luxury Dallas office tower relied on a legacy building automation system connected to an open, shared business operations network where day-to-day business is conducted (Email, file sharing, internet access, etc.). The BAS environment included improperly configured firewalls, limited network segmentation, outdated firmware and unsecured remote access tools that increased exposure.

    The system was compromised and shut down through a ransomware attack. Although the original controls contractor replaced the server and restored temporary functionality, the underlying security issues remained, and the building was attacked again.

    TD’s Controls team was engaged to deliver a long-term solution. The team began with a detailed cybersecurity risk assessment and coordinated closely with the customer’s IT staff. Key steps included:

    • Implementing clear segmentation between business and OT networks to protect controller-level functionality.
    • Installing a new BAS server with a properly configured firewall.
    • Replacing unsupported, at-risk controllers with secure, “out-of-the-box” modern hardware.
    • Establishing hardened, secure remote access methods instead of open remote boxes.
    • Training facility staff on BAS cybersecurity best practices and credential management.

    Beyond improving security, TD’s team optimized the HVAC system using current industry standards, improving performance and helping the owner recover costs associated with system disruptions. The upgraded system provided stronger protection, better visibility and greater confidence in daily operations.

     

    Five Signs Your BAS Might Be Vulnerable
    1. Outdated firmware or unsupported devices.
      • Legacy controllers often run firmware with known bugs and security gaps. Without updates, these devices remain exposed and can limit future system improvements.
    2. Weak security protections.
      • Attackers don't need sophisticated exploits when default passwords are still in use or when remote access runs without multi-factor authentication and encryption. These are some of the easiest ways for attackers to gain access.
    3. No segmentation between your business operations and OT networks.
      • When BAS traffic shares the same network as business systems, a breach on the business operations side can impact controller programming and equipment operation.
    4. Infrequent cybersecurity assessments or audits.
      • Without regular reviews, risky configurations, outdated software and improper user access often go unnoticed until an incident occurs.
    5. No qualified partner supporting your building systems.
      • Many BAS environments are maintained by teams that lack the necessary skill sets rather than by a partner with current cybersecurity expertise. Without a qualified controls provider who understands both the operational side of your building and modern OT security practices, vulnerabilities go unidentified and unaddressed.

     

    How TDIndustries Controls Can Help

    TD’s Controls team approaches BAS cybersecurity with a practical mindset: Keep facilities running securely while upgrading systems in a thoughtful, phased manner. Services include cybersecurity assessments, system upgrades and integrations, secure network design, system hardening and staff training.

    The Dallas office tower project reflects TD Controls’ broader approach – combining security, system optimizations and long-term value to support both operational reliability and return on investment.

     

    BAS Cybersecurity Quick Checklist

    Update firmware regularly

     Ensure strong passwords, MFA and encryption

    Segment OT from business operations networks

    Schedule routine cybersecurity audits

    Maintain the right skill sets and partnerships

     

    Take a Proactive Approach

    Cyber threats targeting building automation systems are becoming more common as buildings grow more connected. Addressing vulnerabilities early can prevent costly disruptions and protect both occupants and operations.

    Facility owners who want to understand their risk – and their options – can start with a professional BAS cybersecurity assessment. TD’s Controls team helps organizations take proactive steps to secure their systems today and prepare for what’s next. 

    LET'S WORK TOGETHER

     


    Your Partner for Smarter, Connected Facilities

    TDIndustries delivers building operations and maintenance services that keep BAS, HVAC, plumbing, electrical and other critical systems running reliably while aligning with your budget and performance goals. With integrated expertise in mechanical construction, building maintenance, facilities management and building automation, TD provides the expertise to make your BAS a long-term operational asset.

    Lance Jackson

    Lance Jackson is a Senior Software Applications Specialist with TDIndustries’ Controls team and has more than 19 years of experience in the controls and electrical industry, including more than 13 years with TDIndustries. Throughout his career, Lance has held a variety of roles across electrical operations, controls...

    More from the Blog