Building automation used to be simple and mostly standalone: local controllers, limited integration, and little to no connection to the outside world. Today, your building automation system (BAS) almost certainly talks to your corporate network, cloud platforms and a handful of vendor tools you may not even have any visibility into. The moment your system extends outside your facility, it becomes a target for cyberattacks. Many facilities are highly exposed to these threats and may also rely on older, harder-to-secure systems that require investment and a well-segmented architecture with modern security controls.
Industry research from Claroty has found that a majority of building automation systems contain known vulnerabilities, with a small but significant portion of critical devices considered high risk. For facility owners and managers, those findings underscore a growing concern: An unsecured or improperly maintained BAS can become an unexpected entry point for cyberattacks.
In Dallas, a premier office tower experienced firsthand how vulnerable legacy building systems can be. After repeated ransomware incidents disrupted operations, the owner turned to the expertise of TD Controls to help secure and modernize its building automation system. Their experience highlights how quickly an overlooked BAS can become a serious business risk, and what it takes to fix it.
Today’s building automation systems manage far more than basic HVAC controls. A modern BAS may oversee HVAC equipment, lighting systems, access control, building entry security and, in some cases, water, fire and life safety systems. Many platforms also integrate with occupancy sensors, demand response tools and energy analytics platforms to support sustainability and operational efficiency goals.
Because these systems are networked and often remotely accessible, they can be targeted by cybercriminals. A successful attack may result in system downtime, disrupted tenant operations, safety concerns and reputational damage. In critical facilities, outages can even halt production.
Older systems face the greatest risk. Many legacy BAS platforms were installed before internet connectivity and modern cybersecurity practices were standard. They often lack modern encryption, strong authentication and proper separation between business and OT networks. When manufacturers no longer support these systems, security patches and updates stop, leaving known vulnerabilities exposed.
Before its upgrade, a luxury Dallas office tower relied on a legacy building automation system connected to an open, shared business operations network where day-to-day business is conducted (Email, file sharing, internet access, etc.). The BAS environment included improperly configured firewalls, limited network segmentation, outdated firmware and unsecured remote access tools that increased exposure.
The system was compromised and shut down through a ransomware attack. Although the original controls contractor replaced the server and restored temporary functionality, the underlying security issues remained, and the building was attacked again.
TD’s Controls team was engaged to deliver a long-term solution. The team began with a detailed cybersecurity risk assessment and coordinated closely with the customer’s IT staff. Key steps included:
Beyond improving security, TD’s team optimized the HVAC system using current industry standards, improving performance and helping the owner recover costs associated with system disruptions. The upgraded system provided stronger protection, better visibility and greater confidence in daily operations.
TD’s Controls team approaches BAS cybersecurity with a practical mindset: Keep facilities running securely while upgrading systems in a thoughtful, phased manner. Services include cybersecurity assessments, system upgrades and integrations, secure network design, system hardening and staff training.
The Dallas office tower project reflects TD Controls’ broader approach – combining security, system optimizations and long-term value to support both operational reliability and return on investment.
✔ Update firmware regularly
✔ Ensure strong passwords, MFA and encryption
✔ Segment OT from business operations networks
✔ Schedule routine cybersecurity audits
✔ Maintain the right skill sets and partnerships
Cyber threats targeting building automation systems are becoming more common as buildings grow more connected. Addressing vulnerabilities early can prevent costly disruptions and protect both occupants and operations.
Facility owners who want to understand their risk – and their options – can start with a professional BAS cybersecurity assessment. TD’s Controls team helps organizations take proactive steps to secure their systems today and prepare for what’s next.
TDIndustries delivers building operations and maintenance services that keep BAS, HVAC, plumbing, electrical and other critical systems running reliably while aligning with your budget and performance goals. With integrated expertise in mechanical construction, building maintenance, facilities management and building automation, TD provides the expertise to make your BAS a long-term operational asset.