OT-focused cyberattacks on building systems grew 30% year-over-year, and 26% of all BAS threats enter directly from the internet. Smart buildings now run HVAC, access control, lighting, fire suppression, and security cameras on interconnected IP networks where every connected device is a potential entry point. In 2013, attackers breached Target's financial network through a third-party HVAC vendor connection. In 2021, a German engineering firm lost control of hundreds of field devices after an attacker entered via an exposed UDP port in the BAS. BACnet, the dominant building automation protocol with over 60% market share, was not designed with authentication or encryption, and most BACnet devices still lack both today. FM teams are now on the front line of OT security, responsible for systems that traditional IT departments do not manage, understand, or monitor. This guide defines the specific vulnerabilities in smart building infrastructure, the network segmentation and device hardening controls that close them, and how Oxmaint's cloud platform provides the asset-level audit trail that cyber insurers and NIST CSF 2.0 compliance assessors require. Sign up free to begin mapping your building's connected asset register, or book a demo to see how Oxmaint tracks OT device access, firmware versions, and maintenance records in one auditable platform.
Map Every Connected OT Asset, Track Firmware Versions and Build Your BAS Audit Trail
Oxmaint gives FM teams a single platform to register every connected building asset, log access and maintenance records, and generate the asset-level documentation that cyber insurers and NIST CSF 2.0 assessors require.
What Smart Building Cybersecurity Means for FM Teams
Smart building cybersecurity is the discipline of protecting operational technology (OT) networks, building automation systems (BAS), and IoT device infrastructure from unauthorized access, manipulation, and disruption. It differs from IT security because building systems control physical environments, not just data. A compromised BAS does not only leak information. It can disable fire suppression, unlock access control panels, disable HVAC in a server room, or create direct occupant safety risks. FM teams are responsible for the physical consequences of cyber incidents that IT departments rarely plan for, yet BAS networks are almost never part of a corporate IT security programme.
What IT teams manage
- Corporate servers, workstations, and employee laptops
- Email, identity management, and cloud application access
- Data protection, encryption, and backup policy enforcement
- Software patching on standard Windows and Linux systems
- Perimeter firewalls and endpoint detection and response tools
- Security events measured in data breach and exfiltration terms
What FM teams must now protect
- BACnet, KNX, Modbus, and LonWorks protocol devices on building networks
- HVAC controllers, VAV boxes, chillers, boilers, and energy meters
- Access control panels, IP security cameras, and intercom systems
- Fire suppression controllers, smoke detectors, and life safety systems
- Lighting controllers, elevators, and parking management systems
- Security events with direct physical and occupant safety consequences
Six Attack Vectors That Target Smart Building Infrastructure
BAS attacks do not require sophisticated exploits. Most successful intrusions exploit the same structural weaknesses that have existed in building systems since they were first connected to a network: default credentials, unencrypted protocols, unpatched firmware, and inadequate network boundary controls. Understanding each vector is the first step toward closing it.
Register Every BAS Device, Log Every Vendor Access Session, and Generate Audit-Ready OT Records
Oxmaint's asset register captures every connected building device, tracks firmware patch status, and logs all vendor access events with timestamps and technician attribution, producing the documentation that NIST CSF 2.0 and cyber insurers require. Book a demo to see OT asset tracking for your building portfolio.
BAS Cyber Risk vs Hardened State: Operational Comparison for FM Teams
| Security Area | Unprotected BAS State | Hardened BAS State |
|---|---|---|
| Device Credentials | Default factory credentials on BACnet and KNX controllers. Shared passwords across device classes. No credential rotation policy or documented ownership. | Unique credentials per device. MFA enforced on all remote access sessions. Credential rotation scheduled as a PM task in Oxmaint with compliance tracking. |
| Protocol Security | Legacy BACnet/IP with no encryption or device authentication. All commands readable and injectable by any device on the same network segment. | BACnet/SC with TLS 1.3 and X.509 device certificates. KNX Secure with AES-128 on new installations. Legacy protocol devices isolated in separate VLAN. |
| Network Segmentation | BAS network flat with corporate IT network. A single compromised workstation provides access to all building controllers, HVAC, and access control systems. | OT network fully segmented from IT via firewall. BAS VLAN separated from IP cameras, access control, and corporate LAN. East-west traffic monitored by IDS. |
| Vendor Remote Access | Always-on VPN tunnels for building system vendors. No logging, no time limits, no FM team visibility into active sessions or commands executed. | Time-limited vendor access via jump server with session recording. Every vendor access event logged as a work order activity in Oxmaint with technician attribution and timestamp. |
| Firmware and Patch Management | BAS device firmware never updated after commissioning. Legacy operating systems with known CVEs running on HVAC controllers and access control servers. | Firmware version tracked per device in Oxmaint asset register. Patch availability triggers automated work order. Critical CVE patches scheduled as priority PM tasks. |
| Asset Visibility | No complete register of connected BAS devices. Shadow devices added by contractors not documented. IP camera and IoT sensor inventory maintained in separate spreadsheets. | Every OT and IoT device registered in Oxmaint with make, model, firmware version, network address, and last maintenance date. Device discovery scan reconciled against register quarterly. |
| Incident Response | No documented BAS incident response plan. FM team learns of breach from occupant complaints or physical system failure. Average detection-to-containment: weeks to months. | Documented OT incident response playbook. Anomaly detection alerts trigger Oxmaint work orders. Critical system isolation procedures tested in quarterly tabletop exercises. |
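As an added example (not Oxmaint's code or any code from the page), the following Python script applies three of the hardened-state checks from the table (default credentials, legacy BACnet/IP outside an isolated VLAN, firmware below the patched version) to a constructed asset register, and reconciles that register against a constructed discovery scan to surface shadow devices and stale records. The register fields, addresses, VLAN names, model names and minimum firmware values are all assumptions.

```python
"""Reconcile a BAS discovery scan against the OT asset register and flag
devices that fail the hardened-state checks. All data here is constructed."""

# Constructed asset register rows (fields mirror make/model/firmware/address/
# zone style records; model names, addresses and VLAN names are assumptions).
REGISTER = [
    {"ip": "10.20.1.10", "model": "hvac-ctrl", "firmware": "2.4.1",
     "protocol": "BACnet/SC", "vlan": "bas-secure", "default_creds": False},
    {"ip": "10.20.1.11", "model": "hvac-ctrl", "firmware": "2.3.0",
     "protocol": "BACnet/IP", "vlan": "bas-secure", "default_creds": True},
    {"ip": "10.20.1.12", "model": "vav-box", "firmware": "1.9.0",
     "protocol": "BACnet/IP", "vlan": "bas-legacy", "default_creds": False},
    {"ip": "10.20.1.13", "model": "vav-box", "firmware": "1.9.0",
     "protocol": "BACnet/IP", "vlan": "bas-legacy", "default_creds": False},
]
# Constructed discovery scan: addresses that answered on the BAS VLANs.
DISCOVERED = {"10.20.1.10", "10.20.1.11", "10.20.1.12", "10.20.1.50"}
# Assumed minimum patched firmware per model (placeholder values, not vendor data).
MIN_FIRMWARE = {"hvac-ctrl": "2.4.0", "vav-box": "1.9.0"}
# Assumed name of the VLAN that isolates unauthenticated legacy BACnet/IP devices.
LEGACY_VLAN = "bas-legacy"

def parse_version(text):
    """'2.10.0' -> (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def reconcile(register, discovered):
    """Shadow devices answered the scan but are not registered; stale records
    are registered but did not answer (offline, removed, or re-addressed)."""
    known = {row["ip"] for row in register}
    return {"shadow": sorted(discovered - known), "stale": sorted(known - discovered)}

def audit_device(row):
    """Return the hardened-state checks this device fails (empty list = pass)."""
    findings = []
    if row["default_creds"]:
        findings.append("default factory credentials")
    if row["protocol"] == "BACnet/IP" and row["vlan"] != LEGACY_VLAN:
        findings.append("unauthenticated BACnet/IP outside isolated VLAN")
    floor = MIN_FIRMWARE.get(row["model"])
    if floor and parse_version(row["firmware"]) < parse_version(floor):
        findings.append(f"firmware {row['firmware']} below patched {floor}")
    return findings

def audit(register, discovered):
    """Reconciliation plus per-device findings keyed by address; clean devices are omitted."""
    report = reconcile(register, discovered)
    report["findings"] = {r["ip"]: audit_device(r) for r in register if audit_device(r)}
    return report
```

Each finding maps to a remediation row in the table above, so the output can be turned directly into credential-rotation, VLAN-move or firmware-patch work orders.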
OT Network Segmentation Architecture for Smart Buildings
Network segmentation is the single most effective control for limiting the blast radius of a BAS compromise. A flat network where building controllers share a broadcast domain with corporate laptops means a single phishing email can give an attacker control of HVAC, access panels, and fire systems. Proper segmentation creates containment boundaries that stop lateral movement even after initial compromise. The four-zone architecture below is aligned with ISA/IEC 62443 and is the reference design for FM teams implementing OT security programmes in 2026.
Regulatory Compliance Frameworks Requiring BAS Cybersecurity Documentation
FM teams face a growing compliance obligation for OT cybersecurity documentation across multiple regulatory frameworks. NIST CSF 2.0, NIS2 in Europe, and the UK PSTI Bill all explicitly extend cybersecurity requirements to OT and IoT systems in commercial buildings. Cyber insurance carriers now require documented OT asset registers and patch management programmes as a condition of BAS coverage. The table below maps each framework to its specific FM team requirement.
| Framework | Jurisdiction | FM Team Requirement | Oxmaint Coverage |
|---|---|---|---|
| NIST CSF 2.0 | USA | Asset inventory for all OT devices, documented vulnerability management, and vendor access controls with audit logs. | OT asset register, firmware version tracking, vendor access work order logging, and on-demand compliance export. |
| NIS2 Directive | European Union | Risk management measures for all network and information systems including BAS. Incident reporting within 24 hours. Supply chain security obligations for building system vendors. | Connected asset register with risk tagging, maintenance record timestamping for incident response documentation, and vendor access logging. |
| PSTI Bill | UK | Minimum security requirements for all consumer IoT devices including building-connected sensors, cameras, and smart meters. Default password prohibition and vulnerability disclosure requirements. | IoT device register with default credential flag, firmware update PM scheduling, and device-level security posture tracking in asset record. |
| California IoT Law SB-327 | California, USA | Unique pre-programmed password per device or security feature requiring authentication before initial use for all IoT devices connected to the internet. | IoT device commissioning checklist in Oxmaint work order system enforces credential change at device installation and logs compliance evidence. |
| ISA/IEC 62443 | International | Zone and conduit model for OT network segmentation. Security level targets for each zone. Documented security management system for industrial automation and control. | Asset register by zone and conduit, security-level PM templates, and compliance documentation export for third-party audit against IEC 62443-2-1 requirements. |
| Cyber Insurance Requirements | All regions | Complete OT asset inventory, documented patch management programme, vendor access controls, network segmentation evidence, and incident response plan as policy conditions. | Full OT asset register with firmware versions, patch PM schedule with completion audit trail, vendor access logs, and exportable compliance documentation for underwriters. |
How Oxmaint Closes the OT Security Gap for FM Teams
Oxmaint maintains a complete, searchable register of every connected building device with make, model, firmware version, network address, zone assignment, and last maintenance date. Asset discovery scans can be reconciled against the register to identify shadow devices not in the inventory. This register is the foundational requirement for NIST CSF 2.0, NIS2, and cyber insurance OT coverage.
Firmware versions are tracked per device in the Oxmaint asset record. When a vendor releases a critical security patch or a CVE is published for a device model in your register, Oxmaint generates a scheduled PM work order for the patch deployment. Patch completion is logged with technician attribution and timestamp, producing the patch management audit trail that cyber insurers require as a condition of OT coverage.
Every vendor and contractor access event is logged as a work order activity in Oxmaint with the vendor identity, access start and end time, systems accessed, and work performed. This replaces the unmonitored permanent VPN sessions that enabled the Target HVAC breach and provides the vendor access control documentation required by NIS2 supply chain security obligations and NIST CSF 2.0 govern function requirements.
Oxmaint generates on-demand compliance documentation exports covering the OT asset register, patch management history, vendor access logs, and PM completion records. These exports are formatted for cyber insurance underwriter submissions, NIST CSF 2.0 self-assessments, NIS2 incident reporting, and ISA/IEC 62443 third-party audits. No manual compilation. No spreadsheet consolidation. A single export covers the full OT security evidence package. Book a demo to see the compliance export in action.
Smart Building Cybersecurity Performance Benchmarks
Frequently Asked Questions: Smart Building Cybersecurity for FM Teams
- Q: Why is FM responsible for BAS cybersecurity if IT manages the corporate network?
- Q: What is the most common entry point attackers use to compromise a BAS?
- Q: How does Oxmaint help FM teams meet cyber insurance OT documentation requirements?
- Q: Does BACnet/SC replace the need for network segmentation in smart buildings?
Protect Your Building OT Assets, Log Every Vendor Session, and Pass Every Cyber Audit
Oxmaint connects your building's connected asset register, vendor access logs, firmware patch history, and OT maintenance records into one auditable platform. No manual documentation. No compliance gaps. One export covers NIST CSF 2.0, NIS2, ISA/IEC 62443, and cyber insurance requirements simultaneously. Book a 30-minute demo to see OT security documentation configured for your building portfolio and compliance jurisdiction.