The Overlooked Threat: How Legacy Building Systems Pose New Cyber Risk

By Chris Pogue

September 17, 2025

Chris Pogue is Director of Digital Forensics and Incident Response (DFIR) for cybersecurity and cloud services provider CyberCX in the Americas. A former U.S. Army Warrant Officer with more than 25 years of experience in cybersecurity, he has led global breach investigations and advised executives on managing cyber risk. He also serves with the U.S. Secret Service Cyber Fraud Task Force and FBI InfraGard NYC.

There’s a hidden risk humming quietly inside the walls of your buildings, and no, it’s not just your HVAC system. It’s the convergence of physical infrastructure with digital systems, and it’s happening whether we’re ready or not. From building management systems (BMS) to access control panels and operational technology (OT), the systems we once thought of as isolated, mechanical, and harmless are now connected to the network. And where there’s connectivity, there’s risk—especially for legacy building systems.

For years, legal teams have focused on the cybersecurity risks of traditional IT systems: laptops, servers, email, cloud. That’s understandable. That’s where the headlines, the governance, risk and compliance (GRC) regimes, and the security frameworks usually point. But increasingly, the initial compromise doesn’t start in the server room. It starts in a boiler room, a maintenance closet, or a rooftop HVAC unit, in systems that were never designed with security in mind.

Old tech, new problems

Roughly 75% of commercial buildings in the US were built before 2000, according to Veridify Security. Most of them weren’t born “smart.” Instead, they’re being retrofitted with internet-enabled sensors, controllers, and platforms. The problem? These upgrades often connect insecure, decades-old OT systems, like fire alarms, lighting controls, or badge readers, to modern IT networks.

It’s a Frankenstein situation: legacy protocols like BACnet and Modbus get stitched into modern architecture, sometimes without segmentation or authentication. Suddenly, a threat actor with access to your access control panel also has a potential pivot into your business network.
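To make the missing-segmentation point concrete, here is an added example (not code from the article or from CyberCX) that audits constructed flow records for Modbus/TCP and BACnet/IP traffic crossing between an assumed building-systems subnet and the corporate LAN. The subnets, the allowed management workstation and the record format are assumptions.

```python
"""Flag building-system (OT) protocol flows that leave their network segment."""
from ipaddress import ip_address, ip_network

# Assumed segments: controllers live in OT_NET and should only talk to each
# other or to the one designated BMS workstation in the corporate LAN.
OT_NET = ip_network("10.50.0.0/24")
ALLOWED_MGMT = {ip_address("10.10.5.20")}  # assumed BMS workstation

# Protocols named in the article; neither carries authentication, so any
# cross-segment flow on these ports deserves an alert.
OT_PROTOCOLS = {("tcp", 502): "Modbus/TCP", ("udp", 47808): "BACnet/IP"}


def parse_flow(line):
    """Parse one constructed flow record: '<proto> <src:port> <dst:port>'."""
    proto, src, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto.lower(), ip_address(src_ip), ip_address(dst_ip), int(dst_port)


def classify(line):
    """Return an alert string for an OT protocol flow crossing segments, else None."""
    proto, src, dst, port = parse_flow(line)
    name = OT_PROTOCOLS.get((proto, port))
    if name is None:
        return None  # not a building-system protocol
    src_ot, dst_ot = src in OT_NET, dst in OT_NET
    if src_ot == dst_ot:
        return None  # both inside the OT segment (or both outside): not a crossing
    outsider = dst if src_ot else src
    if outsider in ALLOWED_MGMT:
        return None  # the one sanctioned management path
    direction = "controller -> corporate" if src_ot else "corporate -> controller"
    return f"{name} {direction}: {src} -> {dst}:{port}"


def audit(lines):
    """Run classify() over a batch of flow records and keep only the alerts."""
    return [alert for alert in map(classify, lines) if alert]


SAMPLE_FLOWS = [  # constructed records, not real traffic
    "tcp 10.50.0.21:40001 10.50.0.5:502",    # controller to controller: expected
    "tcp 10.10.5.20:50231 10.50.0.5:502",    # sanctioned BMS workstation: expected
    "tcp 10.10.7.33:50231 10.50.0.5:502",    # unrelated corporate host polling a PLC
    "udp 10.50.0.8:47808 10.10.0.44:47808",  # BACnet leaking into the corporate LAN
    "tcp 10.10.7.33:443 10.10.7.34:443",     # ordinary corporate traffic: ignored
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS):
        print(alert)
```

The same check runs unchanged over exported firewall or NetFlow records once they are mapped to the three-field format; a non-empty result is direct evidence that the "stitched together" architecture the article describes exists on your network.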

These aren’t hypothetical attacks. They’re playbooks.

A cautionary tale: The Target breach

In one of the most well-known breaches in cybersecurity history, attackers gained access to Target’s network through a compromised HVAC vendor in 2013. That vendor had legitimate access to internal systems. Once inside, the attackers moved laterally, eventually planting malware on point-of-sale terminals. The cost? Over 100 million records compromised, an estimated $290 million in fines and fees, and an enduring cautionary tale in vendor and OT risk.

The lesson is simple: if it’s connected, it’s exploitable.

Quiet systems, loud consequences

OT environments were never meant to be secure; they were meant to be reliable. And that’s part of the problem. These systems often run on outdated software, with hardcoded credentials, poor patching practices, and little to no network segmentation. For years, they’ve flown under the radar of cybersecurity programs.

But they haven’t flown under the radar of attackers.

Recent breaches involving utility systems, industrial controllers, and building access panels all follow a familiar pattern: exploitation of overlooked systems to establish footholds. Once inside, attackers use the same tactics they’d use in a traditional IT environment: credential dumping, lateral movement, and data exfiltration.

A recent joint advisory from the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) highlights how even unsophisticated attackers are exploiting exposed OT systems to disrupt operations or plant ransomware. In one example, a threat actor exploited publicly accessible remote access software with default credentials. No zero-days. No sophistication. Just basic oversight with massive consequences.

This isn’t just a smart building problem

While smart buildings with high-end integrations get much of the attention, the real risk might be in the older ones. Buildings that were never designed to be digital are being dragged into the 21st century with retrofits that prioritize convenience over security. And with the growing adoption of remote management tools, many of these systems are now exposed to the public internet, often, as noted above, with default credentials still intact.

The risk is clear. Awareness isn’t.

The White House has increasingly acknowledged the risks posed by the convergence of cyber and physical systems. In June 2025, former Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger warned that U.S. infrastructure remains vulnerable to cyberattacks, noting that operational systems still lag behind traditional IT in security protections. For the commercial real estate sector, this includes building management technologies such as HVAC, lighting, elevators, and access controls. 

Federal agencies, including the Environmental Protection Agency (EPA), Federal Communications Commission (FCC), and the Department of Health and Human Services (HHS), continue to expand sector-specific cybersecurity regulations, while policymakers emphasize stronger private-sector accountability in securing interconnected building systems that directly affect tenants and investors.

CISA and the FBI are paying attention

CISA and the FBI have issued multiple joint advisories in 2025 warning about threats targeting OT, BMS, and converged environments. The guidance is blunt: these systems are actively being targeted, not just by sophisticated nation-state actors, but by low-skill attackers exploiting default passwords and outdated software.

Among the key takeaways:

Why legal needs to lean in

Legal teams have a critical role to play, not only in responding to breaches after they occur, but in proactively shaping how organizations manage cyber-physical risk. This begins with contract review: ensuring that third-party vendors responsible for building systems are held to appropriate cybersecurity standards. It also extends to policy alignment, verifying that incident response plans account for OT and physical infrastructure, not just traditional IT. Insurance policies should be reviewed to confirm they cover losses stemming from building management system (BMS) or OT compromise. 

Just as importantly, governance must evolve to include the security function in conversations around facilities, construction, and retrofit planning. Many of these systems are procured and operated outside of IT’s oversight, often by facilities teams, developers, or external integrators. Legal departments are uniquely positioned to bridge these operational silos, drive accountability, and embed cybersecurity considerations into all corners of the organization’s risk posture.

Closing the gap

Cybersecurity is no longer just about IT. It’s about doors, cameras, HVAC units, elevators, and lighting systems. The line between cyber and physical has all but disappeared, and with it, the illusion that some systems are too niche or too obscure to be targeted.

Organizations that continue to treat OT and building systems as “separate” from cyber risk are ignoring one of the most common attack vectors in today’s threat landscape. It’s not just the smart buildings that are vulnerable. It’s every building, and every device with an IP address.

The convergence is here. And the organizations that will weather it best are the ones that start treating every connected system, no matter how old, obscure, or operational, as part of their threat landscape.

Because the next breach may not come through a phishing email. It may come through your thermostat.
