State-backed threat actors involved with the Iran conflict are targeting unsecured cyber-physical building systems, security specialists say.
A surge in smart building technology and dated technology in older assets have increased the attack surface for real estate, according to a 2026 resiliency insights report by WiredScore, a global certification body for digital connectivity and smart building performance.
Commercial real estate is “sleepwalking towards more frequent cyber security breaches,” the company says in the report. “The industry must recognize that cyber risk is not simply an IT issue or an engineering issue, but a core asset management responsibility.… Attacks no longer sit only in the abstract world of servers and stolen data. Increasingly, they land in the physical world and disrupt tenants, operations, cashflow and insurance, ultimately affecting the value and standing of the landlord.”
Cybercrime is forecast to cost $23 trillion globally by 2027, a 175% increase from 2022, according to the International Monetary Fund.
Attacks on building management systems could cost hundreds of thousands of dollars, plus the cost of every hour that tenants can’t use a building if it is affected by a cyberattack, WiredScore says.
The WiredScore report says “a single mis-click on what looked like an innocuous photo” by an engineer in North America triggered malware that crept into a building management system, resulting in a 90-day recovery period to restore building operations. Occupiers had to be relocated and the BMS needed to be replaced as well, the report states.
Operational technology — the systems that run access control, closed-circuit cameras, lighting, HVAC, metering, ventilation and more — is now deeply intra-connected and internet connected, according to WiredScore.
Claroty, a firm that specializes in industrial security, also reported this month that threat groups are targeting critical infrastructure for malicious attacks by using direct access to cyber-physical systems.
Attackers, including those that are state sponsored or part of hacktivist groups, are often targeting human-machine interfaces or supervisory control and data acquisition systems that are used to control industrial processes in factories and building control systems, the Claroty report says.
“We are seeing a very big influx with less-sophisticated attackers that, essentially, exploit these insecure-by-design mechanisms,” Noam Moshe, head of Claroty’s Team82, told Facilities Dive. Team82 conducts threat vulnerability research. “We see it so much in critical infrastructure and building management systems and critical environments where devices were not built with security in mind.”
Geopolitical tensions, including the conflict in Iran and the war in Ukraine, are causing cyber ripples that are resulting in innocent parties — building, data and asset owners — being targeted, Moshe said.
“There’s a big shift,” he said. “In the past, we would think about an attack on critical infrastructure as very pinpoint, looking for a specific target.… We are now seeing a different approach of [attackers] essentially going [after] whomever is exposed. Attackers don’t care anymore who their target is, except for it being in a specific country.”
Even if an organization doesn’t seem like a target and is in the private sector, it could get caught in the crossfire because its IP address is associated with a specific country, according to Moshe.
This is often the case with human-machine interfaces, which are essentially the screens that monitor and govern physical processes and provide tools for operators to control parameters in the physical environment, Moshe said. “Now attackers are exploiting these devices and looking for internet-exposed devices that are left insecure in order to actually cause the physical damage,” he said. “The HMI is, first and foremost, the screen that chokes the entire physical process. It [showcases] the critical infrastructure environment that they’re exploiting.”
Moshe calls attention to building systems in older facilities that have been updated so they can be accessed via the internet. These often rely on serial bus connections — shared communication pathways — that introduce security issues, he said.
“Many times these systems were not built with this kind of attack surface in mind, and that’s why we see so many exposed and vulnerable devices,” Moshe said. “Now, it’s not only a question of when the device was built, but what is the security posture and security awareness and readiness of the vendors. … And obviously what kind of best practices and counter-measurements you are taking in order to better protect yourself.”
The WiredScore report also notes the vulnerability of what once were standalone systems maintained locally by engineers and are now remotely monitored and tied into wider digital ecosystems. “The speed of digitization is far outpacing the speed of cybersecurity enhancements,” the report states.
Protecting critical infrastructure
WiredScore recommends practices that can limit the likelihood of successful attacks by removing points of origin or making them inaccessible to unauthorized users. These include keeping systems updated, enabling two-factor authentication, working with the IT team to disable or remove sensitive hardware and regularly backing up systems.
In addition, facility managers should work with IT teams to segment IoT sensors from building management systems, limit third-party access to IoT systems by default and ensure computers have regular password changes.
Moshe pointed to three areas where facility managers can protect their buildings: asset inventory, segmenting networks and applying best practices for cybersecurity.
“At the end of the day, you can’t protect what you’re not aware of,” he said. “Many times we don’t actually know what’s sitting in our networks. It could be a sensor or small device that someone installed 50, 15 or two years ago that we’re simply unaware of.”
Operators should also practice good network hygiene, he said. “Don’t expose devices online,” he said. “Attackers are looking for these devices, hunting them and exploiting them. If we have a device that might be insecure, we might use some kind of network segmentation to limit it [and] to make sure that if it is compromised, attackers won’t be able to move laterally” into other building systems.
The most important steps are applying software patches when they come out, regularly changing passwords and disabling insecure protocols, he said. “Simply, people do not apply these patches,” he said. “By using a one-day vulnerability, [bad actors] could gain access in a network and fully compromise it.”
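The practices above (asset inventory, segmentation of IoT sensors from building management systems, third-party access off by default, no internet-exposed devices, no insecure protocols) can be checked against a device list. The following Python audit is an added example, not code from WiredScore, Claroty or the original article; the inventory field names, the internal address range and the list of protocols treated as insecure are assumptions, and the sample data is constructed.

```python
import ipaddress

# Assumption: the site's own address plan; anything outside it is treated as exposed.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: services without encryption or authentication in their classic form.
INSECURE_PROTOCOLS = {"telnet", "ftp", "http", "modbus-tcp", "bacnet-ip"}

# Constructed inventory; field names are hypothetical.
INVENTORY = [
    {"name": "plant-hmi", "role": "bms", "ip": "203.0.113.20", "vlan": 10,
     "protocols": ["http", "modbus-tcp"], "third_party_access": True},
    {"name": "ahu-controller", "role": "bms", "ip": "10.10.0.5", "vlan": 10,
     "protocols": ["https"], "third_party_access": False},
    {"name": "occupancy-sensor", "role": "iot", "ip": "10.10.0.77", "vlan": 10,
     "protocols": ["https"], "third_party_access": False},
    {"name": "air-quality-sensor", "role": "iot", "ip": "10.20.0.8", "vlan": 20,
     "protocols": ["https"], "third_party_access": False},
]
# Constructed list of addresses seen by a network discovery pass.
OBSERVED_IPS = {"203.0.113.20", "10.10.0.5", "10.10.0.77", "10.20.0.8",
                "10.10.0.200"}


def audit(inventory, observed_ips):
    """Return a sorted list of (subject, finding) tuples."""
    findings = []
    bms_vlans = {d["vlan"] for d in inventory if d["role"] == "bms"}
    for d in inventory:
        addr = ipaddress.ip_address(d["ip"])
        if not any(addr in net for net in INTERNAL_NETS):
            findings.append((d["name"], "address outside internal ranges"))
        for proto in sorted(INSECURE_PROTOCOLS.intersection(d["protocols"])):
            findings.append((d["name"], f"insecure protocol enabled: {proto}"))
        if d["role"] == "iot" and d["vlan"] in bms_vlans:
            findings.append((d["name"], "IoT sensor shares a segment with BMS"))
        if d["third_party_access"]:
            findings.append((d["name"], "third-party access enabled"))
    # Devices seen on the wire that nobody has recorded.
    known = {d["ip"] for d in inventory}
    for ip in sorted(observed_ips - known):
        findings.append((ip, "on the network but missing from inventory"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit(INVENTORY, OBSERVED_IPS):
        print(f"{subject}: {finding}")
```

On the constructed data, the audit reports the unrecorded device at 10.10.0.200, the sensor sharing VLAN 10 with the controllers, and four findings for the exposed HMI.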