Cyberattacks on critical building systems like HVAC, lighting and energy have exploded in recent years, putting facilities managers in the unfamiliar position of having to think about network vulnerabilities.
Cybersecurity “shouldn't be a part of their day-to-day life, but they have all the context to what's happening on a device,” Sean Tufts, field chief technology officer at cybersecurity firm Claroty, said in an interview.
That contextual knowledge is critical as IT specialists try to devise ways to protect their organization’s infrastructure, said Tufts.
“The people in the IT department … typically have no idea what's happening … on a badge reader, on a camera system,” he said. “They need that context. So we need to build that cultural bridge.”
In its latest analysis of building management systems, Claroty found that 75% of the 500 organizations studied — each with building systems that have cyber components like embedded computers and networked controls — were vulnerable to breaches or cyberattack.
In a survey conducted in the U.K. earlier this year, more than a quarter of facilities managers said their building management system had been targeted in a cyberattack, up from 16% the previous year. The Royal Institution of Chartered Surveyors, which conducted the survey, said cybersecurity now ranks highest among the most significant and fastest-growing threats facing building owners and occupiers.
“Buildings are no longer just bricks and mortar,” Paul Bagust, head of property practice at RICS, said in the survey report. “They have evolved into smart, interconnected digital environments embracing increasingly sophisticated and ever-evolving technologies to enhance occupier experience.”
Risks to building management systems will only grow as companies upgrade legacy systems, Claroty said in its report. “As buildings get ‘smarter,’ building management and automation systems are going to be connected online with greater frequency,” it said. “Many of these systems do not support cybersecurity features.”
IT and facilities management need to come together if organizations are to keep a lid on risks, Tufts said. “No one knows that facility better than the facility manager and their team,” he said. “So, they are the business. We cannot do anything without them.”
To bridge what he called a cultural gap between the two sides, Tufts recommended a five-step action plan for IT and facilities management to work together.
- Scoping. Map out your organization’s operational processes, determine which building systems support them and rank these processes by business impact, like financial loss, operational downtime, reputational harm, regulatory non-compliance, and safety risks.
- Discovery. Create a context-rich asset inventory of building systems that operate alongside network infrastructure, like HVAC, lighting and security, so there’s visibility into how these systems connect.
- Prioritization. Rank which processes, if compromised, would result in meaningful consequences such as financial losses, operational downtime, safety incidents, or compliance failures.
- Validation. Confirm that exposures are real and externally reachable by tracing how building management assets within the network actually communicate. Not every communication path should exist, and each one that does is a potential attack path.
- Mobilization. Work with security vendors that partner with original equipment manufacturers to support onsite remediation, especially when updates or configurations affect legacy systems. Coordinate remediation efforts around maintenance windows and operational schedules to minimize disruptions to critical processes. Establish KPIs and reporting mechanisms to demonstrate risk reduction and validate the ROI of security efforts over time.
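One way to carry out the discovery, prioritization and validation steps in code, as an added example that is not from Claroty or the article: the asset inventory, baseline and flow records below are constructed, and the addresses, ports and impact ranks are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed asset inventory from the discovery step: address -> name,
# the operational process it supports, and its business-impact rank (1 = highest).
INVENTORY = {
    "10.20.1.10": {"name": "hvac-controller-1", "process": "HVAC", "impact": 2},
    "10.20.1.20": {"name": "bms-server", "process": "HVAC", "impact": 1},
    "10.20.2.5": {"name": "badge-reader-lobby", "process": "access control", "impact": 1},
    "10.20.3.7": {"name": "lighting-gateway", "process": "lighting", "impact": 3},
}

# Expected communication baseline: (src, dst, dst_port) paths that should exist.
BASELINE = {
    ("10.20.1.20", "10.20.1.10", 47808),  # BMS server polls HVAC controller (BACnet/IP)
    ("10.20.1.20", "10.20.3.7", 47808),   # BMS server polls lighting gateway
    ("10.20.2.5", "10.20.2.1", 443),      # badge reader reports to access-control server
}

# Constructed flow records, as a NetFlow export or passive sensor might supply.
FLOWS = [
    {"src": "10.20.1.20", "dst": "10.20.1.10", "dport": 47808},
    {"src": "203.0.113.45", "dst": "10.20.1.10", "dport": 47808},  # source outside the site
    {"src": "10.20.5.99", "dst": "10.20.2.5", "dport": 80},        # office workstation -> badge reader
    {"src": "10.20.1.20", "dst": "10.20.3.7", "dport": 47808},
]

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_external(addr):
    """True when the address is not in any internal range (assumed RFC 1918 here)."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL)


def validate_flows(flows, inventory, baseline):
    """Return flows touching inventoried assets that are not in the baseline,
    externally reachable paths first, then by business-impact rank."""
    findings = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        if key in baseline:
            continue
        asset = inventory.get(f["dst"]) or inventory.get(f["src"])
        if asset is None:
            continue  # not a building-system asset, out of scope for this check
        findings.append({"asset": asset["name"], "process": asset["process"],
                         "impact": asset["impact"], "external": is_external(f["src"]),
                         "flow": key})
    findings.sort(key=lambda x: (not x["external"], x["impact"]))
    return findings
```

Each finding names the process affected and whether the path originates off-site, which is the information facilities management needs to decide whether a connection belongs there before remediation is scheduled.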
“Oftentimes, building management systems and building automation systems are being operationalized on the network without thinking about the cybersecurity implications,” Grant Geyer, chief strategy officer at Claroty, said in the company’s report. “What’s being gained in efficiency and convenience might be coming at a real risk if not effectively secured.”