When smart light bulbs and Wi-Fi-connected coffee cup warmers were popular a few years ago, researchers learned they could provide hackers easy access to an organization’s network. Now there is growing concern over vulnerabilities within HVAC systems, generators and building management systems, among other network-connected devices and tools.
“Buildings are no longer just bricks and mortar,” Paul Bagust, head of property practice at a U.K. building engineers group, the Royal Institution of Chartered Surveyors, said in a report the group released earlier this year. “They have evolved into smart, interconnected digital environments.”
The number of internet-exposed industrial control systems increased 13% last year, from 160,000 at the beginning of 2024 to more than 180,000 at the end of 2024, and is expected to hit 200,000 by the end of this year, according to cybersecurity company Bitsight.
A hospital in Burbank, California, learned what happens when an HVAC system goes down because of a hack elsewhere in the supply chain. A parts distributor's ordering system was shut down by an attack, which disrupted delivery of the compressor control modules the hospital needed to keep its HVAC system operational.
“It never occurred to [the distributor] that he was a target for cyber criminals,” Fast Company said in a report on the hack and its consequences.
Without a working HVAC, the hospital was forced to cancel surgeries, costing it hundreds of thousands of dollars. “And this all traced back to one small company with no cyber-disruption plan,” the report said.
Hackers are likely to look increasingly at HVAC and other building systems as access points into an organization's network because those systems were never designed to be secure, Troy Cruzen, virtual chief information security officer at Fortified Health Security, said in an interview. The company specializes in cyber threats against healthcare organizations.
“They were just designed to provide HVAC capabilities,” he said. “That’s just the reality of hackers. They can leverage those vulnerabilities and make it a bigger deal than they were designed to be.”
For organizations that have in-house IT capabilities, making building systems more secure doesn’t have to be expensive. But absent a push by an organization’s leadership, hardening the system tends to be a low priority, Cruzen said.
“There are a hundred things in IT’s queue that need a response,” he said. “If it’s not a top-down priority from leadership, with time and resources provided, it doesn’t get done.”
The most straightforward way to secure building systems is to segment them off the main network by creating their own virtual local area network, or VLAN, Cruzen said. The system still has connections to the main network, so it can send alerts and operate other functions that require connectivity, but the access points are minimized. That means if a hacker enters through the HVAC system, they're largely cut off from the main network.
“Isolating it takes it away from the front door and puts it more in the attic,” Cruzen said. “You have to come through the attic to get into the house.”
After you segment the building systems off the network, you can add visibility into what's happening in the VLAN, giving you and the IT team a heads-up if there's been an intrusion, Cruzen said. "You might not be able to stop it, but at least you can see it and adjust from there," he said.
Cruzen recommends facilities managers reach out to the organization’s IT team to have a scan done of all the building systems – the HVAC system, generators, smart lights, sensors and other devices that are part of a building management system – so they can see what is and isn’t connected to the network and how secure the ports and protocols are. Armed with that information, they can work with IT to create a roadmap for shoring up security.
“It provides a lens into what can be patched today and what can wait until end of life or end of service,” he said.
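The three steps above (segment, watch the boundary, scan the inventory and rank the findings) can be turned into something checkable. The script below is an added example, not code from the article or from Fortified Health Security: it triages a summarized port scan of building devices against an assumed BMS VLAN, audits the VLAN's flow records against an assumed allow-list, and sorts the findings into a worklist. The VLAN range, the collector and head-end addresses, the scan lines and the flow records are all constructed for the example.

```python
"""Triage a building-systems scan and the BMS VLAN's flow log against a
segmentation policy.  Added example, not the article's or the vendor's code.
Scan lines, flow records, VLAN range and allow-list are all constructed."""
import ipaddress
import re

# Assumed layout: building systems get their own VLAN; the rest of 10.10.0.0/16
# is the main network.
BMS_VLAN = ipaddress.ip_network("10.10.50.0/24")

# Assumed allow-list.  Outbound from the BMS VLAN: syslog alerts to the
# collector and HTTPS to the head-end.  Inbound: only the head-end may reach it.
ALLOWED_EGRESS = {
    (ipaddress.ip_address("10.10.20.5"), "udp", 514),
    (ipaddress.ip_address("10.10.20.9"), "tcp", 443),
}
ALLOWED_INGRESS_SOURCES = {ipaddress.ip_address("10.10.20.9")}

# Building-automation and management protocols with no authentication or with
# credentials in the clear.  Open is not a vulnerability by itself, but none
# of these should be reachable from the main network.
RISKY_SERVICES = {
    ("udp", 47808): "BACnet/IP (no authentication)",
    ("tcp", 502): "Modbus/TCP (no authentication)",
    ("tcp", 23): "Telnet (cleartext credentials)",
    ("tcp", 80): "HTTP (cleartext admin UI)",
    ("udp", 161): "SNMP (v1/v2c community strings)",
}

SCAN_LINE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(.+)$")


def parse_scan(text):
    """Parse summarized scan lines '<name> <ip> tcp/502, udp/47808, ...'
    into (name, address, [(proto, port), ...]) tuples."""
    devices = []
    for line in text.strip().splitlines():
        m = SCAN_LINE.match(line.strip())
        if not m:
            continue
        name, addr, ports = m.groups()
        open_ports = [(p.strip().split("/")[0].lower(), int(p.strip().split("/")[1]))
                      for p in ports.split(",")]
        devices.append((name, ipaddress.ip_address(addr), open_ports))
    return devices


def triage_device(addr, open_ports):
    """Return (severity, finding) pairs for one device."""
    in_vlan = addr in BMS_VLAN
    findings = []
    if not in_vlan:
        findings.append(("high", "not in BMS VLAN: reachable from the main network"))
    for proto, port in open_ports:
        desc = RISKY_SERVICES.get((proto, port))
        if desc:
            # The same open service is worse on a device outside the VLAN.
            findings.append(("high" if not in_vlan else "medium", f"{proto}/{port} {desc}"))
    return findings


def audit_flows(flows):
    """Flag traffic crossing the VLAN boundary outside the allow-list."""
    alerts = []
    for src, dst, proto, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in BMS_VLAN and d not in BMS_VLAN and (d, proto, dport) not in ALLOWED_EGRESS:
            alerts.append(f"egress {src} -> {dst} {proto}/{dport} not allowed")
        elif d in BMS_VLAN and s not in BMS_VLAN and s not in ALLOWED_INGRESS_SOURCES:
            alerts.append(f"ingress {src} -> {dst} {proto}/{dport} not allowed")
    return alerts


def build_roadmap(scan_text, flows):
    """Per-device findings, boundary alerts, and a worklist with highs first."""
    devices = {name: triage_device(addr, ports) for name, addr, ports in parse_scan(scan_text)}
    worklist = sorted(((sev, name, msg) for name, fs in devices.items() for sev, msg in fs),
                      key=lambda t: (t[0] != "high", t[1]))
    return {"devices": devices, "flow_alerts": audit_flows(flows), "worklist": worklist}


# Constructed sample input: a summarized scan and four flow-log records.
SAMPLE_SCAN = """
hvac-ahu-01    10.10.50.12  tcp/502, udp/47808, tcp/443
generator-ats  10.10.50.20  tcp/23, tcp/80
lighting-gw    10.10.7.44   udp/47808, tcp/443
badge-ctrl     10.10.50.31  tcp/443
"""
SAMPLE_FLOWS = [
    ("10.10.50.12", "10.10.20.5", "udp", 514),  # AHU sends an alert to the collector: allowed
    ("10.10.50.20", "10.10.3.77", "tcp", 445),  # generator controller talking SMB to a workstation
    ("10.10.3.77", "10.10.50.12", "tcp", 502),  # workstation poking Modbus on the AHU
    ("10.10.20.9", "10.10.50.12", "tcp", 443),  # head-end to AHU: allowed
]

if __name__ == "__main__":
    report = build_roadmap(SAMPLE_SCAN, SAMPLE_FLOWS)
    for sev, name, msg in report["worklist"]:
        print(f"[{sev:6}] {name}: {msg}")
    for alert in report["flow_alerts"]:
        print("[flow  ]", alert)
```

On the constructed input the lighting gateway ranks first because it sits on the main network with BACnet open, the two flow alerts show a generator controller reaching a workstation over SMB and a workstation reaching the air handler's Modbus port, and the badge controller, which exposes only HTTPS inside the VLAN, produces nothing. That ordering is the "patch today versus wait" lens: the devices that are both misplaced and exposing unauthenticated protocols get fixed first, and the flow alerts are the visibility that tells you the VLAN boundary is actually holding.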
There isn't systematic targeting of HVAC and other building systems at this point, but it's just a matter of time before hackers see these vulnerable systems as easy access points to networks, Cruzen said.
“There are predictions out there of these systems becoming more of a leveraged target,” he said. “As they become more of a focal point, you open a can of worms and that will flip and it will become more prioritized – more focus on security will be put on them. Until that happens, there are going to be some organizations that unfortunately get burned by this.”