A modern building automation system is a networked computer system connected to the internet — which makes it a cybersecurity concern, not just a comfort system. The good news is that the basics are straightforward: segment the controls network, secure remote access, change default credentials, keep software updated, and control who has access. Owners do not need to be security experts, but they should expect their controls to be installed with these protections, not left wide open.
Older controls were islands: no network connection, so no way to reach them from outside the mechanical room. Modern building automation is connected: operators log in remotely, contractors service systems online, and dashboards live on the network. That connectivity is genuinely useful, but it also means the control system is reachable, and anything reachable can be attacked.
This is “operational technology” (OT) security — the systems that run physical equipment — and buildings have become part of the conversation as their controls came online.
The realistic risks for a commercial building range from nuisance to serious: an attacker disrupting comfort or equipment, using an exposed controls device as a foothold into the building’s broader IT network, or exploiting unpatched devices and default passwords. The most common real-world exposures are mundane — controls left on the open internet with default credentials.
The point is not fear; it is that basic hygiene prevents the great majority of problems, and skipping it leaves easy doors open.
The single most important measure is keeping the controls network separate from the rest of the building's IT: on its own VLAN, with a firewall filtering the traffic between that VLAN and the office and guest networks, not flat on the same network as office computers and guest Wi-Fi. A VLAN with no rules between it and the rest of the network is only a label; it is the firewall policy that makes a problem on one network stop short of the other.
This is coordinated with the building’s IT team, and it is a basic expectation of a competent controls installation. The network architecture should reflect it.
Remote access is valuable (it is how problems get diagnosed without a truck roll), but it must be secured: through a VPN or another authenticated, encrypted connection, never a controller whose web interface or BACnet port is exposed directly to the internet; with strong, unique credentials and multi-factor authentication wherever the platform supports it; and with access revoked promptly when a contractor relationship ends.
An exposed controller with a default password is the classic avoidable failure. Securing the remote path closes it.
The rest of the basics are housekeeping: change the default password on every device, keep controller firmware and supervisory software updated as the vendor releases security fixes, and control who has accounts, with each person holding their own credentials so access can be tracked and revoked. When a contractor or employee leaves, their access goes with them.
This also connects to ownership: you should hold your own administrative credentials, not depend on a single vendor who alone can access your system.
An owner does not run the security program, but should expect a controls partner to install the system with segmentation, secured remote access, changed defaults, and documented credentials handed to the owner — and to coordinate with the building’s IT team. These are baseline professional practices, not premium add-ons.
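The baseline just described can be checked mechanically. The following is an added example, not code from the original page or from the contractor: a small audit that evaluates a firewall policy to see which building zones can reach BACnet/IP (UDP 47808) and Modbus/TCP (TCP 502) on the controls VLAN, then walks a device inventory and an account list for default passwords, internet exposure, shared logins, missing MFA and contractors whose engagement has ended. The firewall model is a simplified first-match policy with an implicit default deny; the rules, zone CIDRs, devices, accounts and dates are constructed sample data (203.0.113.0/24, the reserved documentation range, stands in for the public internet), and the "flat" versus "segmented" rule sets are hypothetical.

```python
"""Audit a building controls network against the baseline in the text above.

Added example with constructed sample data; not the page's or contractor's
tooling. Firewall model: first matching rule wins, no match means deny.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional

# Well-known OT service ports: BACnet/IP is UDP 47808, Modbus/TCP is TCP 502.
OT_SERVICES = {("udp", 47808): "BACnet/IP", ("tcp", 502): "Modbus/TCP"}

@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port, None means any port
    action: str          # "allow" or "deny"

@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    default_password: bool   # vendor default credential still in place
    internet_exposed: bool   # reachable from the internet without the VPN

@dataclass(frozen=True)
class Account:
    user: str
    shared: bool                  # one login used by several people
    mfa: bool
    contract_end: Optional[date]  # contractors: date the relationship ended

def first_match(rules, src_cidr, dst_cidr, proto, port):
    """Return the action of the first rule matching src->dst traffic; "deny" if none.
    A rule matches when its networks merely overlap the zone (conservative)."""
    src, dst = ip_network(src_cidr), ip_network(dst_cidr)
    for r in rules:
        if not (src.overlaps(ip_network(r.src)) and dst.overlaps(ip_network(r.dst))):
            continue
        if r.proto not in ("any", proto) or (r.port is not None and r.port != port):
            continue
        return r.action
    return "deny"

def segmentation_findings(rules, zones, controls_cidr):
    """zones maps a name to the CIDR of a network that must NOT reach OT services."""
    out = []
    for zone, cidr in zones.items():
        for (proto, port), service in OT_SERVICES.items():
            if first_match(rules, cidr, controls_cidr, proto, port) == "allow":
                out.append(f"segmentation: {zone} ({cidr}) can reach {service} on the controls VLAN")
    return out

def hygiene_findings(devices, accounts, today):
    out = []
    for d in devices:
        if d.internet_exposed:
            out.append(f"remote access: {d.name} ({d.ip}) is exposed to the internet; put it behind the VPN")
        if d.default_password:
            out.append(f"credentials: {d.name} still uses the vendor default password")
    for a in accounts:
        if a.shared:
            out.append(f"accounts: '{a.user}' is a shared login; issue individual credentials")
        if not a.mfa:
            out.append(f"accounts: '{a.user}' has no multi-factor authentication")
        if a.contract_end is not None and a.contract_end < today:
            out.append(f"accounts: contractor '{a.user}' ended {a.contract_end} but still has access")
    return out

# Constructed sample site: controllers live on the controls VLAN, remote service
# arrives through a VPN client pool (10.60.0.0/24), and three zones must be kept out.
CONTROLS = "10.50.0.0/24"
ZONES = {"office": "10.10.0.0/16", "guest-wifi": "192.168.100.0/24",
         "internet": "203.0.113.0/24"}
# Flat network: one permissive rule, so every zone reaches every controller.
FLAT_RULES = [Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "allow")]
# Segmented network: only the VPN pool reaches OT services; everything else is denied.
SEGMENTED_RULES = [
    Rule("10.60.0.0/24", CONTROLS, "udp", 47808, "allow"),
    Rule("10.60.0.0/24", CONTROLS, "tcp", 502, "allow"),
    Rule("0.0.0.0/0", CONTROLS, "any", None, "deny"),
]
DEVICES = [
    Device("AHU-1 controller", "10.50.0.21", default_password=True, internet_exposed=False),
    Device("supervisory server", "10.50.0.10", default_password=False, internet_exposed=True),
]
ACCOUNTS = [
    Account("owner-admin", shared=False, mfa=True, contract_end=None),
    Account("vendor", shared=True, mfa=False, contract_end=None),
    Account("hvac-tech-j", shared=False, mfa=True, contract_end=date(2024, 3, 31)),
]

def run_audit(rules, devices=DEVICES, accounts=ACCOUNTS, today=date(2025, 1, 1)):
    return segmentation_findings(rules, ZONES, CONTROLS) + hygiene_findings(devices, accounts, today)

if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(f"--- {label} network ---", *run_audit(rules), sep="\n")
```

Run against the flat rule set the audit reports all three zones reaching both OT services plus the five hygiene findings; against the segmented rule set only the hygiene findings remain, which is the point: the VLAN and the firewall policy remove the network exposure, and the remaining items (a default password, a server facing the internet, a shared vendor login without MFA, a departed technician's account) are exactly the housekeeping the owner should expect the controls partner to close out.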
We install and service the HVAC controls with these basics in place and coordinate with IT and, where a project warrants dedicated OT-security work, the appropriate specialists — within one accountable scope, claiming only what we self-perform.
Because modern BAS are networked and internet-connected — operators and contractors access them remotely and dashboards live on the network. That connectivity is useful but makes the control system reachable, and anything reachable can be attacked. It is part of operational technology (OT) security.
Network segmentation — keeping the controls network separate from the rest of the building’s IT, behind a firewall on its own VLAN rather than flat on the same network as office and guest devices. Segmentation prevents a problem on one network from automatically reaching the other.
Through a VPN or secure connection rather than a controller exposed directly to the internet, with strong unique credentials and multi-factor authentication where possible, and access revoked when a contractor relationship ends. An exposed controller with a default password is the classic avoidable failure.
A controls partner should install the system with network segmentation, secured remote access, changed default passwords, and documented credentials handed to the owner, coordinating with the building’s IT team. These are baseline professional practices, not premium add-ons, and owners should hold their own administrative credentials.
Suncoast Cold Systems installs, wires, and configures the HVAC controls integral to the mechanical systems we provide — and specifies open protocols (BACnet, Modbus, open supervisory platforms) so you own your building’s controls and data, with no proprietary dealer lock-in. Where a project calls for certified systems integration, we coordinate it within one accountable mechanical scope. Licensed Florida Class A Air Conditioning Contractor (FL #CAC1824642).