The commercial building you manage in Tysons, Reston, or Arlington is not just bricks, steel, and glass anymore. It is a networked system of interconnected devices: HVAC controllers, electronic access control panels, IP security cameras, elevator management systems, smart lighting, and building automation platforms — all connected to your network, and increasingly, to the internet. Each one of those connected systems is a potential entry point for an attacker.
For property management firms operating across Northern Virginia, building systems cybersecurity represents a new category of risk that traditional IT security programs do not address. Your office computers might be well-protected, but the BACnet controller managing your HVAC — running firmware from 2019 with a default password — is an open door that most security assessments never examine.
Why Building Systems Are Under Attack
Attackers target building systems for several reasons. First, these systems often provide a pathway into the broader corporate network: the 2013 Target breach began with network credentials stolen from an HVAC contractor, which were then used to reach Target's internal systems. Second, building systems can be held for ransom: imagine a July heatwave in Northern Virginia with your HVAC locked out by ransomware. Third, a compromised access control system is a physical security failure, since an attacker who controls the panel can unlock doors or erase the audit trail, a risk no property manager can tolerate.
For property management companies in the Washington DC metro area, the convergence of IT (Information Technology) and OT (Operational Technology) creates a security gap that neither your traditional IT provider nor your building automation vendor typically owns. Someone needs to bridge that gap — and that responsibility ultimately falls on the property manager.
Key Point: Building automation systems were designed for reliability and longevity, not security. Many devices running in NoVA commercial buildings today speak protocols (BACnet, Modbus, LonWorks) that, in the forms actually deployed, carry no authentication or encryption: any host that can reach the controller on the network can read and write its points. Secure variants such as BACnet/SC and Modbus/TCP Security exist, but they are rare in the installed base and often unsupported by older controllers. Security must therefore be layered around these systems, since for most of them it cannot be added natively.
Step-by-Step: Securing Building Systems
1. Inventory All Connected Devices
You cannot secure what you do not know exists. Conduct a comprehensive inventory of every networked device in your building: HVAC controllers, access control panels, IP cameras, elevator systems, lighting controllers, parking systems, fire alarm communicators, and any IoT sensors. Document the manufacturer, model, firmware version, network address, the protocols it speaks, and who has administrative access to each device. Prefer passive discovery (watching traffic on the automation segment) over aggressive active scanning, because some older controllers lock up or reboot when probed; where you do probe actively, use the protocol's own discovery messages during a maintenance window.
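As an added example (not code from the original article or from any BMS vendor), the script below does the discovery part of the inventory for BACnet/IP devices: it builds a Who-Is broadcast and decodes the I-Am replies, pulling out each controller's device instance, vendor ID, maximum APDU size and segmentation support. The frame layout follows the BACnet/IP standard; the UDP port binding, the bind address and the sample I-Am bytes are assumptions constructed for the example.

```python
import socket

# Added example, not code from the original article or any BMS vendor.
# Frame layout follows BACnet/IP (ASHRAE 135): BVLC header, NPDU, then APDU.
# Port binding, addresses and the sample reply are assumptions for this example.

BACNET_PORT = 47808  # 0xBAC0, the default BACnet/IP UDP port

def _encode_unsigned(value):
    """Minimal-length big-endian bytes, as BACnet encodes Unsigned values."""
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")

def build_who_is(low=None, high=None):
    """Who-Is APDU inside a global-broadcast NPDU and an Original-Broadcast BVLC."""
    apdu = bytes([0x10, 0x08])  # Unconfirmed-Request, service choice 8 = Who-Is
    if low is not None and high is not None:  # optional device-instance range
        lo, hi = _encode_unsigned(low), _encode_unsigned(high)
        apdu += bytes([0x08 | len(lo)]) + lo  # context tag 0: low limit
        apdu += bytes([0x18 | len(hi)]) + hi  # context tag 1: high limit
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])  # v1, DNET 0xFFFF, hop 255
    bvlc = bytes([0x81, 0x0B]) + (4 + len(npdu) + len(apdu)).to_bytes(2, "big")
    return bvlc + npdu + apdu

def _skip_npdu(buf, off):
    """Return the APDU offset, or None if the frame is a network-layer message."""
    control = buf[off + 1]
    off += 2
    if control & 0x20:                     # destination: DNET(2) DLEN(1) DADR
        off += 3 + buf[off + 2]
    if control & 0x08:                     # source: SNET(2) SLEN(1) SADR
        off += 3 + buf[off + 2]
    if control & 0x20:
        off += 1                           # hop count
    return None if control & 0x80 else off

def _read_tag(buf, off):
    """Decode an application tag header -> (tag number, length, data offset)."""
    tag = buf[off]
    if tag & 0x08:
        raise ValueError("context tag where an application tag was expected")
    number, lvt = tag >> 4, tag & 0x07
    if lvt == 5:                           # lengths over 4 live in the next byte
        return number, buf[off + 1], off + 2
    return number, lvt, off + 1

def parse_i_am(datagram):
    """Decode an I-Am reply; returns None for anything that is not one."""
    try:
        if datagram[0] != 0x81 or int.from_bytes(datagram[2:4], "big") != len(datagram):
            return None
        off = _skip_npdu(datagram, 4)
        if off is None or datagram[off] >> 4 != 0x01 or datagram[off + 1] != 0x00:
            return None                    # not Unconfirmed-Request / I-Am
        off += 2
        fields = []
        while off < len(datagram) and len(fields) < 4:
            number, ln, off = _read_tag(datagram, off)
            fields.append((number, int.from_bytes(datagram[off:off + ln], "big")))
            off += ln
    except (IndexError, ValueError):
        return None
    # I-Am carries exactly: ObjectIdentifier(12), Unsigned(2), Enumerated(9), Unsigned(2)
    if [n for n, _ in fields] != [12, 2, 9, 2]:
        return None
    obj, max_apdu, seg, vendor = (v for _, v in fields)
    return {
        "object_type": obj >> 22,          # 8 = Device object
        "device_instance": obj & 0x3FFFFF,
        "max_apdu": max_apdu,
        "segmentation": seg,               # 3 = no segmentation supported
        "vendor_id": vendor,               # resolve via the ASHRAE vendor ID registry
    }

# Constructed I-Am, hand-encoded for this example (not captured from a controller):
SAMPLE_I_AM = bytes.fromhex(
    "810b0018"      # BVLC: BACnet/IP, Original-Broadcast-NPDU, total length 24
    "0120ffff00ff"  # NPDU: version 1, global broadcast destination, hop count 255
    "1000"          # APDU: Unconfirmed-Request, service choice 0 = I-Am
    "c4020004d2"    # ObjectIdentifier: type 8 (Device), instance 1234
    "2205c4"        # Unsigned: max APDU length accepted = 1476
    "9103"          # Enumerated: segmentation supported = 3 (none)
    "2108"          # Unsigned: vendor ID 8
)

def discover(bind_ip="0.0.0.0", timeout=3.0):
    """Broadcast Who-Is on the attached segment and collect replies by sender IP."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.bind((bind_ip, BACNET_PORT))
        sock.settimeout(timeout)
        sock.sendto(build_who_is(), ("255.255.255.255", BACNET_PORT))
        try:
            while True:
                data, (sender, _) = sock.recvfrom(1500)
                info = parse_i_am(data)
                if info is not None:
                    found[sender] = info
        except socket.timeout:
            pass
    return found

if __name__ == "__main__":
    print(discover())  # run from a host plugged into the automation VLAN
```

Run it only from a host on the automation segment and with the building owner's authorization; Who-Is is a normal, low-volume message that every BACnet device is expected to answer, but the discovery results should be reconciled against the written inventory, since a device that answers but is not on your list is exactly the finding step 1 exists to surface.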
2. Segment Your Network
The single most impactful security measure for building systems is network segmentation. Building automation systems should sit in their own network zone (a dedicated VLAN behind a firewall, not merely a different IP range), separate from tenant Wi-Fi, management office computers, and the public internet. The firewall policy between zones should be default-deny and permit only the flows the systems actually need: the head-end server to its controllers and back, and a vendor jump host into the zone for maintenance, with no outbound path from controllers to the internet. If your BMS is compromised, segmentation contains the attacker and keeps them from reaching tenant data or your business systems; it also makes abnormal traffic easy to spot, because almost anything leaving the zone outside the permitted flows is suspect.
3. Eliminate Default Credentials
This sounds basic, but it is the most common vulnerability we find in Northern Virginia commercial properties. HVAC controllers with "admin/admin" passwords, cameras using "root/12345", and access control panels with factory default PINs. Change every default credential. Use unique, complex passwords. Store them in a password manager — not on a sticky note in the mechanical room.
4. Control Vendor Access
Your HVAC technician, elevator service company, and security system integrator all need remote access to their respective systems. That access must be controlled, monitored, and limited. Give each vendor (ideally each technician) a named account rather than a shared login, implement time-limited access sessions (not 24/7 open VPN tunnels), require multi-factor authentication for vendor logins, restrict each session to the vendor's own systems rather than the whole building network, and log all vendor activity for review.
5. Update Firmware Regularly
Building system manufacturers do release security patches, but most property managers never install them because "the system is working fine." Establish a quarterly firmware review process: check each manufacturer's site for updates, evaluate security patches, and schedule maintenance windows for installation. Back up each controller's configuration before flashing it, update one controller first and confirm it returns to normal operation before rolling the update out to the rest, and prioritize internet-facing devices and access control systems.
6. Monitor for Anomalies
Building systems behave predictably — HVAC cycles follow schedules, access badges are used during business hours, cameras record continuously. Deploy monitoring that alerts you to anomalies: unusual after-hours access attempts, unexpected network traffic from building devices, firmware changes outside maintenance windows, or new devices appearing on the OT network.
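The checks described above can be run over ordinary log exports. As an added example (not code from the original article), the script below applies three of them to constructed sample data: it flags badge events outside a Monday-to-Friday business-hours window, flags any source on the automation segment that is not in the step 1 inventory, and flags traffic leaving the automation segment to anything other than an allow-list, which doubles as a check that the step 2 segmentation boundary is holding. The subnet, inventory, allow-list, hours window and every log line are assumptions made up for the example.

```python
import ipaddress
import re
from datetime import datetime, time

# Added example, not code from the original article. The inventory, subnet,
# allow-list, business-hours window and every log line below are constructed
# for this example; a real deployment would feed in syslog from the access
# control head-end and flow records from the firewall guarding the BAS zone.

BAS_SUBNET = ipaddress.ip_network("10.50.1.0/24")   # assumed automation VLAN
INVENTORY = {                                        # assumed output of step 1
    "10.50.1.1": "BMS head-end server",
    "10.50.1.10": "AHU-1 controller",
    "10.50.1.20": "chiller plant controller",
}
ALLOWED_EXTERNAL = {"10.10.5.5", "10.10.5.123"}     # assumed vendor jump host, NTP
BUSINESS_HOURS = (time(7, 0), time(19, 0))           # assumed Mon-Fri window

BADGE_LOG = """\
2024-07-12T08:02:11 badge=1022 door=LOBBY result=GRANTED
2024-07-12T17:45:30 badge=1022 door=LOBBY result=GRANTED
2024-07-13T02:14:07 badge=4471 door=MECH-ROOM result=GRANTED
2024-07-13T02:16:40 badge=4471 door=NET-CLOSET-3 result=DENIED
"""

FLOW_LOG = """\
2024-07-12T09:00:01 src=10.50.1.10 dst=10.50.1.1 proto=udp dport=47808
2024-07-12T09:00:05 src=10.50.1.20 dst=10.10.5.123 proto=udp dport=123
2024-07-13T02:15:01 src=10.50.1.20 dst=203.0.113.9 proto=tcp dport=443
2024-07-13T02:15:09 src=10.50.1.77 dst=10.50.1.1 proto=udp dport=47808
"""

_KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """'<ISO timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    rec = dict(_KV.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def in_business_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() < 5 and start <= ts.time() < end

def badge_alerts(log):
    """Flag any badge event, granted or denied, outside the business-hours window."""
    alerts = []
    for line in log.splitlines():
        rec = parse_line(line)
        if not in_business_hours(rec["ts"]):
            alerts.append(("after_hours_badge", rec["ts"].isoformat(),
                           rec["badge"], rec["door"], rec["result"]))
    return alerts

def flow_alerts(log, inventory=INVENTORY, subnet=BAS_SUBNET, allowed=ALLOWED_EXTERNAL):
    """Flag unknown devices on the BAS segment and traffic leaving it unexpectedly."""
    alerts = []
    for line in log.splitlines():
        rec = parse_line(line)
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src not in subnet:
            continue                               # only police the automation zone
        if str(src) not in inventory:
            alerts.append(("unknown_device", rec["ts"].isoformat(), str(src)))
        if dst not in subnet and str(dst) not in allowed:
            alerts.append(("bas_egress", rec["ts"].isoformat(),
                           str(src), str(dst), rec["proto"], rec["dport"]))
    return alerts

def run(badge_log=BADGE_LOG, flow_log=FLOW_LOG):
    """All alerts from both sources, badge events first."""
    return badge_alerts(badge_log) + flow_alerts(flow_log)

if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

On the sample data this raises four alerts: two after-hours badge events at the mechanical room and a network closet on a Saturday night, a chiller controller opening an HTTPS connection to an internet address (a segmentation violation, and a classic ransomware or implant beacon), and a source on the automation VLAN that the inventory has never seen. Each of these is exactly the kind of event the paragraph above asks you to be told about, and none is visible from the office IT monitoring alone.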
Building Systems Security Checklist
- Complete inventory of all networked building systems and IoT devices
- Building automation network fully segmented from IT and tenant networks
- All default credentials changed to unique, complex passwords
- Vendor remote access controlled with time-limited sessions and MFA
- Firmware update schedule established (quarterly minimum review)
- Network monitoring deployed on building automation segments
- Physical access to network closets and control panels restricted
- Backup configurations maintained for all building system controllers
- Incident response plan includes building system compromise scenarios
- Annual penetration test includes building automation attack vectors, scoped so that active testing cannot disrupt live controllers
Insurance Note: Commercial property insurance and cyber insurance policies increasingly ask about building system security as a coverage condition. If you cannot demonstrate reasonable security measures for connected building systems, your claim may be denied in the event of a cyber-physical incident. Review your policy language with your broker.
Common Building Security Mistakes
After assessing commercial properties across Northern Virginia and the Washington DC metro area, we find the same critical gaps in building systems security:
- Flat networks connecting everything. When your building management system, tenant Wi-Fi, security cameras, and management office all share one network, a compromise of any single system puts the attacker one hop from everything else. This is the most dangerous and most common configuration we encounter.
- Vendor VPN tunnels running 24/7. Your elevator company does not need permanent remote access to your building. A VPN tunnel that is always active is a permanent open door. Require vendors to request access for specific maintenance windows and terminate connections when work is complete.
- Ignoring end-of-life equipment. Building controllers that no longer receive firmware updates from the manufacturer are permanently vulnerable. If a device cannot be patched, it must be isolated behind additional network controls, or replaced. Many NoVA properties still run controllers with Windows XP Embedded or unsupported firmware.
- No backup of system configurations. If ransomware encrypts your BMS controller, can you rebuild it? Without backed-up configurations (schedules, setpoints, programming), recovery means weeks of manual recommissioning. Back up controller configurations monthly, store them off-network, and test a restore at least once so you know the backups are actually usable.
- Physical security gaps for network infrastructure. Network switches, controllers, and access panels in unlocked closets or accessible ceiling spaces allow physical attacks that bypass all digital security. Lock down physical access to network infrastructure with the same rigor you apply to electrical rooms.
What Should You Do Next?
Start with a focused assessment by asking these three questions about each property in your portfolio:
- Do we have a complete inventory of every networked device in this building — not just IT equipment, but HVAC, access control, cameras, and IoT?
- Are building automation systems on a separate network from our management office and tenant systems?
- When was the last time firmware was updated on any building controller or IoT device?
If those questions reveal uncertainty — and they almost always do — your properties have unmanaged risk. JPert INC works with property management firms across Northern Virginia — from Class A office buildings in Tysons to mixed-use developments in Reston and Arlington — to secure the operational technology that keeps buildings running safely.
Schedule a free building systems security assessment and we will identify your most critical vulnerabilities before an attacker does.