The Regenerative Strategist
Welcome, and thank you for reading The Regenerative Strategist, a weekly update on harnessing the power of decarbonization, digitization, and enhanced data collection to deliver buildings of the future powered by renewable energy and automation.
Introduction
Picture the modern building tour. The lobby is spotless. The mechanical room looks like a catalogue. The marketing deck says: smart, efficient, sensor rich, future ready.
And then you open the small IT closet that nobody tours.
Inside is a workstation that runs the Building Management System. It might also host the access control front end, a camera viewer, or the energy dashboard. It is not glamorous, but it is the building’s nervous system. If that computer is out of support, the building can be new and already behind. 🧠🏢
Microsoft ended support for Windows 10 on October 14, 2025. Many BMS workstations and controller management tools still sit on Windows 10, or older, because they were installed for commissioning and never treated like a lifecycle asset. The hardware keeps running, but the security fixes stop. That is the cyber clock. ⏳
Now zoom out.
Memoori, a smart building research firm, estimates that commercial buildings carried just under 2 billion connected IoT devices by the end of 2024, and projects an installed base of about 4.12 billion by 2030. Each of those devices is a tiny computer with firmware, network access, and an eventual end of life date. 📈
This matters because of one simple concept: attack surface.
Attack surface is the total number of doors someone can try. Every device adds at least one door, sometimes several. Every remote connection adds another. Every account, port, gateway, protocol bridge, and forgotten vendor laptop adds another. The floor plan stays fixed, but the number of doors keeps rising. 🧩
Researchers are tracking what that looks like in the wild.
BitSight’s 2024 research on exposed industrial systems found global ICS and OT exposure jumped 12% and surpassed 180,000 monthly unique IPs, with the trend line pointing toward 200,000 in 2025. Building automation shows up in that internet facing footprint, right alongside energy and water. 🌐
Claroty’s Team82 looked specifically at building management system exposures across hundreds of organisations and found that 75% had BMS devices affected by known exploited vulnerabilities. 69% had BMS devices with vulnerabilities linked to confirmed ransomware attacks. 51% had BMS devices that combined all the worst ingredients: known exploited vulnerabilities, ransomware linkage, and insecure internet connectivity. ⚠️
The uncomfortable upgrade is this. We now build assets that behave like software, but we still hand them over like masonry.
This edition is a field guide to closing that gap in a way owners, developers, operators, and designers can actually use. No theatre. No tech circus. Just the practical logic of how to keep a building modern after day one. 🧰
This edition breaks the idea down in four parts, without the jargon:
1. The Device Flood 📡 Why smart buildings keep getting larger after handover, and why the lifecycle mismatch is the real risk.
2. Where Entry Happens 🌐 The ordinary pathways that turn building systems into internet targets.
3. Ransomware Meets Real Estate 💸 Why disruption, uptime, and safety now sit inside cybersecurity.
4. The Fix 🔧🧾 How to make buildings patchable, auditable, and governable, using requirements that survive contractor turnover.
A building is not just a place anymore. It is a running system. Let’s treat it like one.
1. The Device Flood: the building keeps growing after you open it 📡
We keep talking about a smart building rollout as if it ends when the ribbon is cut. In practice, most connected deployments are continuous. The building is finished, but the digital layer keeps accreting.
Here are the common growth forces that quietly add devices after handover:
First, tenants. A new tenant brings their own access control preferences, additional cameras, occupancy sensors, meeting room analytics, indoor air quality monitors, smart thermostats, and sometimes an entire parallel control stack. The landlord may never see the full inventory, but the network sees it.
Second, energy programmes. Utility incentives and performance contracts add submeters, wireless current sensors, fault detection packages, smart lighting controls, demand response gateways, and increasingly EV charging management. Decarbonisation and digitisation are now entangled. The path to lower carbon almost always passes through more connectivity.
Third, compliance and insurance. Requirements for monitoring, logging, and reporting push buildings to add more instrumentation. Carbon reporting, indoor air standards, grid interconnection rules, and cyber insurance questionnaires all nudge the device count upward.
Fourth, vendor sprawl. Every specialised subsystem is sold with its own cloud portal, its own gateway, and its own remote access expectations. HVAC controls, lighting, elevators, fire monitoring, security, water, and microgrid systems are often delivered as separate islands that only become integrated later.
That is the device flood. It is not a single wave. It is a permanent weather pattern. 🌧️
The hidden risk is not that devices exist. It is that devices age.
Most buildings are financed and designed on a multi decade horizon. Many digital components ship with support windows measured in single-digit years. Firmware updates stop. Operating systems go end of support. Integrators disappear. Contractors change. Passwords get lost. And suddenly the building has systems you cannot patch, but still depend on every day.
This is where attack surface becomes permanent. A door you cannot lock is not a door, it is a liability.
Owners already understand lifecycle in physical terms. Roofs. Boilers. Facades. Those assets come with service intervals, replacement planning, and capital reserves. The same logic has to apply to digital components, but we rarely write it into delivery.
One simple mental model helps. Every connected device is a micro-asset with its own service life curve. If you do not plan its replacement path, you will eventually be forced to choose between insecurity and expensive disruption.
A short timeline shows how this happens in real life:
Year 0: commissioning adds remote access so the integrator can tune sequences. The access is meant to be temporary. It stays.
Year 2: a tenant asks for more sensors and analytics. A vendor installs a gateway and a cloud connector. The inventory is not updated.
Year 4: the BMS workstation is still doing its job. Nobody touches it because it works. The security baseline drifts.
Year 7: a controller line reaches end of support. Replacement parts exist, but patches do not. The system becomes a permanent weak spot.
Year 10: the building is physically in its prime. Digitally, it is carrying legacy debt.
This is why a brand new building can be out of date. The building’s physical age and its digital age are no longer the same thing.
What do you do about it without turning your project into an IT project?
Start by naming the problem in the same language real estate already respects: service life and governance.
A practical move is to require a living digital asset register at handover. Not a PDF that dies in a folder. A register that lists every connected device, firmware version where available, network zone, remote access method, and owner of responsibility. The goal is not perfect data on day one. The goal is an updateable system.
Then pair that register with a lifecycle plan. Which components are expected to be replaced in 5 years, 10 years, 15 years? What is the support policy for controllers and supervisory servers? What does the vendor commit to? If the answer is not written, assume the building will carry the risk.
Smart buildings do not fail because they have technology. They fail because nobody owns the updates.
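The register and lifecycle plan described above, worked through as an added example that is not code from this newsletter: it audits a constructed handover register for out-of-support devices, missing owners and unknown firmware, and buckets devices into 5, 10 and 15 year replacement horizons. The column names, sample devices, firmware strings and support-end dates are all constructed assumptions; the Windows 10 end-of-support date is the one quoted earlier in the article.

```python
"""Lifecycle audit of a living digital asset register.
Added example, not code from the newsletter; the register columns, the sample
devices and their dates are constructed for illustration."""
import csv
import io
from datetime import date

# Constructed handover register with the fields the article asks for (device,
# firmware, network zone, remote access method, responsible owner) plus the
# vendor's support-end date, which the lifecycle plan needs.
SAMPLE_REGISTER = """\
device,role,firmware,zone,remote_access,owner,support_end
bms-ws-01,BMS workstation on Windows 10,22H2,ot-supervisory,vendor-vpn,,2025-10-14
bacnet-gw-01,BACnet/IP gateway,1.9,ot-supervisory,cloud-portal,integrator-a,2026-01-31
ahu-ctrl-03,AHU controller,4.2.1,ot-field,none,fm-team,2027-06-30
submeter-gw-02,Tenant energy submeter gateway,,tenant-lan,cloud-portal,,2032-12-31
lighting-ctrl-07,Lighting controller,3.0.5,ot-field,none,fm-team,2036-03-31
"""

def load_register(text):
    """Parse the CSV register into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def audit(devices, today, horizons=(5, 10, 15)):
    """Return (findings, plan).
    findings: (device, issue) pairs for the next hygiene review.
    plan: horizon in years -> devices whose support ends within that horizon,
          so replacement capital can be reserved like it is for roofs and boilers."""
    findings, plan = [], {h: [] for h in horizons}
    for d in devices:
        name = d["device"]
        end = date.fromisoformat(d["support_end"])
        if end <= today:
            findings.append((name, "out of support: security fixes have stopped"))
        if not d["owner"]:
            findings.append((name, "no responsible owner recorded"))
        if not d["firmware"]:
            findings.append((name, "firmware version unknown, patch state cannot be assessed"))
        years_left = (end - today).days / 365.25
        for h in horizons:            # first horizon the device falls inside
            if years_left <= h:
                plan[h].append(name)
                break
    return findings, plan

def audit_sample(today_iso="2025-11-01"):
    """Run the audit over the constructed register as of the given date."""
    return audit(load_register(SAMPLE_REGISTER), date.fromisoformat(today_iso))

if __name__ == "__main__":
    findings, plan = audit_sample()
    for name, issue in findings:
        print(f"{name}: {issue}")
    for horizon, names in plan.items():
        print(f"replace within {horizon} years: {', '.join(names) or 'none'}")
```

Run as of 1 November 2025, the sample flags the Windows 10 workstation as both unpatchable and ownerless, and puts three of five devices in the 5 year replacement bucket.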
2. Where Entry Happens: how buildings get exposed in the wild 🌐
Most building compromises are not Hollywood hacks. They are ordinary pathways left open. An exposed port. Default credentials. A remote desktop tool installed for commissioning and never removed. A vendor account that survives three contractor swaps. A BACnet gateway sitting on a flat network because segmentation felt inconvenient. 🔑
Attack surface is about doors. Exposure is about which doors are visible from the street.
BitSight’s work is useful here because it measures the internet, not the marketing deck. Their research shows that industrial systems are increasingly visible from the public internet again. When a building system is reachable from the outside, it becomes a low effort test target. Not because it is famous, but because it is there.
In buildings, exposure tends to cluster into four recurring patterns.
1) Direct internet exposure of OT protocols
Building automation protocols like BACnet and Modbus were designed for trusted environments. Claroty notes that these legacy designs often lack native encryption and strong authentication. When gateways or supervisory devices are placed directly on internet routable networks, the system can become reachable in ways the original designers never intended.
This is one reason the industry has pushed newer approaches like BACnet Secure Connect, which uses modern security techniques such as TLS and mutual authentication. The standards are evolving. The installed base is not. That gap is where risk lives. 🧱
2) Remote access that outlives commissioning
Remote access is the most common convenience that turns into permanent vulnerability. Integrators need it during installation. Vendors want it for maintenance. Operators accept it because it keeps things running. The problem is not remote access itself. The problem is unmanaged remote access: shared accounts, no multi factor authentication, no logs, and no clear revocation path.
If you can’t answer who has access today and how quickly you can remove it, you do not have control. You have permission drift.
3) Weak identity and credential hygiene
Default passwords and hardcoded credentials show up repeatedly in building systems. So does credential reuse, because it feels operationally efficient. Attackers love efficiency. Every reused password is a master key.
This is not a moral failure. It is a procurement failure. If secure identity is not required in specifications, systems will arrive insecure by default.
4) Flat networks and lateral movement
Many buildings still run IT and OT on networks that are too flat. Once an attacker lands on any part of the network, often via phishing or compromised credentials, they can move laterally into building systems. Segmentation is the difference between a small incident and a building wide incident.
Architects already understand compartmentation in fire design. You do not rely on one wall. You create zones so problems do not propagate. Network segmentation is the cyber equivalent of fire compartments.
So what reduces exposure in practice?
Asset inventory is the first real control. If you cannot answer what is connected, who can access it, and how it is segmented, you cannot reduce exposure. You can only hope your building is boring enough to be ignored. Hope is not a security strategy. 🧠
Then apply a simple rule: building systems should not be directly reachable from the public internet. Ever. If remote access is needed, it should go through controlled gateways, with multi factor authentication, logging, and tight time bounds.
This is not about perfection. It is about removing the easy wins that attackers exploit at scale.
Exposure is the part of cyber risk you can often fix without touching a single controller. It is mostly about architecture, access pathways, and discipline.
3. Ransomware Meets Real Estate: downtime is the real payload 💸
Ransomware used to be framed as an IT problem. In buildings, it becomes an operations problem.
Because once an attacker can reach systems that run HVAC, access control, cameras, lighting, elevators, or energy management, they can cause disruption without touching a tenant’s laptops. ⚡
In cybercrime, disruption is leverage. The building is leverage.
Claroty’s numbers are a reality check because they are not about theoretical flaws. They are about known exploited vulnerabilities, and many are tied to confirmed ransomware activity. Combine that with insecure internet connectivity, and the gap between flaw and incident shrinks fast. ⏱️
To understand why this matters for real estate, look at the risk in the language owners and operators already live with:
1) Business interruption
A building is a service. Its product is uptime: comfort, access, safety, and predictable operations. If the control layer is disrupted, tenant experience degrades immediately. Complaints spike. Work orders explode. Critical tenants (hospitals, labs, data centres) can face mission impact.
2) Safety and liability
Building systems touch physical conditions. Temperature control, ventilation, pressurisation, smoke management, elevator monitoring, and security are not just conveniences. They are safety relevant. An incident that interferes with those systems is not only a cyber issue. It is a duty of care issue.
3) Energy and decarbonisation performance
When building controls are compromised or disabled, operators often fall back to manual overrides and conservative setpoints. Energy use rises. Demand response participation fails. Performance guarantees can be missed. The same digital layer that enables decarbonisation can also become the bottleneck if it is not resilient.
4) Reputational signal and insurability
Cyber hygiene is becoming a condition of doing business. Insurers are already asking about controls, access pathways, segmentation, and incident response readiness. Increasingly, tenants and lenders will ask too. A building that cannot demonstrate basic cyber governance will be treated like a building that cannot demonstrate fire safety.
This is why the question is not “will cyber events happen?” The question is “can the building keep operating when they do?”
One scenario makes it concrete.
Monday, 8:10am. The BMS workstation shows a ransom note. The operator cannot see alarms or trends. HVAC zones drift. A few areas overheat because VAV control loops are blind. The helpdesk is flooded. Security cannot confirm camera feeds. A vendor account that nobody remembers is still active and might be the entry point. The facility team is improvising under pressure.
That is the real payload: time, disruption, and chaos.
Guidance from public agencies increasingly reflects this operational framing. The joint CISA, FBI, and NSA StopRansomware guidance emphasises that compromised credentials and unmanaged access pathways remain common initial infection vectors. In buildings, that often maps directly to vendor access and weak identity governance.
The practical conclusion is not to panic. It is to plan like an operator.
If you want resilience, you need three things: clear roles, rehearsed response, and a control layer that can be isolated and restored.
Cybersecurity in buildings is not a separate program. It is part of operational continuity.
4. The Fix: make the building patchable, auditable, and governable 🔧🧾
The goal is not to turn architects into cybersecurity engineers. The goal is to make cyber maintainability part of building reality, the same way drainage, fire egress, and commissioning are.
A patchable building is a building that can be updated safely over time. It is built for change, not just for day one.
Here is a playbook that consistently changes outcomes, written in owner language.
1) Design for segmentation early 🧱
Treat building systems as their own zones. Separate OT networks from corporate IT. Control the gateways between them. Make remote access go through monitored, authenticated paths. This is an architecture decision. It is easiest to do on paper, and hardest to retrofit.
2) Require a living asset inventory 📋
Every device, firmware version where possible, network zone, and remote account should exist in a handover register that can be updated. Claroty’s research makes the point brutally: you can have a small percentage of devices driving most of the risk. You cannot find those devices if you do not know what you have.
3) Contract for support, patching, and replacement 📆
If a vendor sells you a system, they should be obligated to support it, update it, and replace end of life components on a defined schedule. This is where real estate often loses. We buy systems like equipment, then discover they behave like subscriptions. Put the support obligations in the deal, not in goodwill.
Useful contract language tends to cover: minimum support term, maximum response time for critical vulnerabilities, defined patch windows, and a clear process for end of life replacement, including compatibility requirements.
4) Treat remote access as a privilege, not a convenience 🔐
Time bound access, multi factor authentication, logging, and the ability to revoke quickly should be non negotiable. If you do not have the ability to shut off third party access fast, you do not have control. You have a dependency.
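The review this rule calls for, and the “who has access today, and how fast can you remove it” question from the section on remote access that outlives commissioning, as an added example that is not code from this newsletter: it checks a constructed list of third party remote access grants for missing expiry, expired-but-active grants, grants longer than a policy window, missing multi factor authentication, and grants nobody has used recently. The record format, the 30 day and 90 day policy limits and the sample accounts are all constructed assumptions.

```python
"""Review third-party remote access grants into building systems.
Added example, not code from the newsletter; the record format, policy limits
and sample grants are constructed assumptions."""
from datetime import date

# Policy assumptions (constructed): every grant expires within 30 days, every
# grant uses MFA, and a grant unused for 90 days is treated as forgotten.
MAX_GRANT_DAYS = 30
STALE_AFTER_DAYS = 90

# Constructed sample: one record per remote path into a building system.
# Dates are ISO strings; None means nothing is on record.
SAMPLE_GRANTS = [
    {"account": "integrator-a", "system": "BMS supervisory", "mfa": True,
     "granted": "2025-10-20", "expires": "2025-11-19", "last_used": "2025-11-03"},
    # Year 0 commissioning access that was meant to be temporary and stayed
    {"account": "commissioning-svc", "system": "BMS workstation", "mfa": False,
     "granted": "2019-03-01", "expires": None, "last_used": "2023-05-12"},
    {"account": "lighting-vendor", "system": "Lighting controller", "mfa": True,
     "granted": "2025-09-01", "expires": "2025-09-30", "last_used": "2025-09-28"},
    {"account": "elevator-oem", "system": "Elevator monitoring", "mfa": False,
     "granted": "2025-11-01", "expires": "2025-11-30", "last_used": None},
]

def parse_date(s):
    """ISO string -> date, or None when the field is empty."""
    return date.fromisoformat(s) if s else None

def review_grant(g, today):
    """Return the reasons a grant fails policy; an empty list means it passes."""
    granted, expires = parse_date(g["granted"]), parse_date(g["expires"])
    reasons = []
    if expires is None:
        reasons.append("no expiry: permanent access")
    elif expires < today:
        reasons.append("expired but still active")
    elif (expires - granted).days > MAX_GRANT_DAYS:
        reasons.append(f"grant window exceeds {MAX_GRANT_DAYS} days")
    if not g["mfa"]:
        reasons.append("no multi factor authentication")
    last_seen = parse_date(g["last_used"]) or granted   # never used: count from grant
    if (today - last_seen).days > STALE_AFTER_DAYS:
        reasons.append(f"unused for more than {STALE_AFTER_DAYS} days")
    return reasons

def who_has_access(grants, today):
    """Who can reach what today: the question the article says you must answer."""
    return sorted((g["account"], g["system"]) for g in grants
                  if parse_date(g["expires"]) is None or parse_date(g["expires"]) >= today)

def revocation_list(grants, today):
    """Account -> reasons, for every grant that needs action at the review."""
    return {g["account"]: r for g in grants if (r := review_grant(g, today))}

def review_sample(today_iso="2025-11-05"):
    """Run both checks over the constructed sample as of the given date."""
    today = parse_date(today_iso)
    return who_has_access(SAMPLE_GRANTS, today), revocation_list(SAMPLE_GRANTS, today)
```

As of 5 November 2025 the forgotten commissioning account still has access and fails on all three counts, which is exactly the record a quarterly hygiene review exists to surface.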
5) Add cyber commissioning ✅
Commissioning is already the moment we verify that systems work as designed. Cyber commissioning adds a small set of checks: default credentials removed, unused services disabled, ports closed, segmentation implemented, backup and restore validated, documentation delivered, and the asset register populated.
This is not theoretical. It is the difference between an operable building and a fragile building.
6) Govern it like infrastructure 🧠
The missing piece in many buildings is not technology. It is ownership. Who is responsible for updates, and with what budget? Who reviews remote access? Who keeps the inventory current when tenants change? Who tests restores?
Governance can be light, but it must exist. A simple model is to assign a building digital owner, define quarterly hygiene reviews, and align patch windows with operations. The building already has scheduled downtime for filters and inspections. Patching becomes part of that rhythm.
Standards help here because they formalise responsibilities. NIST SP 800-82 Rev. 3 frames OT security in terms of typical system topologies, threats, vulnerabilities, and recommended safeguards, and it aligns security controls with risk impact. ISA/IEC 62443 provides a lifecycle framework that explicitly distributes responsibility across asset owners, integrators, and product suppliers. Use standards as a backbone for requirements, not as paperwork afterthoughts.
Finally, remember the mindset shift.
Buildings have Patch Day now. They just do not know it.
If we design handover so the building can be patched, audited, and governed, digitisation becomes an advantage instead of a slow liability. 🏢🔒
Conclusion
The future smart building is not defined by how many devices it has. It is defined by whether those devices can be managed safely over time. 📅
Memoori’s device curve tells you scale. BitSight’s exposure curve tells you visibility. Claroty’s BMS findings tell you exploitability. Put together, the message is simple: the built environment is becoming a cyber physical system at planetary scale. 🌍
The strategic takeaway is not paranoia. It is governance.
Treat digital infrastructure like building infrastructure. Budget for updates. Design for access. Write requirements that survive contractor turnover. Measure what is connected, then keep measuring. That is how you keep a building modern after day one. 🧠
One final note for the regenerative crowd. Decarbonisation is increasingly software mediated. If the control layer is fragile, the carbon strategy is fragile too. Cyber hygiene is not separate from performance. It is a prerequisite for it.