
Steps to Enhance OT Security in Autonomous Buildings

Five steps to better protect automated buildings from evolving threats.


Many building decision-makers are turning to automation to gain a competitive edge – driving greater operational technology (OT) efficiency, cost savings and improved experiences for both operators and occupants. However, as the number of autonomous and connected buildings has increased, so too has the frequency of cyber-attacks.

A global report from Palo Alto Networks found that nearly 70 percent of organisations polled experienced a cyberattack on their OT environment in the past year, with almost a quarter forced to halt operations as a result. The repercussions of such incidents can persist for weeks or even months, disrupting business continuity, safety and security.

Today, the risks extend beyond cyber-attacks. If exploited, OT data can reveal building usage patterns, allowing bad actors to determine when properties are unoccupied and more vulnerable. This can create serious physical security risks, particularly for remote or unmanned sites.

Now, more than ever, building operators need to take a proactive, integrated approach to safeguarding their security infrastructure.

Take stock of the building’s cybersecurity posture

Modern building management systems (BMS) rely on massive amounts of data to optimise lighting, HVAC, plug loads and other building functions. While this data is essential for automation, it must be stored and accessed securely to prevent unauthorised access.

Conducting a cybersecurity assessment can help building operators understand their vulnerabilities. This process should include:


  • Discovery and inventory of assets to map out the control network’s OT and IoT devices and communication patterns – what they are and where they are. If an asset is not properly documented, it is likely an unmanaged liability.

  • Identification of anomalies, vulnerabilities and threats that may affect or are currently affecting the BMS and associated OT network. These could present an open window for bad actors to infiltrate, and no one would know until it is too late.

  • Tracking the version of operating systems or firmware on each asset and determining when updates or patches are required. This can help building operators stay on top of security updates and schedule upgrades and migrations well in advance to reduce vulnerability.

Many organisations opt for third-party cybersecurity assessments, which provide a clear, actionable roadmap for improving security and minimising risk. Once this fundamental assessment is complete, building operators can detect threats more quickly and prioritise the aspects that need urgent attention.

Monitor for threats as they happen

Autonomous buildings operate around the clock, making real-time security oversight essential. Threats are not only digital – physical security risks, such as unauthorised personnel attempting to access restricted areas, must also be addressed. The risk is even greater in remote or unmanned locations, where traditional security measures may be insufficient.

A multi-layered security approach that combines cyber and physical security can help mitigate these risks. Cloud-connected access control solutions, such as LenelS2 and Honeywell's OnGuard Cloud and Elements, allow security teams to monitor activity across multiple locations in real time. These technologies enhance threat detection and response capabilities by providing visibility over both digital and physical security events.

For instance, a building's security framework can be strengthened by implementing zoned security levels with different access permissions. By integrating perimeter security with video surveillance and AI-powered anomaly detection, operators can be alerted to suspicious activity the moment it occurs.

In locations where security personnel are not always present, cloud-based platforms enable remote monitoring and automated incident response, ensuring sites remain protected at all times.

Expect the unexpected

Attacks can come from anywhere. In fact, there’s a threat that many building operators may not consider, and it may be sitting right in their pockets: a USB device.

According to Honeywell’s 2024 USB Threat Report, 51 percent of malware attacks are designed for USB devices, representing a nearly six-fold increase since the 2019 report.

Removable media is increasingly used in targeted attack campaigns, demonstrating how attackers are relying on “living off the land” (LotL) strategies to use legitimate tools for malicious activities.

Building operators should be aware of these evolving threats and establish a clear USB security policy as part of their OT cybersecurity effort. Additionally, organisations must consider where other LotL entry points exist in and around their specific buildings.

Plan for the worst-case scenario

Even with the best preventative measures in place, no security system is completely immune to attacks. A well-defined incident response plan is essential for minimising disruption and damage in the event of a breach.

The first step is to establish a dedicated incident response team with clearly defined roles and responsibilities. Next, operators should outline clear procedures and a classification system for identifying and responding to security incidents.

Regular drills, such as tabletop exercises and live simulations, can ensure the team is informed and able to respond when an incident occurs. After each drill, building operators can review the actions against the plan to identify any gaps or weaknesses.

Train and empower employees

The weakest point in most security strategies is often human error. A 2024 study by cybersecurity firm KnowBe4 found that, without any security awareness training, over one third of employees (34.3 percent) were susceptible to phishing attacks. However, that number dropped to 18.9 percent after just 90 days of training and to only 4.6 percent after a year.

While people can be the greatest liability to building security, they can also be an important part of the solution. Creating a security-first culture with strong passwords, multi-factor authentication, role-based access control and ongoing communication across teams and departments will enable employees to help prevent and detect security threats.

By following these five steps, building operators can significantly enhance the security of their autonomous buildings. Taking a proactive, multi-layered approach – combining cyber protection, physical security and well-trained personnel – ensures that both people and data remain protected while allowing for seamless building operations.

As security threats continue to evolve, organisations must remain vigilant, adapting their security strategies to stay ahead of emerging risks. The most effective security frameworks are integrated, continuous and resilient, enabling buildings to operate efficiently while maintaining the highest levels of safety and protection.



Gareth Ellams, General Manager for Security and Access Solutions for Europe and the UK, Honeywell
