Wired Insecure: Automation System Exposes Building Entry Weakness
__________________________________________________________________
The Challenge
In January 2025, Crestview Holdings, a national real estate investment and property management firm, suffered a serious operational disruption when tenants across multiple office complexes reported failures in their smart entry systems. Doors would not unlock, access badges stopped responding, and digital visitor logging kiosks were unresponsive. What appeared to be a routine outage quickly revealed a deeper cybersecurity issue.
An internal investigation confirmed that the affected sites all relied on an aging building automation network connected directly to the corporate administrative environment. The systems had been installed years earlier and were never segmented from core business networks. Weak passwords, default manufacturer credentials, and outdated firmware had left the environment wide open to exploitation.
The incident was first detected when a tenant complained about after hours access anomalies. Logs later showed repeated unauthorized connections from a foreign IP address that had issued remote configuration commands to door controllers. Fortunately, the attacker did not move laterally into tenant or payment systems, but the event forced an emergency shutdown of automated building controls for several days.
The Office of the Privacy Commissioner of Canada was notified under the Personal Information Protection and Electronic Documents Act (PIPEDA) because digital visitor logs included names, phone numbers, and timestamps that could identify individuals. Regulators questioned why the firm’s automation vendor had been permitted to operate without regular security audits or patching requirements.
Our Solution
We were brought in to restore stability, contain exposure, and modernize network security around building automation assets. The first step was to isolate operational technology devices from administrative networks. Temporary firewalls and strict access control lists were implemented to ensure only authorized maintenance connections could reach controllers.
Next, our team performed a comprehensive review of all connected devices, identifying unpatched firmware, unused interfaces, and weak authentication protocols. Each vulnerability was ranked by severity, and a phased mitigation plan was established to avoid downtime for tenants.
We coordinated with the automation vendor to deploy updated firmware across hundreds of controllers and introduced endpoint security agents that continuously monitor for abnormal network activity. Procurement policies were rewritten to require cybersecurity compliance for all smart building technologies. Governance responsibility for physical system connectivity was transferred from facilities management to the corporate security office, ensuring unified oversight.
Within three months, Crestview restored full automation capabilities without further incident. A follow up penetration test verified the integrity of both networks. The modernization not only satisfied regulators but also enhanced tenant confidence in the safety of digital building operations.
The Value
Crestview transformed a costly near miss into an opportunity to strengthen resilience and rebuild trust. Executive leadership gained visibility into operational technology risks that had previously gone unnoticed, while the company’s vendors adopted higher security standards across all managed properties.
Implementation Roadmap
1. Segregate all building automation devices from administrative networks.
2. Apply firmware updates and enforce multifactor authentication for system access.
3. Conduct third party audits on all automation vendors.
4. Integrate security requirements into procurement and design standards.
5. Schedule annual penetration testing of physical system interfaces.
