Secure-by-Design: How Facility Managers Protect Infrastructure

Operational systems in modern buildings have evolved into critical infrastructure, but many remain vulnerable to cyberattacks. Operational technology (OT) such as HVAC, lighting, and access control systems is typically deployed for its functionality, not for its ability to protect against cyberattacks. Even though advancements in automation have brought OT online and integrated it into broader network operations, these systems are still often excluded from security assessments and treated as isolated assets.
Thousands of building management systems (BMS) are running on outdated software and are exposed to significant risk. Research has found nearly 70,000 OT devices in commercial and industrial facilities accessible to public networks. Many of these were installed with minimal safeguards, making them easy targets for attackers. As physical infrastructure becomes more digitally connected, facility managers are being pulled into the conversation about how to prevent cyber risks and strengthen operational resilience.
Lessons From Other Environments
Cybercrime does not discriminate. Industries like energy, utilities, and manufacturing have been hit hard as OT systems become more internet-facing. Recent surveys show 77% of organizations in these sectors experienced a successful cyberattack affecting their OT systems in the last year. More than half expect additional attacks within the next twelve months, particularly against older systems running unpatched software.
These challenges are far from isolated. The same systems, i.e., lighting, controls, HVAC, printers, and thermostats, are in use throughout commercial facilities and often maintained with even less rigorous security protocols. The risks are growing, and the lessons from these sectors are relevant. OT systems must be managed with long-term oversight and built-in protections from the start.
Safeguard Operations From the Start
Securing BMS from the beginning is the most effective way to prevent cyberattacks. A Secure-by-Design architecture builds cybersecurity directly into the systems that manage a building’s infrastructure, rather than relying on bolted-on solutions after deployment.
This includes replacing legacy communication protocols that were never built for secure networking with encrypted standards such as BACnet Secure Connect (BACnet/SC). It also means using certificate-based authentication to ensure only authorized devices can connect to the system. Instead of allowing remote access points that bypass security settings, Secure-by-Design architectures route communications through centralized, protected platforms. These practices give facilities teams the tools and safeguards they need before problems emerge.
What Secure-By-Design Architecture Looks Like in Buildings
A Secure-by-Design approach shifts the model from reactive to preventive. It ensures that controllers and systems communicate over encrypted, trusted networks. In most commercial buildings today, unauthorized access is still too easy, whether it is plugging into open ports, exploiting unsecured HVAC software, or remotely accessing panels through weak firewall configurations.
Secure-by-Design replaces these weak links with a unified architecture: strong authentication across all layers, encrypted device communication, and centralized oversight. It adopts a zero-trust model, treating every internal connection as untrusted until verified. This prevents lateral movement and keeps unauthorized users from accessing systems through overlooked vulnerabilities.
Save on Security and Costs
For facilities managers, security failures have real-world consequences. Downtime, unplanned service calls, and tenant disruption all impact budgets and reputations. Embedded security systems reduce the likelihood of costly outages and improve the maintainability of the infrastructure over time. They also reduce the strain on staff and IT resources by centralizing access, improving visibility, and preventing the need for reactive fixes.
Research says that cyber incidents involving OT systems are expected to cost organizations across the globe up to $300 billion annually. Facilities that adopt Secure-by-Design principles, such as encrypted communication, centralized access management, and certificate-based verification, report fewer disruptions, better collaboration across IT and facilities teams, and greater confidence. When security becomes a source of operational efficiency, its role expands beyond that of a protective layer.
Organizations that prioritize security through embedded controls such as encrypted communication, centralized access, and certificate-based authentication report fewer service disruptions, reduce risk escalation, and have more collaboration between IT and facilities teams.
Secure-by-Design also helps reframe a long-standing misconception, i.e., that cybersecurity in operational technology (OT) systems undermines safety or uptime. Traditionally, IT has focused on confidentiality, integrity, and availability, while OT has prioritized safety, then availability, and lastly, integrity. Secure-by-Design eliminates the need for this tradeoff. It embeds protections that reinforce safety and ensure uptime without compromising operational performance. By turning controllers into active components of the security architecture and adopting a zero-trust model, Secure-by-Design strengthens every layer from human interaction to the physical infrastructure it supports. This approach protects the physical infrastructure against the evolving cyber threats OT systems face.
Call to Action for Facilities Managers
Facilities managers have a central role in building security resilience, starting with cataloging all active OT equipment, including the connected systems, communication methods, and any potential gaps. The next priority: work with vendors and integrators from the start so every deployment includes embedded security, not just surface-level protections.
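One way to keep the catalog described above and check each entry against the Secure-by-Design practices named earlier, shown as an added example that is not part of the original article. The subnet, the list of protocols treated as legacy, the field names, and the sample devices are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumptions for this example: the building's own OT subnets, and the
# protocols treated as legacy because they carry no encryption of their own.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
LEGACY_PROTOCOLS = {"BACnet/IP", "Modbus/TCP"}

@dataclass
class OTDevice:
    name: str
    system: str         # HVAC, lighting, access control, ...
    address: str        # IP address the device answers on
    protocol: str       # communication method
    cert_auth: bool     # authenticates with a device certificate
    remote_access: str  # "central", "direct" or "none"

def find_gaps(dev):
    """Return the security gaps recorded for one catalogued device."""
    gaps = []
    ip = ipaddress.ip_address(dev.address)
    if not any(ip in net for net in INTERNAL_NETS):
        gaps.append("address outside the declared building networks")
    if dev.protocol in LEGACY_PROTOCOLS:
        gaps.append(f"legacy protocol {dev.protocol}, candidate for BACnet/SC")
    if not dev.cert_auth:
        gaps.append("no certificate-based authentication")
    if dev.remote_access == "direct":
        gaps.append("remote access bypasses the central platform")
    return gaps

def audit(inventory):
    """Map device name -> gaps, devices with the most gaps first."""
    ranked = sorted(inventory, key=lambda d: len(find_gaps(d)), reverse=True)
    return {d.name: find_gaps(d) for d in ranked}

# Constructed sample inventory (not real devices or addresses).
INVENTORY = [
    OTDevice("light-gw", "lighting", "10.20.4.7", "BACnet/SC", True, "central"),
    OTDevice("ahu-1", "HVAC", "203.0.113.10", "BACnet/IP", False, "direct"),
    OTDevice("door-ctl", "access control", "10.20.8.2", "BACnet/SC", False, "none"),
]

if __name__ == "__main__":
    for name, gaps in audit(INVENTORY).items():
        print(name, "OK" if not gaps else "; ".join(gaps))
```

The ranked output gives facilities and IT teams a shared starting list for vendor and integrator conversations.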
Collaboration with IT during the planning stage is equally important. This approach provides teams with a better view of potential weak points, enhances system configuration, and enables everyone in the organization to address risks proactively rather than reactively.
Connected buildings have expanded the responsibilities of facility managers. Security now belongs squarely within that scope. Secure-by-Design architecture offers a clear path forward. It is not just a framework, but a process that protects people, places, and operations from escalating threats. While this model is already in place across high-security environments, the need for broader adoption is growing.
Ken Kurz, CIO, COPT Defense Properties, has more than 20 years of operational leadership responsibility, including roles as a Chief Information Security Officer (CISO) in higher education at multiple research universities and a Chief Information Officer (CIO) in a publicly traded company. He has extensive experience in designing, implementing, assessing, securing, remediating, and monitoring network technologies for higher education, non-profit, military, government, and private sector information systems.
