Cybersecurity in Commercial Energy Systems: Protecting Your Operations
Discover how to protect your commercial building's energy systems from cyberattacks. Covers the top 5 threats to smart buildings and HVAC systems, an actionable security checklist, and how a proactive energy strategy reduces your Illinois business's exposure.
Last updated: 2026-03-26
Your building's energy systems—the HVAC controls, building automation system, smart meters, and increasingly sophisticated energy management platforms—are connected to the internet. That connectivity creates enormous operational and financial value. It also creates a cybersecurity exposure that most Illinois business owners have never seriously considered.
The 2021 attack on the Oldsmar, Florida water treatment facility, where an attacker gained remote access and attempted to raise sodium hydroxide levels to dangerous concentrations, was a wake-up call for operational technology (OT) security across all infrastructure sectors. Commercial building energy systems present similar vulnerabilities—and the threat landscape has grown significantly more sophisticated since then.
This isn't a theoretical risk. According to IBM's X-Force Threat Intelligence Index, attacks on operational technology systems increased by 25% in 2023 alone. Building automation security is now a recognized category within the broader OT/ICS (industrial control system) security discipline—and commercial facility operators ignore it at real peril.
This guide walks through the specific threats facing Illinois commercial buildings, provides an actionable security checklist, and explains how a proactive energy strategy can actually strengthen your cybersecurity posture.
Is Your Building's Energy System an Open Door for Hackers?
The modern commercial building is, by necessity, a networked facility. Building automation systems (BAS), smart meters with two-way communication, HVAC controllers, lighting management systems, access control, and energy management platforms all require network connectivity to deliver their value. And that connectivity—when not properly secured—creates pathways for unauthorized access.
Why Commercial Building Energy Systems Are Vulnerable
Legacy systems with modern connectivity: Many commercial buildings operate BAS equipment installed in the 1990s or 2000s, running software that predates modern cybersecurity practices. These systems were designed for isolated, proprietary networks—not for internet exposure. But facility operators have often added internet connectivity to these legacy systems for remote monitoring and management without upgrading their security posture.
Insecure-by-default protocols: Many building automation protocols—BACnet, Modbus, LonTalk—were designed for reliable communication on private networks, not for security against adversarial attacks. They often transmit data without encryption and lack robust authentication mechanisms.
Vendor and contractor access points: HVAC contractors, elevator maintenance companies, and energy management vendors commonly maintain remote access to building systems for monitoring and maintenance. Each of these access points is a potential entry vector if not properly managed.
Misconfigured cloud connections: Energy management platforms that pull data from your building systems to cloud analytics applications create data flows that can be exploited if access controls are misconfigured.
Shodan visibility: The Shodan search engine (often called "the Google for the Internet of Things") allows anyone to search for internet-exposed building systems by protocol, manufacturer, location, and type. Improperly secured building automation systems in Chicago and other Illinois cities appear in Shodan searches regularly, making them visible to threat actors worldwide.
The Business Impact of a Building Energy System Breach
What can actually happen if a threat actor gains access to your building's energy systems?
- HVAC manipulation: Disrupting temperature controls can make facilities unusable for employees and customers, damage temperature-sensitive inventory, or compromise data center cooling
- Ransomware deployment: Building automation networks are increasingly targeted as entry points for ransomware attacks against broader corporate IT systems
- Energy fraud: Manipulating meter data or building controls to enable fraudulent energy billing
- Physical sabotage: Overriding safety limits on equipment, forcing compressor failures, or disabling fire safety systems
- Regulatory exposure: Healthcare facilities, food processors, and other regulated industries face serious regulatory consequences if building system compromises affect product safety or patient care
- Data exfiltration: Energy usage patterns can reveal occupancy schedules, production runs, and operational details that constitute sensitive business intelligence
The 5 Biggest Cyber Threats Targeting Your Commercial Building Right Now
Threat 1: Remote Access Exploitation
The single most common entry point for attacks on commercial building systems is unauthorized exploitation of legitimate remote access capabilities. HVAC contractors, energy management vendors, and facility managers commonly access building systems via VPN, RDP (Remote Desktop Protocol), or proprietary vendor portals—often with weak passwords, no multi-factor authentication, and no audit logging.
According to CISA (Cybersecurity and Infrastructure Security Agency), unauthorized remote access is the most common initial access vector for attacks on industrial control systems.
Mitigation:
- Require multi-factor authentication (MFA) for all remote access to building systems
- Implement time-limited, session-specific access for vendors rather than persistent credentials
- Log all remote access sessions and review regularly
- Segment vendor access to specific systems rather than providing broad network access
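One way to carry out the "log and review" step is to compare each vendor session against what that account was approved for. The script below is an added example, not part of the original guide; the CSV columns, account names, and grant register are assumptions made up for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample export from a VPN or jump host (column names are assumptions).
SESSIONS_CSV = """\
start,account,vendor,mfa,target
2026-03-02T09:14:00,hvac-acme-jlee,AcmeHVAC,yes,chiller-plant
2026-03-02T23:41:00,hvac-acme-jlee,AcmeHVAC,no,chiller-plant
2026-03-03T10:05:00,bas-vendor,ControlsCo,yes,bas-server
2026-03-03T10:20:00,bas-vendor,ElevatorCo,yes,bas-server
2026-03-04T11:00:00,ems-rkim,EnergyCo,yes,lighting-ctl
"""

# Hypothetical grant register: approved targets, hours, and expiry per account.
GRANTS = {
    "hvac-acme-jlee": {"targets": {"chiller-plant"}, "hours": range(7, 19),
                       "expires": datetime(2026, 6, 30)},
    "bas-vendor": {"targets": {"bas-server"}, "hours": range(7, 19),
                   "expires": datetime(2026, 6, 30)},
    "ems-rkim": {"targets": {"meter-gateway"}, "hours": range(7, 19),
                 "expires": datetime(2026, 2, 28)},
}


def audit_sessions(csv_text, grants):
    """Return (start, account, finding) tuples for sessions that need review."""
    findings = []
    vendors_seen = {}  # account -> set of vendors that have used it
    for row in csv.DictReader(io.StringIO(csv_text)):
        start = datetime.fromisoformat(row["start"])
        account = row["account"]
        issues = []
        if row["mfa"].strip().lower() != "yes":
            issues.append("no MFA")
        grant = grants.get(account)
        if grant is None:
            issues.append("no recorded grant")
        else:
            if start > grant["expires"]:
                issues.append("credential past expiry")
            if start.hour not in grant["hours"]:
                issues.append("outside approved hours")
            if row["target"] not in grant["targets"]:
                issues.append("target outside granted scope")
        vendors = vendors_seen.setdefault(account, set())
        vendors.add(row["vendor"])
        if len(vendors) > 1:
            issues.append("account shared across vendors")
        findings.extend((row["start"], account, issue) for issue in issues)
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(SESSIONS_CSV, GRANTS):
        print(*finding, sep=" | ")
```

Each finding maps to one of the mitigations above: MFA, time-limited credentials, per-vendor accounts, and scoped access.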
Threat 2: Ransomware via Building Automation Networks
Building automation networks are increasingly used as lateral movement pathways by ransomware attackers who initially compromise building management workstations. Once inside the BAS network, ransomware can spread to building controllers, disabling HVAC, lighting, and access control while simultaneously encrypting the facility management workstation.
The cost of ransomware attacks on commercial facilities has escalated dramatically. The average commercial ransomware payment in 2024 exceeded $2.5 million, according to Sophos's State of Ransomware Report—and that excludes downtime, recovery costs, and reputational damage.
Mitigation:
- Network segmentation between building automation systems and corporate IT networks
- Regular, tested backups of building system configurations
- Endpoint detection and response (EDR) on building management workstations
- Incident response planning that specifically includes building system recovery
Threat 3: Firmware and Supply Chain Attacks
Building automation equipment—HVAC controllers, smart meters, energy management gateways—contains firmware that is increasingly targeted by sophisticated threat actors. Compromised firmware can enable persistent access that survives typical remediation efforts and is extremely difficult to detect.
The 2020 SolarWinds attack demonstrated the scale of damage possible through supply chain compromise. While that attack targeted IT software, similar tactics are being applied to operational technology. Malicious firmware in a building automation controller or smart meter gateway could provide persistent access across an entire commercial portfolio.
Mitigation:
- Maintain an inventory of all connected building equipment with current firmware versions
- Subscribe to vendor security advisories and apply firmware updates promptly
- Source equipment only from verified, reputable channels
- Consider third-party security assessments for high-value or critical facility deployments
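The inventory and advisory steps can be reconciled in one pass. This added example (not from the original guide) checks a documented inventory against vendor fixed-version notices and against the devices actually seen on the building network; all device names, models, versions, and MAC addresses are constructed for illustration.

```python
# Constructed inventory: MAC -> (device name, model, firmware version).
INVENTORY = {
    "00:11:22:aa:00:01": ("AHU-1 controller", "CTRL-900", "4.2.1"),
    "00:11:22:aa:00:02": ("Chiller gateway", "GW-200", "2.10.0"),
    "00:11:22:aa:00:03": ("Meter gateway", "GW-200", "2.9.3"),
    "00:11:22:aa:00:04": ("Lighting panel", "LP-50", ""),
}

# Constructed advisory data: model -> first firmware version containing the fix.
ADVISORIES = {"CTRL-900": "4.2.0", "GW-200": "2.10.0"}

# Constructed list of MACs observed on the BAS network (e.g. from switch tables).
OBSERVED = {
    "00:11:22:aa:00:01", "00:11:22:aa:00:02",
    "00:11:22:aa:00:03", "00:11:22:bb:00:99",
}


def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so that 2.10.0 sorts above 2.9.3."""
    return tuple(int(part) for part in text.split("."))


def review_inventory(inventory, advisories, observed):
    """Group findings: outdated, unknown_version, not_seen, unlisted."""
    report = {"outdated": [], "unknown_version": [], "not_seen": [], "unlisted": []}
    for mac, (name, model, version) in sorted(inventory.items()):
        if mac not in observed:
            report["not_seen"].append(name)  # documented but absent from the network
        if not version:
            report["unknown_version"].append(name)  # cannot be matched to advisories
        elif model in advisories:
            fixed = advisories[model]
            if parse_version(version) < parse_version(fixed):
                report["outdated"].append((name, version, fixed))
    # Devices on the wire that nobody documented: unknown or rogue equipment.
    report["unlisted"] = sorted(observed - set(inventory))
    return report


if __name__ == "__main__":
    for kind, items in review_inventory(INVENTORY, ADVISORIES, OBSERVED).items():
        print(kind, items)
```

Versions are compared as number tuples because a plain string comparison would rank 2.9.3 above 2.10.0 and miss the outdated gateway.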
Threat 4: Smart Meter and AMI Network Vulnerabilities
Advanced Metering Infrastructure (AMI)—the two-way communication network supporting smart meters—creates a new attack surface in the building-to-utility communication chain. Vulnerabilities in smart meter firmware, AMI network protocols, or utility head-end systems could potentially allow attackers to manipulate meter readings, disrupt service, or use meters as entry points to building networks.
While major Illinois utilities have invested significantly in AMI security, the security posture of the thousands of different smart meter devices and communication modules in service varies. Commercial customers with direct AMI integration into their energy management systems have additional exposure.
Mitigation:
- Isolate smart meter communication interfaces from core building networks where possible
- Monitor for anomalous communication patterns from energy management systems
- Ensure your energy management software vendor follows security best practices (SOC 2 compliance, regular penetration testing)
Threat 5: Physical-Cyber Convergence
An often-overlooked threat is the convergence of physical and cyber access to building energy systems. Improperly secured building automation system panels, exposed control interfaces in electrical rooms, and inadequate physical access controls to mechanical rooms all create opportunities for attackers to make changes on site (installing rogue devices, accessing local configuration interfaces) that network security controls would block if attempted remotely.
In multi-tenant buildings, tenant access to common mechanical areas can represent an uncontrolled physical access risk to other tenants' and the building's energy systems.
Your Actionable Cybersecurity Checklist for Securing Commercial Energy Systems
Work through this checklist to assess and improve your building energy system security posture:
Network Architecture
- Building automation systems are on a dedicated, segmented network—not on the same flat network as corporate IT systems
- Firewall rules between BAS network and corporate IT are restrictive and documented
- Remote access to building systems requires VPN with multi-factor authentication
- All default passwords have been changed on building controllers, BAS servers, and gateways
- Network traffic to and from building systems is logged and reviewed periodically
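To check that firewall rules between the BAS network and corporate IT really are restrictive and documented, an exported rule set can be audited automatically. The following is an added example, not from the original guide; the subnets and the simplified rule format are assumptions, while the BACnet/IP and Modbus TCP ports are the protocols' standard ones.

```python
import ipaddress

# Assumed addressing for this example: one BAS VLAN and one corporate range.
BAS_NET = ipaddress.ip_network("10.50.0.0/24")
CORP_NET = ipaddress.ip_network("10.10.0.0/16")

# Building protocols and their standard ports.
OT_PORTS = {("udp", 47808): "BACnet/IP", ("tcp", 502): "Modbus TCP"}

# Constructed allow rules in a simplified form: (id, src, dst, proto, port, comment).
RULES = [
    (1, "10.10.20.15/32", "10.50.0.10/32", "tcp", 443, "FM workstation to BAS server"),
    (2, "10.10.0.0/16", "10.50.0.0/24", "udp", 47808, ""),
    (3, "0.0.0.0/0", "10.50.0.0/24", "any", "any", "temp vendor access"),
    (4, "10.50.0.0/24", "10.10.0.0/16", "tcp", 445, "file share"),
    (5, "10.50.0.0/24", "10.50.0.0/24", "tcp", 502, "controller polling"),
]


def audit_rules(rules):
    """Return {rule_id: [findings]} for allow rules that cross the BAS boundary."""
    report = {}
    for rule_id, src, dst, proto, port, comment in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        into_bas = dst_net.overlaps(BAS_NET) and not src_net.subnet_of(BAS_NET)
        out_of_bas = src_net.overlaps(BAS_NET) and not dst_net.subnet_of(BAS_NET)
        if not (into_bas or out_of_bas):
            continue  # traffic stays inside one segment
        findings = []
        if not comment.strip():
            findings.append("undocumented")
        if proto == "any" or port == "any":
            findings.append("any protocol/port")
        elif (proto, port) in OT_PORTS:
            findings.append(f"{OT_PORTS[(proto, port)]} crosses the boundary")
        if into_bas and src_net.supernet_of(CORP_NET):
            findings.append("whole corporate range or wider can reach BAS")
        if out_of_bas and dst_net.overlaps(CORP_NET):
            findings.append("BAS can initiate connections into corporate IT")
        if findings:
            report[rule_id] = findings
    return report


if __name__ == "__main__":
    for rule_id, findings in audit_rules(RULES).items():
        print(rule_id, "; ".join(findings))
```

Rule 1 (a single workstation reaching one server over HTTPS, with a comment) passes cleanly, which is the shape a restrictive cross-segment rule should take.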
Access Control
- Remote access credentials for HVAC/BAS vendors are unique per vendor, time-limited, and revoked when no longer needed
- All user accounts for building management workstations have individual credentials (no shared accounts)
- Administrator access to building systems follows least-privilege principles
- Physical access to mechanical rooms, electrical rooms, and building automation panels is controlled and logged
Patch and Vulnerability Management
- Inventory of all connected building devices (BAS controllers, gateways, meters) with current firmware versions
- Process in place to apply security updates to building system software and firmware
- Subscriptions to vendor security advisories for critical building equipment
- Annual vulnerability assessment of building automation network
Monitoring and Incident Response
- Security event logging is enabled on building management systems
- Anomaly detection (unusual login times, unexpected configuration changes) is in place or planned
- Incident response plan exists and specifically addresses building system cyber incidents
- Backup and recovery procedures for building system configurations are tested annually
Vendor Management
- Security requirements included in contracts with HVAC contractors, BAS vendors, and energy management service providers
- Vendor access review process is in place (who has access? Why? Is it still needed?)
- Evidence of security practices (SOC 2, security assessments) requested from critical vendors
Partnering for Protection: How a Proactive Energy Strategy Fortifies Your Illinois Business
There's a perhaps counterintuitive relationship between sophisticated energy management and cybersecurity: businesses that take a proactive, strategic approach to commercial energy management tend to have stronger security postures than those that manage energy reactively.
Here's why:
Asset visibility: A strategic energy management approach requires knowing exactly what connected devices exist in your building—smart meters, BAS controllers, energy management gateways, building automation sensors. This asset inventory is also the foundation of a strong OT security program. You can't secure what you don't know exists.
Managed access vs. open access: Strategic energy management involves working with trusted advisors and vendors who access your systems through structured, auditable mechanisms rather than ad-hoc, uncontrolled remote connections. This governance approach naturally tightens your access control posture.
Contract structure: Working with a sophisticated energy advisor means your supply contracts are structured to avoid situations where you're under financial pressure to reduce consumption through insecure shortcuts. Energy security includes both procurement security and cybersecurity.
Incident resilience: Businesses with on-site generation (solar), battery storage, and well-tested backup systems have greater resilience against both grid outages and cyber-induced disruptions. A battery storage system that allows you to island from the grid during a cyberattack-induced outage isn't primarily a cybersecurity tool—but it provides meaningful resilience value.
At Commercial Energy Advisors, our advisory approach includes awareness of the cybersecurity dimensions of energy management technology. When we recommend energy management platforms, we consider their security practices as part of our evaluation—not just their features and pricing.
Conclusion: Your Energy Systems Are a Security Perimeter—Treat Them That Way
The integration of building energy systems with internet connectivity is not going to reverse—if anything, it will deepen as buildings become smarter, DER deployments expand, and real-time market participation becomes standard. The question isn't whether your building's energy systems are connected; it's whether they're connected securely.
The good news is that commercial energy cybersecurity doesn't require sophisticated technical expertise to dramatically improve. Most building energy system vulnerabilities stem from basic security hygiene issues—default passwords, lack of network segmentation, uncontrolled vendor access, unpatched firmware—that can be addressed with systematic attention and modest investment.
Don't let the complexity of OT security be an excuse for inaction. Start with the checklist above, address the most critical gaps, and build a roadmap for continuous improvement. Your energy systems—and your operations—will be significantly more resilient.
Contact Commercial Energy Advisors at 833-264-7776 or request a consultation to discuss how your energy management strategy can be designed with security as a first-class consideration.
Frequently Asked Questions
Why are commercial building energy systems a cybersecurity risk?
Building automation systems, smart meters, HVAC controllers, and energy management platforms are increasingly connected to the internet for remote monitoring and management. This connectivity—when not properly secured—creates pathways for unauthorized access. Many of these systems use legacy protocols not designed for security, and they're often managed with inadequate access controls.
What is OT security for commercial facilities?
Operational technology (OT) security refers to security practices for the hardware and software that controls physical processes—in a commercial building context, this includes building automation systems, HVAC controls, electrical systems, and energy management platforms. OT security is distinct from IT security and requires specialized knowledge of industrial control system protocols and architectures.
How can I tell if my building automation system is exposed to the internet?
You can check whether your building systems are internet-exposed using the Shodan search engine (shodan.io), which indexes internet-connected devices. Search for your building's IP address ranges or specific equipment makes and models. Your IT team or a cybersecurity professional can also conduct an external vulnerability scan to identify exposed interfaces.
What is the most important cybersecurity step for commercial building energy systems?
Network segmentation—isolating building automation systems on their own network, separated from corporate IT—is the single highest-impact security control for most commercial facilities. This prevents attackers who compromise a building management workstation from accessing corporate data, and limits the blast radius of a building system compromise.
Do Illinois businesses have cybersecurity compliance requirements related to building systems?
Most Illinois commercial businesses don't face specific building OT security mandates unless they're in regulated industries (healthcare under HIPAA, critical infrastructure, financial services). However, commercial insurance policies increasingly ask about OT security practices, and some supply chain requirements include security assessments. Healthcare facilities operating under HIPAA should ensure patient safety systems including building controls meet security requirements.
How do demand response programs affect cybersecurity risk?
Participating in demand response programs typically requires your energy management system to communicate with program operators (like your curtailment service provider) to receive dispatch signals and report curtailment performance. This creates a network interface that should be secured. Ensure your demand response provider uses encrypted, authenticated communication and that their system access is appropriately scoped and controlled.