Cybersecurity for Building Networks: How to Secure IoT, CCTV, and BMS Systems in Australia
Building managers and strata committees spend considerable time thinking about physical security — locks, intercoms, surveillance cameras, alarm systems. What is less commonly understood is that all of those systems are now computers. They run software, they connect to networks, they communicate over IP, and they carry exactly the same categories of risk as any other networked device.
The difference is that IT departments actively manage, patch, and monitor business computers. Building systems are installed, commissioned, and then largely forgotten — often running for five to ten years without a firmware update, credential change, or security review. That gap is what attackers exploit.
This article is written for building managers, strata committees, and commercial property managers who are responsible for these systems but may not have a technical background. The goal is to explain the risks clearly, outline the foundational controls that reduce them, and describe what good security practice looks like for a connected building environment.
Why Building Networks Are a Cybersecurity Target
The phrase "building network" encompasses more than most people realise. A modern commercial building or residential strata complex typically connects the following across a shared IP network infrastructure:
- IP surveillance cameras (CCTV)
- Electronic access control systems (card readers, intercoms, door controllers)
- Building management systems (BMS) controlling HVAC, lighting, and energy
- Lift management and monitoring systems
- EV charging infrastructure
- Visitor management and parcel locker systems
- In some cases, resident or tenant Wi-Fi
Each of those is a networked device. Each can be accessed remotely. And each has known vulnerabilities.
The incidents that surface publicly give a sense of the real-world consequences. IP cameras with factory-default passwords have been indexed on publicly accessible websites — anyone with an internet connection could view the live feed. Access control systems have been breached remotely to issue credential clones or unlock specific doors without any physical interaction. Building management systems have been manipulated to disable HVAC in multi-tenant commercial buildings, creating both operational disruption and the conditions for ransomware negotiation.
These are not hypothetical threats constructed for a vendor white paper. They are documented patterns that building owners and managers need to treat as operational risk.
For a broader view of how these threats apply to the built environment, see our earlier article on smart building cybersecurity.
The Three Categories of Risk for Building Networks
Understanding the risk landscape helps prioritise where to direct investment and attention. Building network threats fall into three broad categories.
1. Privacy Breach
Surveillance cameras exist to protect residents and tenants. When the network they operate on is insecure, they become a source of exposure rather than protection.
A compromised CCTV system can give an unauthorised party persistent access to surveillance footage — common areas, car parks, entries, lifts. In a residential strata context, that footage may capture identifiable images of residents, their visitors, and their routines. Under the Australian Privacy Act 1988 and state-level surveillance legislation, the body corporate or owners corporation holds legal responsibility for the handling of that footage.
A breach involving residential surveillance data creates real strata liability, not just reputational damage. Understanding what cyber insurance requirements for buildings look like in Australia is increasingly relevant for strata committees.
2. Physical Security Breach
The access control system is the digital lock on the building. When it is compromised, the physical security of every occupant is directly at risk.
Attackers who gain administrative access to an access control platform can create new credential records, disable alarm zones, unlock specific doors, or export the entire access credential database. These actions can be performed remotely, without being anywhere near the building.
Physical intrusion enabled by a digital attack is a category of risk that sits at the intersection of cybersecurity and personal safety. It demands the same level of seriousness as any physical security review. See how Pickle approaches access control security in apartment buildings for a more detailed treatment.
3. Operational Disruption
The building management system controls the operational environment of the building. HVAC, lighting zones, lift interfaces, and energy management all depend on the BMS functioning correctly.
A compromised BMS can be used to disable air conditioning in a commercial tower during a Sydney summer — creating an immediate and very visible disruption that gives an attacker significant leverage. This is precisely the profile of asset that ransomware operators target: critical infrastructure with a low tolerance for downtime and a high willingness to pay to restore normal function quickly.
BMS and operational technology (OT) systems are often the least-patched devices on the building network, because the operational risk of a failed firmware update feels higher than the security risk of leaving an old version in place. That calculus is worth reconsidering.
Threat Assessment Summary
The following table maps key building systems to their primary threat, the most important control, and the relative priority for security investment.
| Building System | Primary Threat | Key Control | Priority |
|---|---|---|---|
| IP surveillance cameras (CCTV) | Privacy breach, credential theft, network pivot | VLAN isolation, credential change, firmware updates | High |
| Electronic access control | Physical intrusion, credential duplication, remote unlock | VLAN isolation, no direct internet exposure, audit logging | Critical |
| Building management system (BMS) | Operational disruption, ransomware leverage | VLAN isolation, VPN-only remote access, firmware schedule | Critical |
| Intercoms and visitor management | Social engineering enablement, credential harvest | Default credential removal, network segregation | High |
| EV charging infrastructure | Data exfiltration, lateral movement to other VLANs | Dedicated VLAN, firewall rules, access restrictions | Medium |
| Lift management systems | Operational disruption, safety system interference | Network isolation, restricted management access | High |
| Tenant or resident Wi-Fi | Lateral movement into building systems if not isolated | Strict VLAN separation from all building system VLANs | High |
VLAN Segmentation: The Foundational Building Security Control
If there is a single security concept that every building manager should understand, it is VLAN segmentation.
A VLAN (Virtual Local Area Network) is a logical separation of network traffic. Even though multiple systems share the same physical cabling and switching infrastructure, VLANs create enforced boundaries between them. Devices on one VLAN cannot communicate with devices on another VLAN unless a firewall rule explicitly permits it.
In a correctly designed building network, the CCTV system runs on its own VLAN. The access control system runs on a separate VLAN. The BMS runs on a separate VLAN. Tenant Wi-Fi is isolated on its own VLAN. These segments do not intersect unless there is a specific, documented, and firewall-controlled reason for them to do so.
The security consequence of this design is significant. If an attacker compromises an IP camera — perhaps because it had a default password, or because it was running firmware with a known vulnerability — they are confined to the CCTV VLAN. They cannot reach the access control system. They cannot reach the BMS. The blast radius of the compromise is contained.
Without VLAN segmentation, a compromised camera is a stepping stone to every other system on the network. A single vulnerable device becomes a path to physical intrusion, operational disruption, and data theft simultaneously.
VLAN segmentation is not a premium option for enterprise environments. It is the baseline security architecture for any building network that includes multiple system types. Full detail on how this is designed and implemented is covered in our article on VLAN segmentation for apartment buildings.
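The containment argument in this section can be checked mechanically. The following is an added example, not part of the original article: it models each VLAN as a node and each permitted inter-VLAN flow as an edge, then computes what a compromised camera can reach. The segment names, rule sets and the two exception rules are constructed for illustration.

```python
from collections import deque

# Constructed segment names, following the systems the article lists.
SEGMENTS = ["cctv", "access_control", "bms", "tenant_wifi", "mgmt_vpn"]

# Each tuple (src, dst) permits traffic initiated from src to dst.
# Anything not listed is denied, as on a default-deny inter-VLAN firewall.
SEGMENTED_RULES = [
    ("mgmt_vpn", "cctv"),
    ("mgmt_vpn", "access_control"),
    ("mgmt_vpn", "bms"),
]

# Hypothetical "convenience" exceptions added after commissioning.
EXCEPTION_RULES = [
    ("cctv", "access_control"),   # e.g. intercom video integration
    ("access_control", "bms"),    # e.g. lift call on door release
]


def flat_rules(segments):
    """A flat network: every segment may initiate traffic to every other."""
    return [(a, b) for a in segments for b in segments if a != b]


def blast_radius(rules, compromised):
    """Return every segment reachable from `compromised` by chaining permitted flows.

    This is a conservative upper bound: a permitted flow does not guarantee
    compromise, but a denied flow rules it out at the network layer.
    """
    allowed = {}
    for src, dst in rules:
        allowed.setdefault(src, set()).add(dst)

    reached = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for nxt in allowed.get(current, ()):
            if nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached


if __name__ == "__main__":
    for label, rules in [
        ("flat", flat_rules(SEGMENTS)),
        ("segmented", SEGMENTED_RULES),
        ("segmented + exceptions", SEGMENTED_RULES + EXCEPTION_RULES),
    ]:
        print(f"{label:24} camera compromise reaches: {sorted(blast_radius(rules, 'cctv'))}")
```

The third case is the one to watch in practice: two exceptions that each look reasonable on their own chain into a path from the camera VLAN to the BMS, which is why every inter-VLAN exception needs to be reviewed against the whole rule set rather than in isolation.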
Default Credentials: The Most Common Entry Point
The single most prevalent entry point for attacks on building system devices is factory-default credentials.
The vast majority of IP cameras, intercoms, access control controllers, and BMS interface devices ship with documented default usernames and passwords. Common examples include admin/admin, admin/1234, and admin/password. These credentials are published in device manuals, in vendor knowledge bases, and in attacker databases. An internet search for any specific device model and the word "default password" will return the answer in seconds.
When a building systems installer commissions a device, changes the default credentials and documents them securely for the building owner, this risk is eliminated. When that step is skipped — which is more common than it should be — the device remains permanently accessible to anyone who knows which model it is.
The requirement here is straightforward: every building system device must have its factory default credentials changed at the time of installation. The replacement credentials must be strong (not sequential numbers, not the building address), must be documented in a secure location controlled by the building owner, and must not be shared casually.
This applies to the web management interfaces of network switches, routers, and wireless access points, not just end devices. The network infrastructure itself is a target.
Firmware Updates: Why Building Devices Need a Patch Schedule
Every building system device runs embedded software, called firmware, that controls its operation and manages its network connectivity. Firmware contains vulnerabilities, and manufacturers release updates to address them.
The difference between a business laptop and a building system device is that the laptop likely receives automated security updates overnight. The IP camera installed in the car park in 2019 has almost certainly never been updated. It is running the firmware version it shipped with, and every vulnerability identified in that firmware version since installation remains open.
For critical systems, this is a significant and addressable risk. The following update schedule represents a reasonable baseline for Australian building environments.
- Access control systems and associated controllers: quarterly firmware review, update within 30 days of a security patch release
- IP surveillance cameras: quarterly firmware review, update annually as a minimum
- BMS and HVAC controllers: biannual firmware review, updates coordinated with system integrator
- Network infrastructure (switches, firewalls, routers): quarterly review and update
- Lower-risk IoT devices (lighting controllers, sensor nodes): annual review
The practical challenge is that building system firmware updates require coordination with the system integrator or vendor, are sometimes tested before deployment to avoid operational disruption, and need to happen out of hours for critical systems. This is precisely why they rarely happen without someone actively managing the schedule. Assigning that responsibility clearly — either to a managed services provider or to a named internal contact — is the prerequisite for it occurring at all.
Network Access Controls: Removing Direct Internet Exposure
Building system devices should not be directly accessible from the internet. This sounds obvious, but it is routinely violated in practice.
Port-forwarding is the common method by which installers provide themselves (and building managers) with remote access to building system interfaces. A port is opened on the building's internet router and mapped directly to the management interface of a device — the CCTV NVR, the access control server, or the BMS web interface. This allows remote access, but it also exposes that management interface directly to every scanner and attacker on the internet.
The correct approach is remote access via a VPN. The VPN creates an encrypted, authenticated tunnel into the building network. The management interfaces of building system devices are not exposed directly to the internet at all — they are only reachable by users who first authenticate to the VPN. This eliminates the exposure of those interfaces to the public internet entirely.
Complementary to VPN-based access, firewall rules between VLANs and between VLANs and the internet should be documented, deliberately configured, and reviewed at least annually. "Allow all" rules between segments are a red flag. Rules should follow the principle of least privilege: permit only what is specifically required for system operation, and deny everything else.
Building network security for CCTV systems specifically is covered in our article on CCTV network security.
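One way to run the annual rule review described in this section, as an added example that is not part of the original article: a small audit over an exported rule list that flags port-forwards from the internet, "allow all" rules, tenant-to-building paths, undocumented rules and overdue reviews. The rule format, segment names, sample rules and audit date are all constructed for illustration.

```python
from datetime import date

# Constructed names for the building-system VLANs the article describes.
BUILDING_SEGMENTS = {"cctv", "access_control", "bms", "lifts", "ev_charging"}

# Constructed audit date so the example gives the same result whenever it runs.
AUDIT_DATE = date(2025, 6, 1)

# Constructed sample rules, in a hypothetical export format.
RULES = [
    {"id": 1, "src": "mgmt_vpn", "dst": "cctv", "port": 443,
     "reason": "NVR admin via VPN", "reviewed": date(2025, 3, 1)},
    {"id": 2, "src": "internet", "dst": "cctv", "port": 8000,
     "reason": "installer remote access", "reviewed": date(2021, 6, 1)},
    {"id": 3, "src": "cctv", "dst": "bms", "port": "any",
     "reason": "", "reviewed": None},
    {"id": 4, "src": "tenant_wifi", "dst": "access_control", "port": 80,
     "reason": "", "reviewed": date(2025, 1, 10)},
    {"id": 5, "src": "bms", "dst": "internet", "port": 443,
     "reason": "vendor telemetry", "reviewed": date(2025, 2, 1)},
]


def audit_rules(rules, today):
    """Return [(rule_id, [issue, ...])] for every rule that fails a check."""
    findings = []
    for rule in rules:
        issues = []
        # "Allow all" between segments defeats least privilege.
        if rule["port"] == "any":
            issues.append("allow-all")
        # Inbound from the internet to a building VLAN is a port-forward,
        # i.e. a management interface exposed without the VPN in front.
        if rule["src"] == "internet" and rule["dst"] in BUILDING_SEGMENTS:
            issues.append("internet-exposed")
        # Tenant or resident Wi-Fi must never reach building systems.
        if rule["src"] == "tenant_wifi" and rule["dst"] in BUILDING_SEGMENTS:
            issues.append("tenant-to-building")
        # Every rule needs a recorded business reason.
        if not rule["reason"].strip():
            issues.append("undocumented")
        # Rules are to be reviewed at least annually.
        if rule["reviewed"] is None or (today - rule["reviewed"]).days > 365:
            issues.append("review-overdue")
        if issues:
            findings.append((rule["id"], issues))
    return findings


if __name__ == "__main__":
    for rule_id, issues in audit_rules(RULES, AUDIT_DATE):
        print(f"rule {rule_id}: {', '.join(issues)}")
```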
Physical Security of the MDF and Comms Room
All of the logical security controls described above — VLAN segmentation, firewall rules, credential management — depend on the physical integrity of the network infrastructure that enforces them.
The main distribution frame (MDF) or communications room houses the network switches that implement VLAN boundaries. A person with physical access to those switches can plug any device directly into any port. In many configurations, this would place that device on whatever VLAN that port is assigned to, bypassing all access controls. In a worst-case scenario, someone with switch access and enough knowledge can reconfigure the VLAN assignments entirely.
The MDF room is not a storage cupboard. It is the security control centre for the building's digital infrastructure. Access requirements for this room should reflect that status:
- The room must be locked at all times when not actively in use
- Access should be restricted to authorised personnel with a documented list
- Visitor or contractor access should be escorted — no unaccompanied contractor access
- Access logs (whether key register or electronic access control) should be maintained and reviewed
- Any equipment added to or removed from the room should be documented
This is a physical security control with direct cyber consequences, and it is one of the most frequently overlooked elements of building network security.
The ASD Essential Eight and Building Systems
The Australian Signals Directorate's Essential Eight is primarily framed as a framework for business IT environments, but several of its controls apply directly to building system networks.
Application control. In an IT context, this means controlling which software can execute on endpoints. In a building network context, the equivalent is controlling which devices can connect to building system VLANs. Using MAC address filtering, 802.1X port authentication, or network access control policies prevents unauthorised devices from simply being plugged in and joining the network.
Patch applications and operating systems. The firmware update schedule described above is the building systems equivalent of this control. The principle is identical: known vulnerabilities should be remediated before they are exploited.
Restrict administrative privileges. Access to the management interfaces of building system devices — the CCTV NVR admin console, the access control management platform, the BMS interface — should be limited to specific named individuals with a documented business requirement. Shared generic admin accounts make audit trails unusable and increase the risk of credential compromise.
Multi-factor authentication. Any remote access path into building system management interfaces — particularly VPN access — should require multi-factor authentication. This ensures that a stolen password alone is not sufficient to gain access.
Building managers working with a managed services provider should be asking whether their provider applies these controls to the building network, not just to their business IT environment. The two are increasingly the same conversation.
Incident Response: What to Do When a Building System Is Compromised
Preparation before an incident determines the quality of the response during one. The following questions should have documented answers before an incident occurs, not during one.
Who is the responsible contact? There should be a named individual — building manager, strata manager, or managed IT provider — who is the first point of contact for a suspected building system compromise. Everyone else involved in the building should know who that person is.
How is an incident reported? Contractors, tenants, and residents should have a clear path to report something that looks wrong — a camera that has gone offline unexpectedly, a door that opened without authorisation, an HVAC system behaving strangely. Incidents reported quickly are incidents contained quickly.
What is the process for isolating a compromised system? If a CCTV camera is believed to be compromised, the correct response is to remove it from the network at the switch level — disabling the port it connects to on the relevant VLAN. This isolates the affected device without taking down the entire system. This kind of response requires someone to know the network architecture well enough to act on it.
Who notifies affected residents or tenants? If a compromise involves personal data — surveillance footage of identifiable individuals — there is a potential obligation under Australian privacy law to notify affected parties. The building's strata manager or legal adviser should be consulted on notification requirements as part of incident planning, not in the middle of a crisis.
Who is the upstream escalation? When the building manager cannot resolve the issue alone, there needs to be a managed IT provider or specialist contractor with security expertise who can respond. That relationship should be established before it is needed.
How Pickle Approaches Building Network Security
Pickle manages building networks for residential strata, commercial buildings, and mixed-use developments across Australia. Security-first design is built into every network we deploy and maintain.
Our approach includes:
- VLAN segmentation designed to isolate CCTV, access control, BMS, IoT, and tenant networks from each other
- Firewall rules documented, deliberately configured, and reviewed on a regular schedule
- Default credentials changed on every device at installation, with credentials documented securely for the building owner
- VPN-based remote access for all building system management — no direct port-forwarding to management interfaces
- Firmware update schedules maintained across all networked building system devices
- MDF room access standards included in our building network management scope
- Incident response contacts clearly established for every building we manage
If you manage a commercial building or strata complex and want to understand the current state of your building network security, we are glad to help.
Phone: 1300 688 588
Frequently Asked Questions
Q: Do I need a cybersecurity expert to manage my building's IP cameras and access control, or is this something the system installer handles?
A: The system installer is responsible for installing and commissioning the equipment correctly — changing default credentials, configuring the devices, and making sure they operate as intended. Ongoing cybersecurity management — firmware updates, VLAN configuration, firewall rule reviews, remote access security — is the responsibility of whoever manages the building network. If there is no one in that role, the devices are almost certainly unmanaged from a security standpoint. A managed services provider with building network experience fills that gap.
Q: Our building's CCTV footage is stored on a local NVR, not in the cloud. Does that mean we are less exposed?
A: Not necessarily. A local NVR is still a networked device with a management interface, and if that interface is accessible from the internet (via port-forwarding, for example) or is on an unsegmented network, it carries the same exposure as a cloud-connected system. The location of the storage matters less than the security of the network path to that storage. A local NVR on a properly segmented VLAN with no direct internet exposure is well-protected. A local NVR on a flat network with port-forwarding enabled is not.
Q: How do we know if our building network has default credentials that have never been changed?
A: The most direct method is a technical audit of the building network — reviewing each device, confirming credentials have been changed, and checking remote access configurations. A managed IT provider or building network specialist can conduct this audit. If you have no documentation from the original installer confirming that credentials were changed at commissioning, it is safest to assume they were not and conduct an audit.
Q: What is the risk of ransomware affecting a building management system specifically?
A: A building management system controlling HVAC, lifts, and lighting is exactly the profile of system that ransomware operators target: high operational impact, low tolerance for downtime, and a building owner who has little choice but to restore function quickly. The most common entry path for ransomware in OT and building systems environments is the same as for business IT — phishing credentials, exploiting unpatched vulnerabilities, or lateral movement from a less-secure device on the same network. VLAN segmentation that isolates the BMS from the rest of the network significantly limits the ability of an attacker to reach it after gaining initial access elsewhere.
Q: Does the Australian Privacy Act apply to CCTV footage in strata buildings?
A: The Australian Privacy Act 1988 applies to organisations with an annual turnover above $3 million, which captures most commercial property operators. For smaller strata schemes, state-level surveillance and privacy legislation may still apply, and the Office of the Australian Information Commissioner has issued guidance on the use of CCTV in residential settings. Regardless of whether formal legislative obligations apply, strata committees hold the footage of identifiable residents and should treat a breach of that footage as a serious matter. Legal advice specific to your building's circumstances is appropriate if a breach occurs.