BUILDING CONTROLS & TECHNOLOGY
Why your contractors’ login credentials are probably your biggest security gap
I
Michael Downs, VP at SecurEnvoy explains the benefits of multi- factor authentication in keeping buildings and their systems secure
n May 2021, a water treatment plant in Florida was accessed remotely by an attacker who briefly increased sodium hydroxide levels to more than a hundred times the normal amount. A plant operator spotted the change and reversed it before anything reached the public water supply. The attacker had got in through remote access software that plant staff used for legitimate maintenance.
Smart building technology has brought operational benefits including remote monitoring, predictive maintenance, energy optimisation, and the ability to manage a portfolio of buildings from a single dashboard. But every contractor account, every remote access session, and every business management system integration with a third- party platform is also a potential route in. And, like in the aforementioned attack, a significant number of those access points are protected by nothing more than an, often weak, password. It’s not clear whether MFA was added as an additional control but it’s unlikely considering the ease of entry.
Why third-party access is the weak link
Like many organisations, building operators might have security controls for their own staff but not for their contractors the suppliers and maintenance partners who also hold access to building systems. Those suppliers might be heating engineers that need to adjust settings remotely, Business Management System integrators monitoring performance data, lift maintenance companies that need access to control systems, and security firms that manage access control platforms. They will all need privileged access.
This issue is that these accounts frequently sit outside the security policies that apply to internal staff. They may be using personal devices or using credentials that haven’t been updated in years. In some cases, a single set of login details might be shared across an entire contractor organisation, meaning there is no way to know who actually logged in, or when. Attackers are familiar with this and take advantage of these weak entry points. Contractor credentials are one of the most consistent ways into an operational environment precisely because they tend to be less carefully managed. Once inside, an attacker can move through connected systems and escalate their access.
The 2021 Colonial Pipeline attack is a prime example. Attackers accessed the network through a VPN account, without MFA enabled. The pipeline shut down for six days, causing fuel shortages across the US east coast. The attack prompted a US executive order mandating MFA across critical infrastructure, demonstrating the significance of the attack. On the UK side, MFA guidance is increasingly included in legislation and compliance mandates. The NCSC’s Cyber Essentials program has just been updated to require more comprehensive MFA controls, especially for critical suppliers.
The smart building problem is getting worse
The integration of IoT sensors, cloud-based BMS platforms, and remote monitoring tools means that the number of systems accessible from outside the building perimeter keeps growing, along with the number of third-party accounts required to manage them. Each one is a potential entry point, and the more of them there are, the harder it becomes to keep track of who has access to what. Attackers frequently target accounts that are weakly protected or have no additional
Read the latest at:
www.bsee.co.uk
authentication. Recent incidents linked to infostealer malware have shown attackers gaining access to dozens of organisations simply by targeting accounts without enforced MFA. The malware harvests credentials from infected devices, and if those credentials are enough to log in without any further verification, the attacker has their way in.
What MFA actually does
Multi-factor authentication requires a user to verify their identity with something beyond a password, a code sent to a phone or generated by an authenticator app, a biometric check, or a hardware token. Therefore, even if an attacker has a valid username and password, they cannot log in without the second factor. In the case of building systems, it’s most important to secure with MFA those accounts at the perimeter that give an attacker leverage over physical building functions and are most likely to belong to third parties operating outside the building operator’s direct oversight. The objection that comes up most often is friction. Contractors are busy, often accessing systems from the field, from different devices, sometimes under time pressure. They don’t want another step in the log in process. However, MFA is incredibly simple to implement and need not hinder productivity; authenticator apps take seconds and biometrics require no codes at all. Phishing- resistant MFA authenticates automatically and cryptographically between the user’s device and the legitimate service, so attackers can’t overwhelm users with prompts or trick them into tapping “approve.” Risk-based authentication, which only prompts for a second factor when a login looks unusual, such as from an unfamiliar device or location, means that a contractor logging in from their usual setup barely notices it’s there. Conditional access, whereby you only grant access to systems to those who need, is another control to limit unwanted access. If MFA is set up to be as straightforward as possible, with clear guidance for contractors on how to use it, then it tends to stick and be used with confidence.
Making it a contractual requirement
The most reliable way to enforce MFA across third-party access is to make it a condition of the contract. If a supplier wants to access
your building systems remotely, they meet your security requirements, including MFA on any account used to do so.
The NCSC’s Cyber Essentials scheme, which is
increasingly required by public sector contracts and recommended across regulated industries, mandates MFA as a baseline control. And, as building owners and facilities managers become more security-conscious, the ability to demonstrate that your remote access is properly secured becomes a differentiator rather than a cost.
Principle of least privilege
MFA sits alongside another control that is worth addressing at the same time: making sure that third-party accounts only have access to what they actually need.
A contractor maintaining the HVAC system does not need access to the access control platform. A BMS integrator pulling performance data does not need administrative rights across the whole system. Limiting access to what is required for the job, and revoking it when the job is done, significantly reduces the damage an attacker can do if they do get hold of a contractor’s credentials. Combined with MFA, it means that even a successful credential theft results in limited access rather than a route through the whole building’s systems.
The practical starting point
For most organisations, the first step is understanding the current state: how many third-party accounts have remote access to building systems, what level of access each one has, and which of them currently have MFA in place. From there, the priority are the accounts with the broadest access and the highest potential impact if compromised. BMS administrator accounts, remote access to access control systems, any account that can adjust physical building functions are the ones to secure first. The goal is not to make remote access difficult. Buildings need contractors and contractors need to be able to do their jobs. The goal is to make sure that the accounts enabling that access are not also the easiest way into the building for someone who should not be there. Given how straightforward MFA has become to implement and use, there is less and less justification for leaving that gap open.
BUILDING SERVICES & ENVIRONMENTAL ENGINEER JUNE 2026 23
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38