NYC’s 2025 HVAC System Cybersecurity Alert: How Smart Building Climate Controls Are Becoming Hacker Targets

NYC’s Smart HVAC Systems Under Siege: The Alarming Rise of Cybersecurity Threats in 2025

New York City’s buildings are becoming smarter, but they’re also becoming more vulnerable. Cyberattacks on IoT devices have increased by 400% year-over-year (YoY), and attackers view HVAC systems as weak links—often less protected than core IT systems but still connected to the same networks. As we navigate through 2025, building owners and facility managers across NYC are facing an unprecedented cybersecurity challenge that could literally leave them out in the cold.

The Growing Threat Landscape

Smart HVAC systems in NYC buildings are no longer just about maintaining comfortable temperatures. Whether it’s remote monitoring, automated climate controls, or energy management dashboards, these systems require internet access and data sharing to function efficiently. However, this digital connectivity introduces vulnerabilities that cybercriminals are increasingly exploiting.

Cybersecurity firm ForeScout Technologies has discovered that thousands of IoT devices in heating, ventilation, and air conditioning (HVAC) systems are vulnerable to cyberattacks. Nearly 8,000 connected devices, mostly located in hospitals and schools, offered unauthorized access and were highly vulnerable to cyberattacks.

Real-World Consequences

The risks aren’t theoretical. In a 2021 commercial real estate attack, hackers exploited weak access controls, took over the HVAC system, and demanded Bitcoin payments in exchange for restoring climate control. The attack resulted in millions of dollars in damages due to downtime and lost business. Even more concerning, in a 2016 Finnish smart building attack, attackers caused a system failure that left residents of two buildings without heat and hot water in winter.

Target’s retail chain suffered a massive data breach in 2013 after hackers infiltrated its HVAC network, demonstrating that once hackers are in through your HVAC system, they’ve got a backstage pass to the rest of your network.

Common Attack Methods

Cybercriminals are employing various sophisticated techniques to breach HVAC systems:

  • Ransomware and Siegeware: In a “siegeware” attack, hackers take control of HVAC operations—such as disabling cooling or ventilation—and demand payment to restore functionality
  • Man-in-the-Middle Attacks: Hackers intercept communications between HVAC equipment and control servers, enabling them to manipulate temperature settings, disable alarms, or shut down systems
  • Legacy Protocol Exploitation: Some building management systems (BMS) still use older protocols such as BACnet and Modbus, designed before cybersecurity was a concern. Since these standards lack encryption and authentication, they leave building networks open to anyone who can reach them
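
Because BACnet and Modbus have no authentication, the practical control is limiting who can reach them. The following added example (not from the original article) audits flow records for legacy-protocol traffic that enters the controller segment from elsewhere; the subnets, log format, and sample records are constructed assumptions.

```python
import ipaddress

# Assumed site layout (hypothetical): controllers sit in one dedicated segment.
BMS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
SITE_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # everything the building owns
# Well-known ports of the unauthenticated legacy protocols named above.
LEGACY_PORTS = {("tcp", 502): "Modbus/TCP", ("udp", 47808): "BACnet/IP"}

# Constructed sample flow records: "timestamp proto src dst dport".
SAMPLE_FLOWS = """\
2025-01-14T08:00:01Z udp 10.20.0.15 10.20.0.31 47808
2025-01-14T08:00:04Z tcp 10.20.0.10 10.20.0.40 502
2025-01-14T08:02:17Z tcp 10.1.5.77 10.20.0.40 502
2025-01-14T08:05:42Z udp 203.0.113.9 10.20.0.31 47808
2025-01-14T08:06:00Z tcp 10.1.5.77 10.20.0.40 443
not a flow record
"""

def audit_flows(text):
    """Return legacy-protocol flows that reach controllers from outside their segment."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of failing the whole audit
        ts, proto, src, dst, dport = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        name = LEGACY_PORTS.get((proto.lower(), port))
        if name is None or dst_ip not in BMS_SEGMENT:
            continue  # not a legacy-protocol flow to a controller
        if src_ip in BMS_SEGMENT:
            continue  # controller-to-controller traffic stays inside the segment
        # Anything left reached an unauthenticated service from outside the segment.
        origin = "internal-other-segment" if src_ip in SITE_NETWORK else "external"
        findings.append({"time": ts, "protocol": name, "src": src,
                         "dst": dst, "origin": origin})
    return findings

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['time']} {f['protocol']} {f['src']} -> {f['dst']} ({f['origin']})")
```

A finding marked `internal-other-segment` points to missing segmentation between IT and building networks, while `external` means a controller is reachable from outside the site.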

Vulnerable Building Systems

A huge vulnerability for smart buildings is the building automation system (BAS), which controls the heating, ventilation, lighting, security and air conditioning. Claroty found that 75% of organizations have BMS devices with known exploited vulnerabilities, while default passwords, hardcoded credentials, and single-factor authentication are still common.

The problem is compounded by the interconnected nature of modern buildings. For smart buildings to function effectively they rely on a multitude of IoT devices to communicate with each other. However, all it takes is one compromised IoT device for hackers to get in, and it could take months before any malware they have used is detected.

Protection Strategies for NYC Buildings

Building owners and facility managers must adopt a proactive, multi-layered approach to cybersecurity:

  • Regular Updates: Securing smart buildings starts with the basics: keeping software and equipment up to date. Schedule regular updates and make sure every connected device, from HVAC controllers to access systems, is patched against known issues
  • Access Control: Vendor access should also be reviewed closely. Limit who can connect remotely, require MFA, and keep a record of all third-party sessions
  • Staff Training: Facilities staff play a key part in cybersecurity. When a system behaves oddly, such as a door that stops responding or a thermostat that resets itself, treat it as a potential warning sign

The Role of Professional HVAC Partners

Given the complexity of modern cybersecurity threats, NYC building owners need trusted partners who understand both HVAC systems and security protocols. Companies like Brothers Supply, an HVAC System NYC specialist with over 50 years of experience serving the New York area, are adapting to address these new challenges. As a locally owned and operated business for over 50 years, we have deep roots in the community, and we’re committed to serving our neighbors with integrity and care.

At Brothers Supply, our extensive experience and commitment to customer satisfaction set us apart. We’re experts in HVAC installations and repairs. Our team is ready to tackle any challenge, offering reliable and effective services every time. Our comprehensive approach includes the latest and most eco-friendly heating and cooling equipment, guaranteeing your indoor comfort while maintaining security-conscious practices.

Looking Ahead

Standards like ISO/IEC 27001 and NIST’s Zero Trust guidelines are becoming benchmarks for HVAC cybersecurity. Proactive adoption of these frameworks, combined with emerging technologies like quantum-resistant encryption, will define the next generation of secure climate control systems.

As NYC continues to embrace smart building technologies, the importance of cybersecurity in HVAC systems cannot be overstated. No single tool or policy will protect a building on its own. Combine updates, access control, and staff awareness into daily operations. Building owners who take proactive steps now will be better positioned to protect their properties, tenants, and operations from the growing threat of cyberattacks targeting smart building systems.

The future of NYC’s buildings depends not just on smart technology, but on smart security practices that keep these systems running safely and efficiently.
