Smart Building Cyber Security: How to Protect Your Building Network

Connected building systems have turned modern apartment buildings and commercial properties into high-value targets for cyber attackers. Every CCTV camera, access controller, intercom and lift monitoring system adds another entry point to your network — and most were never designed with cyber security in mind. If your building's network lacks proper segmentation and access controls, a single compromised device can expose every other system on that network.

Why Smart Buildings Face Serious Cyber Security Risks

The shift from isolated, closed systems to internet-connected infrastructure has happened quickly, and security has rarely kept pace. Building management systems (BMS), CCTV platforms, intercom hardware and access control controllers were traditionally installed on private, air-gapped networks. Today, they are routinely connected to the internet for remote monitoring and management — a practical necessity, but one that fundamentally changes the threat landscape.

The cyber security risks buildings face are not theoretical. In 2021, attackers gained access to a Florida water treatment facility through an outdated remote access tool connected to operational systems. The same attack vectors exist in apartment buildings and strata complexes: internet-exposed devices, default credentials, unpatched firmware and flat networks where every device can communicate with every other device.

For strata managers and building owners, the consequences of a breach extend beyond inconvenience. Unauthorised access to CCTV feeds raises serious privacy obligations under the Australian Privacy Act. Compromise of access control systems can physically endanger residents. Outages in building management platforms can disrupt lifts, HVAC and common area lighting across an entire complex.

The Most Common Building Network Security Failures

Understanding where building network security breaks down is the first step toward fixing it. The problems we encounter most often when auditing strata and commercial building networks fall into a consistent pattern.

Flat Networks With No Segmentation

The single most common and damaging building network security problem is the flat network — an architecture where CCTV cameras, access control panels, resident Wi-Fi, management computers and building systems all share the same network. There are no internal barriers. If an attacker compromises a single IoT device, such as a camera running two-year-old firmware, they have unimpeded access to every other device on that network.

A properly designed VLAN architecture for an apartment building solves this by isolating each system category into its own logical network segment. A compromised camera on the CCTV VLAN cannot reach the access control VLAN. Resident Wi-Fi traffic stays separate from building management infrastructure. Damage is contained.

Insecure Remote Access via Port Forwarding

Many building system installers configure remote access by opening ports directly on the internet router and forwarding traffic to internal devices. This method exposes devices directly to the public internet, where automated scanning tools continuously probe for open ports and attempt known exploits. We have audited buildings where CCTV recorders, intercom servers and BMS controllers were fully reachable from any IP address on the internet, protected only by a default or weak password.

The correct approach is a properly configured VPN, where remote access is granted only to authenticated users through an encrypted tunnel. No building system management interface should be directly internet-facing.

Outdated Firmware on IoT Building Security Devices

IoT building security devices — cameras, intercom units, access readers, environmental sensors — are notoriously slow to receive firmware updates, and building managers are rarely notified when critical security patches are released. A camera running firmware from 2022 may contain multiple publicly documented vulnerabilities that attackers can exploit without credentials. The same applies to intercoms, smart lighting controllers and energy monitoring gateways.

Regular patching is not optional. Every connected device in a building is a potential entry point, and manufacturers regularly release firmware updates specifically to address exploited security flaws.

Unsupported Operating Systems on Management Computers

Building management workstations — the computers used to configure and monitor BMS, CCTV and access control platforms — frequently run Windows versions that Microsoft no longer supports. Unsupported operating systems receive no security patches, meaning any vulnerability discovered after the end-of-life date remains permanently exploitable. We regularly encounter Windows 7 and Windows 10 (post end-of-life) machines running critical building infrastructure software.

Default Credentials on IoT Devices

A significant proportion of IoT building security devices arrive from manufacturers with well-known default usernames and passwords. These credentials are published in product manuals, indexed by search engines and used by automated attack tools. Without a formal process for changing credentials on every device during installation and periodically thereafter, buildings are effectively leaving their doors unlocked.

How to Secure a Smart Building Network: The Right Architecture

Addressing smart building cyber security requires a layered approach. No single control eliminates risk, but the combination of proper segmentation, managed infrastructure, secure access and consistent patching reduces the attack surface to a manageable level.

VLAN Segmentation for Every System Category

A properly designed apartment building network separates devices into distinct segments based on function and risk level. A typical strata building network should include separate VLANs for the following categories:

  • CCTV and surveillance systems
  • Access control and intercom infrastructure
  • Building management and automation systems
  • Resident broadband Wi-Fi
  • Staff and management devices
  • Guest or visitor Wi-Fi

Inter-VLAN communication should be explicitly permitted only where operationally required, and all permitted traffic should pass through a firewall where it can be inspected and logged. This architecture means a compromised resident device cannot reach access control systems, and a vulnerable IoT sensor cannot be used as a pivot point to reach management computers.

Business-Grade Firewalls With Active Threat Intelligence

Consumer-grade routers are insufficient for building network security. A business-grade firewall provides deep packet inspection, intrusion prevention, application-aware filtering and centralised logging. Modern unified threat management (UTM) platforms also incorporate threat intelligence feeds that automatically block traffic to and from known malicious IP addresses and domains — useful when IoT devices attempt to beacon to command-and-control infrastructure.

For strata and apartment buildings, the firewall should be configured to enforce strict outbound policies for IoT devices. A CCTV camera has no legitimate reason to communicate with servers in foreign jurisdictions. Restricting outbound traffic to known, necessary destinations is an effective control against malware that attempts to exfiltrate data or receive instructions.
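The sketch below is an added example, not part of the original article or any vendor's product. It models the default-deny inter-VLAN policy, the IoT outbound allow-list and the "nothing inbound from the internet" rule described above, then audits a set of flow records against them. Every subnet, address, port and the "vpn" segment are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan: one subnet per VLAN category (all values assumed).
SEGMENTS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "cctv": "10.20.10.0/24", "access": "10.20.20.0/24", "bms": "10.20.30.0/24",
    "resident": "10.20.40.0/22", "staff": "10.20.50.0/24", "guest": "10.20.60.0/24",
    "vpn": "10.20.99.0/24",  # address pool handed to authenticated VPN users
}.items()}
IOT = {"cctv", "access", "bms"}
# Explicitly permitted inter-VLAN flows: (source, destination, protocol, port).
INTER_VLAN_ALLOW = {
    ("staff", "cctv", "tcp", 443), ("staff", "access", "tcp", 443),
    ("vpn", "cctv", "tcp", 443), ("vpn", "bms", "tcp", 443),
}
# Known, necessary internet destination for the CCTV segment (constructed).
IOT_EGRESS_ALLOW = {("cctv", "203.0.113.10", "udp", 123)}  # time server

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "internet")

def evaluate(src, dst, proto, dport):
    # Verdict this policy gives to a single flow.
    s, d = segment_of(src), segment_of(dst)
    if s == "internet":
        return "DENY internet-inbound"      # what a port-forward would let through
    if d == "internet":
        if s in IOT and (s, dst, proto, dport) not in IOT_EGRESS_ALLOW:
            return "DENY iot-egress"
        return "ALLOW"
    if s == d:
        return "ALLOW"                      # same VLAN, never reaches the firewall
    return "ALLOW" if (s, d, proto, dport) in INTER_VLAN_ALLOW else "DENY inter-vlan"

def audit(flows):
    return [(f, v) for f in flows if (v := evaluate(*f)) != "ALLOW"]

# Constructed flow records: (source IP, destination IP, protocol, destination port).
FLOWS = [
    ("10.20.50.12", "10.20.10.5", "tcp", 443),       # staff PC -> recorder
    ("10.20.10.31", "10.20.20.4", "tcp", 80),        # camera -> access controller
    ("10.20.41.77", "10.20.30.2", "udp", 47808),     # resident device -> BMS
    ("10.20.10.31", "203.0.113.10", "udp", 123),     # camera -> time server
    ("10.20.10.31", "198.51.100.200", "tcp", 8443),  # camera -> unlisted host
    ("198.51.100.7", "10.20.10.2", "tcp", 554),      # internet -> recorder
]

if __name__ == "__main__":
    for flow, verdict in audit(FLOWS):
        print(verdict, flow)
```

Run against a flow export from a flat network, the same check shows how much existing traffic a segmented design would block, which is a useful input when deciding which inter-VLAN rules are operationally required.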

Secure Remote Access for Building System Maintenance

Building systems require legitimate remote access for vendor maintenance, software updates and fault resolution. This access should be provided through a managed VPN with multi-factor authentication, not open ports or third-party remote desktop tools with weak credentials. Access sessions should be logged, and vendor access should be time-limited and revoked when maintenance is complete.

Our managed building network service includes management of remote access infrastructure, so building managers do not need to handle VPN configuration or vendor credential management themselves.

Managed Network Infrastructure and Continuous Monitoring

Passive network infrastructure — switches, access points and routers that are installed and then forgotten — creates blind spots. Managed infrastructure provides real-time visibility into device status, traffic anomalies and security events. When a camera goes offline, when an unknown device connects to the network, or when unusual traffic volumes appear, building managers receive an alert rather than discovering the problem days later during a manual check.

This level of visibility is central to our approach to strata building communications and security. Proactive monitoring means issues are caught before they escalate into incidents.

CCTV Network Security Deserves Specific Attention

CCTV systems sit at an uncomfortable intersection of physical security and cyber risk. A compromised CCTV network does not just expose footage — it can provide attackers with a detailed, real-time view of a building's physical security posture, including guard patrol patterns, access point usage and resident movement.

CCTV network security requires dedicated network segmentation, strong recorder and camera credentials, encrypted video streams where supported, and restricted remote access. Recording servers should not be connected to general-purpose networks, and camera management interfaces should never be internet-facing.

Cyber Security Obligations for Strata Buildings

Strata buildings hold personal information about residents — names, contact details, access logs, and biometric data where facial recognition or fingerprint access is used. Under the Australian Privacy Act 1988, organisations with obligations to protect personal information must take reasonable steps to secure it. A building network that allows unauthorised access to CCTV footage or access control logs is not meeting that standard.

Beyond privacy law, strata managers have a duty of care to residents. A cyber security incident that disables access control or allows physical intrusion creates direct liability exposure. Treating building network security as a facilities matter rather than an IT matter is no longer defensible.

Frequently Asked Questions

Q: What is a VLAN and why does it matter for apartment building security?

A: A VLAN (Virtual Local Area Network) is a way of logically separating devices on the same physical network infrastructure so that devices in different VLANs cannot communicate with each other directly. In an apartment building, this means CCTV cameras, resident Wi-Fi, access control systems and building management computers each operate in their own isolated segment. If one device is compromised, the attacker cannot use it to reach systems on other VLANs. It is the single most important architectural control for building network security.

Q: How do cyber attackers typically target smart buildings?

A: The most common attack vectors are internet-exposed management interfaces, default or weak credentials on IoT devices, unpatched firmware on cameras and controllers, and phishing attacks on building management staff. Automated scanning tools continuously probe the internet for exposed devices, so buildings with poor network architecture are discovered and targeted without any specific intent on the attacker's part.

Q: Do small strata buildings need the same security as large commercial complexes?

A: The security controls should be proportionate to the number of connected systems and the sensitivity of the data involved, but the fundamental architecture — VLAN segmentation, business-grade firewall, secure remote access, managed infrastructure — applies regardless of building size. A small strata complex with 20 apartments and a CCTV system, intercom and access control still has enough connected infrastructure to warrant proper network design. The cost of proper security is substantially lower than the cost of recovering from a breach.

Q: Who is responsible for cyber security in a strata building?

A: Responsibility is typically shared and depends on how the strata scheme is governed. The owners corporation is generally responsible for common property systems including networks serving common areas. Strata managers acting on behalf of the owners corporation may have obligations depending on their management agreement. Where building technology systems are owned and operated by the owners corporation, it bears primary responsibility for securing that infrastructure. We recommend strata managers ensure their buildings have a documented network security policy and a managed IT provider with specific building technology experience.

Q: How often should building network devices be patched and updated?

A: Critical firmware updates should be applied within 30 days of release for internet-connected devices, and sooner where the update addresses an actively exploited vulnerability. Operating system patches for management computers should follow a monthly cycle aligned with vendor release schedules. In practice, without a managed service in place, most building networks receive no systematic patching — firmware is updated only when a device develops a fault severe enough to trigger a service call.


Protect Your Building With a Managed Network Audit

If you manage a strata building, apartment complex or commercial property with connected systems, the risks described above are not hypothetical — they are present in the majority of building networks we audit. Flat network architecture, internet-exposed devices, default credentials and unpatched firmware are the norm, not the exception.

We provide network audits, VLAN design, managed network infrastructure and ongoing cybersecurity services for strata and commercial buildings across Australia. Our team understands both the IT and the building technology side, which means we can secure your network without disrupting the systems your residents and managers depend on.

To arrange a building network security assessment, contact us on 1300 688 588 or email [email protected].