Thomasin Crowley, VP, Asia Pacific, WiredScore, shares how cyber risk is shifting from data to disruption as buildings become smarter and more connected.
Singapore has earned its reputation as one of the world’s most resilient cities, supported by robust digital infrastructure, strong regulatory frameworks and a clear national focus on connectivity. But as buildings become smarter, more connected and increasingly reliant on digital systems, a new and less visible risk is emerging – one that extends beyond data and into the physical operation of buildings themselves.
Over the past five years, the risk profile for buildings has fundamentally shifted. Traditionally, cybersecurity focused on protecting corporate IT networks – data, emails and enterprise systems.
Today, the focus is increasingly on operational technology (OT) – the systems that control how buildings function, including air-conditioning, access control, lighting and building management systems. These systems are now highly connected, often integrated with cloud platforms and external networks, yet they have not always been designed with cybersecurity in mind. As a result, they are becoming an attractive target for cyber criminals.
We are already seeing how seemingly routine systems can be exploited. Entry points can be as simple as HVAC controls or internet-enabled devices. Each additional connection increases the attack surface, and as buildings evolve into digital ecosystems, the potential points of vulnerability multiply.
WiredScore’s latest research highlights the scale of this challenge. Globally, 75 percent of organisations operate building systems with known vulnerabilities, while half of cyber incidents now occur in operational technology – the systems that keep buildings running. Singapore’s strong performance in global resilience rankings reflects a proactive approach to these risks.
Regulatory frameworks such as those introduced by the Infocomm Media Development Authority (IMDA), including standards for in-building telecommunications infrastructure, have helped to raise the baseline for digital performance and reliability. Combined with a nationwide fibre network and a focus on protecting critical information infrastructure, this has created a more resilient foundation than in many other markets. However, even in Singapore, the risk is evolving.
Recent cyber incidents targeting telecommunications and other critical infrastructure highlight how attackers are increasingly seeking persistent access to the systems that underpin digital connectivity. As buildings rely more heavily on these systems, the implications for the built environment are becoming more significant.
This changes the equation.
Cyber risk is no longer just about data breaches, or financial or reputational loss. It is about operational continuity. If building systems are compromised, the impact can be immediate and visible: access systems fail, environmental and temperature controls are disrupted, and in extreme cases, buildings may become temporarily unusable.
For asset owners, one of the biggest challenges is translating cybersecurity policies into building-level practice. Responsibility is often fragmented across multiple stakeholders – landlords, property managers, IT providers and contractors – creating gaps in oversight and accountability.
Fundamentally, there is a huge lack of governance today for building OT around cybersecurity because it still falls between the Property Management team and the IT team, who typically oversee data related cybersecurity. This often means that the governance and controls applied to IT cybersecurity are not extended to OT cyber security, largely because people haven’t thought about it as a risk. At the same time, building systems are frequently deployed and maintained by different vendors, making it difficult to ensure consistent security standards across all components.
Addressing this requires a shift in mindset. Cybersecurity must be treated not as an IT issue, but as a core component of building performance, and asset owners need to extend the purview of their governance structures and controls to include OT too. In practical terms, this means:
- Device Management: Understanding exactly what building technology you have in your building and who’s responsible for keeping each device cyber secure.
- Governance: Integrating building technology into the cyber policies, risk management and training processes you already have for laptops and corporate equipment today.
- Control: Implementing cyber controls to pre-empt problems rather than reacting to them. Simple measures such as ensuring passwords aren’t left on post-it notes stuck to the BMS PC is all it takes to start.
Independent benchmarking and certification can also play an important role in raising standards. WiredScore can provide asset owners with a clear framework for assessing and improving resilience, to help them establish where the risks are by surfacing them systematically.
The commercial implications are increasingly clear. As occupiers become more dependent on digital infrastructure, particularly in sectors such as finance, technology and AI, expectations of buildings are shifting. Reliability, connectivity and security are no longer differentiators; they are requirements. In a market like Singapore, where competition for tenants is high and expectations are sophisticated, resilience is becoming directly linked to asset value, tenant retention and long-term competitiveness.
Looking ahead, the next frontier of cyber risk will not be limited to individual systems, but will involve the interconnection between systems where vulnerabilities in one area can cascade across an entire building ecosystem. The question for asset owners is no longer whether cyber risk will affect the built environment, but whether their buildings are prepared for when it does. Because the next cyberattack may not just compromise data. It could shut down your building.
Thomasin Crowley, VP, Asia Pacific, WiredScore
Thomasin Crowley oversees all markets across Asia Pacific and the Middle East. She shapes regional strategy, drives growth and leads the rollout of WiredScore and SmartScore certifications at scale. Based in Hong Kong, Thomasin is known for her sharp commercial instincts, deep understanding of digital infrastructure and ability to influence senior stakeholders. Her career spans advisory, real estate and technology, which gives her a unique lens on how buildings remain competitive, future ready and sustainable.
