Protecting the Crown Jewels
A proactive approach to xIoT security
Last year’s theft of high-value assets at the Louvre Museum in Paris, France, serves as a critical and tangible case study on the intersection of physical and digital vulnerabilities within modern built environments. While such institutions often employ sophisticated security measures, the investigation revealed that a nearby surveillance camera had been angled away from the intrusion point, and the password protecting the museum’s internet protocol (IP) camera network was easily compromised. This combination of physical misalignment and weak digital authentication practices reflects a broader challenge faced by facility managers as Extended Internet of Things (xIoT) systems become integral to daily operations.
Cameras, access controls, environmental sensors and other connected assets form the essential layers of modern facility infrastructure. However, many of these devices remain deployed with minimal configuration oversight, vulnerable software or factory-set credentials. Even in highly sophisticated environments, the tendency to overlook fundamental safeguards can create conditions in which a single vulnerable device compromises the resilience of an entire facility. Protecting a facility’s most critical assets requires an understanding of both individual hardware vulnerabilities and the operational practices that allow those weaknesses to persist.
The expanding xIoT landscape
Facilities incorporate an expansive range of connected devices – including IP cameras, badge access controllers, HVAC systems, air quality sensors, leak detectors, lighting systems, smart elevators and energy-management platforms. These technologies are deployed to streamline operations, improve energy efficiency, support global sustainability targets, and enhance the overall safety and occupant experience.
Despite the wide swath of benefits, connectivity introduces significant layers of responsibility. Many connected systems run continuously, requiring regular software updates and secure configurations that must be monitored over time. Digital maturity varies significantly across different global regions and facility types. While some global enterprises have successfully adopted connected-device governance models, many organizations struggle to integrate legacy systems with newer smart-building technologies.
Facility managers overseeing older buildings or geographically distributed portfolios often inherit decades-old HVAC controllers or access systems that were never designed for integration with modern monitoring platforms. When layering legacy systems into newer environments without consistent standards for configuration, updates or oversight, they create inconsistent risks across the broader facility. This "technical debt" is not merely a performance issue; it is a fundamental security gap that expands as more devices are added to the network.
Vulnerabilities & operational implications
Unfortunately, facility managers (FMs) commonly rely on passive monitoring or traditional discovery tools to track the status and network behavior of connected systems. For example, a building management team may run weekly scans to ensure HVAC units and cameras are online and reporting data. While this provides visibility, it does not actively enforce security controls.
The assumption that visibility is equivalent to security is a persistent misconception. Even actively monitored systems remain vulnerable if underlying weaknesses are not addressed; a camera may report an "operational" status while still using default credentials, leaving it open to unauthorized access. In large, geographically dispersed facilities where thousands of systems are deployed across multiple campuses, manual oversight is often impractical. Consequently, minor misconfigurations – such as outdated thermostat firmware or an expired digital certificate – can go unnoticed for months.
Common systemic vulnerabilities include:
- Default credentials: Many devices are shipped with factory-set usernames and passwords that are never updated, leaving them exposed to simple brute-force attacks.
- Outdated firmware: Known exploits often remain unpatched in facility hardware, providing accessible entry points for attackers.
- Configuration drift: Small, incremental changes to system settings accumulate unnoticed over time, gradually weakening both reliability and security.
- Expired certificates: Lapses in encrypted communication or identity trust mechanisms can disrupt operations and expose systems to unauthorized access.
A single misconfigured system can serve as a gateway into critical building system networks, including life-safety infrastructure and environmental monitoring. Exploited vulnerabilities may lead to altered temperature settings, disabled surveillance or inaccurate sensor readings. Beyond immediate operational disruptions, compromised systems can be leveraged as entry points for ransomware or data exfiltration. These weaknesses are the digital equivalent of leaving a physical door unsecured.
Instructional guide: Conducting an xIoT audit
To move from a reactive to a proactive security posture, FMs should conduct regular, comprehensive audits of their connected device landscape. An effective audit follows a structured methodology to ensure no critical infrastructure is overlooked.


Implementing proactive governance
Managing xIoT systems effectively requires moving beyond simple device-level monitoring toward systemic governance and continuous intervention. As the number of connected devices proliferates, relying on manual action becomes untenable, making automated processes and standardized policies essential for maintaining resilience.
FM teams can mitigate risks by adopting a system-focused governance approach centered on the following practices:
- Credential hygiene: Implementing strong authentication policies and regular password rotation cycles.
- Firmware governance: Ensuring devices receive timely updates to eliminate known vulnerabilities.
- Certificate management: Tracking expiration dates and renewing certificates to maintain secure communication.
- Configuration baselines: Developing standardized configurations for each device category to prevent drift.
- Continuous monitoring: Using tools to detect unusual behavior or unauthorized access attempts in real time.
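The four systemic weaknesses listed under "Vulnerabilities & operational implications" map directly onto the governance practices above, and an audit can check an inventory against them in one pass. The following is an added example written for this article, not code from the author or from Phosphorus; the device categories, firmware versions, configuration keys, dates and rotation cycle are constructed placeholders standing in for a facility's own policy.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Device:               # one row of the connected-device inventory
    name: str
    category: str           # key into BASELINES (device class)
    firmware: str
    config: dict            # settings as read back from the device
    cert_expiry: date
    credential_rotated: date
    factory_default: bool   # still on the vendor's shipped credentials?
# Constructed policy (hypothetical versions and settings, not real vendor values):
# approved firmware floor and configuration baseline for each device category.
BASELINES = {
    "ip-camera": ("2.4.1", {"telnet": "off", "rtsp_auth": "on", "ntp": "on"}),
    "hvac-controller": ("5.0.3", {"bacnet_write": "restricted", "web_admin": "off"}),
}
ROTATION_DAYS, CERT_WARN_DAYS = 90, 30   # rotation cycle; certificate renewal lead time

def audit_device(dev, today):   # findings for one device; an empty list means compliant
    if dev.category not in BASELINES:   # an unbaselined class is itself a coverage gap
        return [f"no configuration baseline for category {dev.category}"]
    fw_floor, base_cfg = BASELINES[dev.category]
    findings = []
    if dev.factory_default:
        findings.append("factory-default credentials in use")
    elif (today - dev.credential_rotated).days > ROTATION_DAYS:
        findings.append("credential rotation overdue")
    # compare dotted versions numerically so "2.10.0" is not older than "2.4.1"
    if tuple(map(int, dev.firmware.split("."))) < tuple(map(int, fw_floor.split("."))):
        findings.append(f"firmware {dev.firmware} below approved {fw_floor}")
    drift = {k: dev.config.get(k) for k, v in base_cfg.items() if dev.config.get(k) != v}
    if drift:
        findings.append(f"configuration drift: {drift}")
    days_left = (dev.cert_expiry - today).days
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < CERT_WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return findings

def audit_fleet(devices, today):   # only devices that need attention, by name
    return {d.name: f for d in devices if (f := audit_device(d, today))}

# Constructed sample inventory and audit date; names and values are illustrative only.
TODAY = date(2026, 3, 1)
SAMPLE = [
    Device("cam-dock-07", "ip-camera", "2.3.0", {"telnet": "on", "rtsp_auth": "on", "ntp": "on"},
           date(2026, 3, 10), date(2024, 6, 1), True),
    Device("ahu-roof-02", "hvac-controller", "5.0.3", {"bacnet_write": "restricted", "web_admin": "on"},
           date(2025, 12, 31), date(2025, 10, 1), False),
]
```

Run `audit_fleet(SAMPLE, TODAY)` to get one findings list per non-compliant device; feeding the inventory from a passive discovery tool and the baselines from the configuration standard turns this into the recurring audit the article calls for.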
Automation’s role in scaling security
In an environment with thousands of connected devices, manually updating passwords or rotating certificates would require a massive, dedicated staff. Automation is not a luxury; it is a necessity for modern FMs.
Automated systems can perform "zero-touch" rotations of credentials, ensuring that every camera, sensor and controller has a unique, complex password that changes on a predefined schedule. Furthermore, automated firmware management can download, test and deploy patches across thousands of devices simultaneously, reducing the window of vulnerability from months to hours.
Developing an RFP for xIoT security
As organizations realize the scale of their xIoT footprint, many seek third-party solutions to manage these risks. To ensure a facility obtains the necessary level of protection, the request for proposal (RFP) must be specific and rigorous. An IT RFP is often insufficient because it does not account for the unique operational constraints of building automation systems.
Key requirements for a facility-centric xIoT security RFP should include:
- Nondisruptive discovery: The solution must be able to identify devices without causing operational downtime. Many legacy HVAC or medical devices are sensitive to active network scanning; therefore, the RFP should prioritize tools that use "passive" or "safe-active" discovery methods.
- Automated remediation: Visibility is only half the battle. The RFP should require the ability to automatically rotate passwords and update firmware without manual intervention.
- Vendor-agnostic support: Modern facilities use a mix of manufacturers. The security platform must support a broad range of proprietary and open protocols.
- Integration with existing workflows: The solution should integrate with existing computerized maintenance management systems or security information and event management platforms to ensure alerts are managed by the appropriate teams.
A framework for resilience
The Louvre incident demonstrates how small oversights in both physical and digital domains can lead to major consequences. A misaligned camera or an unchanged password serves the same role as an unlocked window, allowing a breach that bypasses even the strongest perimeter defenses.
To address these challenges, FMs should adopt frameworks that integrate physical security teams, IT departments and building automation specialists. Cross-functional collaboration ensures that device security is viewed not merely as an IT responsibility, but as an essential component of overall facility resilience. Prioritizing proactive security over reactive incident response allows organizations to address predictable vulnerabilities before they are exploited.
As environments become interconnected, the security of connected devices is foundational to operational stability and risk management. By combining rigorous governance, continuous monitoring and cross-functional coordination, FM teams can reduce systemic vulnerabilities and fortify the assets they protect.
Chris Rouland is the Founder and CEO of Phosphorus, a leading provider of proactive security for the Extended Internet of Things (xIoT). With decades of experience in the cybersecurity industry, he has dedicated his career to identifying and mitigating the risks associated with connected devices in complex environments. Rouland is a recognized expert in the built environment, focusing on how facility managers can secure critical infrastructure against evolving threats.