Critically Neglected: Cybersecurity for buildings
Thomas Pope
DEF CON 33 · Day 1 · Main Stage
In an era where digital infrastructure underpins nearly every aspect of modern life, the cybersecurity of physical buildings remains a critically overlooked and dangerously vulnerable attack surface. Thomas Pope, Head of Property Cyber Security, delivered a compelling talk at DEF CON, shedding light on the alarming state of security within **Building Management Systems (BMS)**, **Building Automation Systems (BAS)**, and the burgeoning **Internet of Things (IoT)** devices integrated into commercial properties. His presentation underscored a fundamental disconnect: while industries like power, oil, and gas inherently recognize the need for robust control system security, buildings—complex ecosystems of interconnected operational technology (OT)—are often left exposed, operating on assumptions of isolation that no longer hold true.
AI review
Pope clearly knows this space and the case studies — AppleTalk C2 through elevators, KNX mass-password-set, ransomware destroying forensic evidence via vendor advice — are genuinely useful war stories from someone who's been in these buildings. The problem is the talk stays at the survey layer: here's how bad the hygiene is, here's why nobody cares, here's the org-chart friction. That's a real contribution, but it's not DEF CON-tier research.