Hostile Architecture, or, The Beautiful Horror of Building Control

Right now, you're sitting in 72-degree comfort, fluorescent lights humming overhead, elevators moving quietly between floors.

November 7, 2025 · 4 min read · LinkedIn source

Industry Analysis · Physical Security · Vendor Strategy · Oil & Gas

Somewhere in your building's basement, a Tridium Niagara controller is making thousands of decisions per second about your physical environment.

Nozomi Networks has just disclosed thirteen vulnerabilities in it. The encryption is turned off. And someone, somewhere, has definitely noticed.

The Ghost in the Machine

Tridium Niagara runs in 500,000 buildings worldwide. Not some of them. Not most of them. Damn near all of them. That hospital where you were born? Niagara. The office where you're reading this? Niagara. The hotel where you had that affair? Definitely Niagara, and yes, it logged your keycard.

These systems know things. They know when the CEO arrives because the executive floor starts warming at 6:47 AM. They know when layoffs are coming because HR books the big conference room and disables the keycard printer. They know when the janitor is stealing laptops because he badges into offices that aren't on his cleaning schedule.

Now imagine someone else knowing all of that. For the past five years. Because these vulnerabilities aren't new; they're just newly admitted.

The Beautiful Horror of Building Control

Forget everything you think you know about cyberattacks. No ransomware pop-ups. No stolen files. No dramatic shutdowns. Building attacks are subtle, patient, almost artistic in their cruelty.

Picture this: It's August in Phoenix. Board meeting on the 47th floor. The HVAC fails at 2 PM, just as the quarterly disaster is being explained to investors. The room temperature climbs to 89 degrees. Sweat stains appear on expensive suits. The CFO's makeup runs. The presentation dies as executives flee for cooler floors.

Was it an attack? Equipment failure? Perfect timing? You'll never know. The logs show a "transient anomaly." The HVAC vendor finds nothing wrong. But the stock drops 3% on reports of "chaos" at the board meeting.

That's building control. Not destruction. Manipulation.

The Texas Preview

Remember the 2021 Texas freeze? Buildings lost heat. Pipes burst. People literally froze to death in their apartments. That was nature showing us what building control warfare looks like.

Now realize someone can recreate that. Building by building. Target by target. A hospital during surgery. A data center during trading hours. A pharmaceutical facility during vaccine production. All it takes is flipping the right bits in a system running code from 2009 with the encryption turned off because that's how it shipped and nobody knew to change it.

The Integrator Problem

Here's the sick joke: The same efficiency that makes modern buildings possible makes city-wide attacks trivial. Every major city has maybe five companies that service these systems. Johnson Controls. Siemens. Honeywell. Schneider. They all have master passwords. They all have VPN access. They all use the same configurations because why reinvent the wheel?

Hack one integrator and you own every building they touch. In Manhattan, that's hundreds. In Houston, that's every refinery's control room. In DC, that's buildings you're definitely not supposed to be in.

The integrators know this. They've known for years. But admitting it means admitting that two decades of smart building installations are fundamentally, unfixably broken. So they patch what they can, pray nobody notices what they can't, and cash the maintenance checks.

The Perfect Crime

Building attacks are invisible because buildings are supposed to fail. HVAC breaks. Elevators stop. Lights flicker. It's annoying but expected. Nobody calls the FBI when the air conditioning dies. They call maintenance.

An attacker who understands this can live in these systems forever. Slowly increase energy bills by adjusting temperature setpoints. Create maintenance issues that require expensive emergency repairs. Make elevators just slow enough to be irritating but not suspicious. Gradually degrade comfort until productivity drops but nobody can explain why.

Or wait. Wait for the perfect moment. The IPO. The merger announcement. The vaccine deployment. The moment when building failure becomes business failure. Then execute with surgical precision and let everyone argue about whether it was intentional or just Murphy's Law.

The Thirteen Vulnerabilities

Nozomi found thirteen ways in. They're not saying what they are, exactly, which tells you everything. When researchers go quiet on details, it means the details are catastrophic. It means patches won't help. It means the only fix is ripping out millions of dollars of infrastructure that companies just finished installing.

But here's the real tell: These vulnerabilities affect versions through 4.10u10. That's not a random version number. That's the version running in most buildings because upgrading building automation systems means shutting down the building. Try explaining to a hospital that they need to turn off life support systems for a firmware update. Try telling a trading floor they need to close for a week to segment networks.

What This Actually Means

Five hundred thousand buildings with thirteen vulnerabilities and encryption turned off by default. Twenty-year-old systems that can't be patched without shutting down critical operations. Master passwords shared across entire cities. And somewhere, someone who's been inside these systems long enough to understand them better than the people who built them.

The next time your office feels stuffy, your elevator seems slow, or your badge reader hesitates before the green light, remember: Your building has thirteen ways to kill you.

And someone, somewhere, is deciding whether today's the day.

🌊


Based on Nozomi Networks disclosure, November 5, 2025
