Network diagram showing connected building automation systems and IT infrastructure

What IT/OT Convergence Actually Means for Facility Managers

Ten to fifteen years ago, a building’s HVAC controls, its IT network, and its physical security system were three separate worlds, run by three different teams, with almost no overlap between them. That separation is disappearing, and most facility management organizations haven’t fully caught up to what the change actually requires of them.

This is what people mean by IT/OT convergence — Information Technology (the systems that manage data, networks, and computing) and Operational Technology (the systems that manage physical equipment, like HVAC controllers, elevators, and building automation) increasingly running on the same networks, talking to the same platforms, and creating the same risk exposure.

Why This Happened

Building automation didn’t become networked by accident. IoT sensors, remote monitoring, and centralized building management systems all promised real, legitimate value — the ability to see a building’s performance in real time, catch a failing system before it fails completely, and manage multiple properties from a single dashboard instead of relying on someone physically walking the site.

That value is real. Building automation systems genuinely do reduce reactive maintenance, catch problems earlier, and give facility teams visibility they didn’t have when everything was analog. The convergence trend is not a mistake to reverse — it’s the direction the entire industry has been moving for a legitimate reason. It’s also directly connected to why vendor accountability matters more as systems get more connected — the same documentation gaps that undermine SLA enforcement also tend to undermine security visibility.

The complication is that connecting a building’s physical control systems to a network — especially one that touches the broader internet for remote monitoring or cloud reporting — means those systems now carry the same kind of exposure that IT networks have dealt with for decades. A compromised thermostat or sensor is no longer just a facilities problem. It’s potentially a network entry point.

Why This Is Showing Up in Procurement Now, Not Just IT Departments

This shift used to be a conversation confined to IT security teams. It’s increasingly showing up directly in facility management procurement decisions, for a specific reason: cybersecurity credentials on building automation equipment are now affecting vendor selection and RFP outcomes, particularly in regulated sectors like healthcare, finance, and government.

Regulatory activity is accelerating this. Government agencies have moved to standardize on more security-hardened building automation platforms specifically to address this exposure. Protocol-level security upgrades — like BACnet Secure Connect (BACnet/SC), a hardened version of the dominant open protocol in commercial building automation — are increasingly showing up as explicit contract requirements rather than optional upgrades.

For a facility manager, this means a decision that used to be purely operational — which BMS platform to select, which vendor to bring in for an IoT rollout — now has a real cybersecurity dimension that can’t be delegated entirely to an outside IT department without losing visibility into the operational tradeoffs.

What This Practically Means for Facility Teams

Legacy systems are a real, specific exposure. Older building automation systems were often designed with no meaningful security architecture at all, built at a time when nobody expected them to be networked. Connecting a legacy BAS to a modern network without addressing this creates a genuine vulnerability, not a theoretical one.

Vendor selection now has a technical security dimension. Evaluating a CMMS or BAS vendor increasingly requires asking about their security architecture directly — not just their feature set, response times, or price. A vendor unable to speak clearly to protocol security, network segmentation, or update practices is a real signal worth weighing. This is the same underlying discipline behind good vendor accountability generally — the willingness to ask precise questions and expect documented answers, not just reassurance.

This is a genuine specialization, not a footnote. IT/OT convergence sits at the intersection of two disciplines that historically didn’t need to talk to each other. Facility teams evaluating this now benefit from guidance that understands both the operational reality of building systems and the security architecture question, rather than treating it as purely an IT problem to hand off.

Where This Is Heading

The trajectory here is clear even if the pace varies by sector: building automation will keep getting more connected, not less, because the operational value is real and the direction of the broader industry isn’t reversing. What’s changing is that the security dimension of that connectivity is moving from an afterthought to a standard evaluation criterion — showing up explicitly in RFPs, procurement standards, and regulatory requirements in a way it simply didn’t a few years ago.

Facility teams that treat this as a genuine planning consideration now — understanding what’s actually running on their networks, where legacy exposure exists, and what a security-conscious vendor selection process actually looks like — are in a materially better position than teams that keep treating it as purely an IT department’s problem.

Kibog Advisory works on FM technology strategy, including IT/OT convergence, IoT rollout planning, and building automation vendor evaluation, for facility and property teams across North America. Explore the platform or start a conversation about your specific technology roadmap.