Tosi's 2026 OT Security Maturity Assessment of the real estate sector identified remote access as the weakest OT security capability; the lowest-scoring of the five capability areas assessed.
While European building automation operators perform slightly better in this area, scoring 3.34, out of a possible 5.0, against 3.28 achieved by their American counterparts, the difference is marginal and does not change the bigger picture. Shared VPN credentials, open ports, and slow vendor access provisioning remain widespread across building automation environments, leaving critical systems, HVAC, elevators, access control, fire suppression, exposed to unauthorized entry.
Real estate and property management leads the building automation industry overall with an average OT maturity score of 3.63 out of 5.0, performing better than other assessed sectors in thread detection (3.93) and multi-site management (3.57). Portfolio-scale operations appear to drive investment in centralized visibility and monitoring. Yet that leadership makes the remote access gap all the more striking, organizations that have invested in knowing what is on their networks have not extended the same discipline to controlling who gets in.
“Real estate environments are increasingly connected, but access governance has not kept pace,” said Sakari Suhonen, CEO of Tosi U.S. “The data shows that organizations can detect a breach, but they are far less capable of preventing unauthorized entry in the first place. Monitoring investment has outpaced access control investment. That imbalance needs to be corrected before a vendor’s open port becomes an attacker’s entry point into a skyscraper, or a shopping center”