Building management systems (BMS) are centralized platforms that oversee a building’s mechanical, electrical, and environmental systems. Yet they are often overlooked with regard to an organization’s cybersecurity planning. Expert Dan Ricci explains why and provides six strategies for securing BMS.
Operational Resilience
Operational Technology
Cyber Resilience
Vulnerability Management
Risk Management

The Overlooked Cyber Risk: Building Management Systems in Critical Infrastructure

Dan Ricci
Oct 15, 2025

Building management systems (BMS) are foundational to the operation of critical infrastructure, enabling environmental control across various sectors, including energy, commercial and government facilities, the defense industrial base, data centers, battery energy storage, food processing, semiconductor fabrication, aerospace, and pharmaceutical manufacturing. 

These control systems regulate temperature, humidity, airflow, and other conditions essential to uptime, safety, and product integrity. However, their roles are often excluded from organizations' cybersecurity strategies. We’ll learn how this oversight introduces systemic risk, and why BMS should be treated as integral components of any mission-critical security plan.

Understanding BMS in Critical Environments

A BMS is a centralized platform that monitors and controls critical facility functions such as heating, ventilation, air conditioning (HVAC), lighting, access control, and fire suppression. These systems help maintain safe, efficient, and stable operating conditions across multiple environments. While traditionally managed as facility support infrastructure, a BMS often interfaces with ICS/OT and enterprise networks, sometimes through control system protocols (e.g., BACnet, Modbus TCP, LonWorks, KNX, DALI, and OPC) or vendor-managed remote access platforms, making it deeply embedded in the broader operational ecosystem.

In mission-critical environments, BMS dependencies are tightly coupled with continuity, safety, and compliance. Data center safety relies on precise cooling, airflow, and fire suppression to prevent thermal shutdowns and equipment damage, while access control systems help secure sensitive server rooms. Food processing facilities depend on temperature regulation, contamination control, and lighting systems calibrated for hygiene and inspection standards. Climate-sensitive manufacturing sectors, including pharmaceuticals, semiconductors, and aerospace, require stable environmental conditions, cleanroom lighting, and controlled access to protect sensitive materials, maintain product integrity, and meet regulatory thresholds.

Why BMS Are Overlooked in Cybersecurity

Despite their operational importance, BMS are frequently excluded from cybersecurity planning due to a combination of organizational, technical, and regulatory blind spots. They are typically managed by facilities or operations teams, not IT or cybersecurity personnel. In some cases, however, IT personnel manage the network over which the BMS communicates. 

This separation creates a disconnect in responsibility and visibility, especially when cybersecurity policies are developed without input from those overseeing physical infrastructure. An article by American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) member Ron Bernstein, “Cybersecurity for Building Automation System,” notes: “The ongoing maintenance and monitoring of the systems falls into the facility engineering and maintenance team… they are key to defining and enforcing the plan.”

BMS platforms are sometimes proprietary, providing the asset owner with limited transparency into system architecture or remote access configurations. Facility owners often rely on vendor technicians for system and/or security updates and troubleshooting, which can delay remediation and obscure accountability. Managing vendor relationships is an essential layer in a comprehensive security approach, with attention to supply chain risks and the use of outsourced or cloud-based services.

BMS are often treated as an afterthought or considered non-critical, particularly when compared to IT systems or production assets. This misconception overlooks the fact that BMS have a direct impact on uptime, safety, and environmental stability. Moreover, smart buildings have further integrated BMS with IT enterprise networks and internet of things (IoT) devices, so they are no longer isolated systems. They are critical for operational continuity, especially in data centers and high-sensitivity production environments.

While cybersecurity frameworks like NIST CSF and ISO/IEC 27001 provide general security guidance, they rarely address BMS explicitly. Sector-specific standards may focus on IT and OT systems but do not consider the cyber-physical nature of building controls. The ASHRAE article points out that formal security requirements for BMS are often missing. It encourages stakeholders to build customized cybersecurity strategies that address incident response, system monitoring, and legal accountability.

Real-World Risks and Vulnerabilities

BMS have increasingly become targets for cyberattacks due to their connectivity, legacy protocols, and operational importance. Misconfigured HVAC systems have led to documented server failures in data centers, where environmental control lapses caused overheating, resulting in downtime and hardware damage. Remote access vulnerabilities are especially prevalent in vendor-managed BMS platforms; Claroty's “State of CPS Security 2025: Navigating Risk in an Uncertain Economic Landscape” report found that 75% of organizations operate BMS devices affected by known exploited vulnerabilities (KEVs), with many linked to ransomware campaigns and insecure internet-facing interfaces. Control system protocols such as BACnet and Modbus, widely used in building automation, lack encryption and authentication, making them susceptible to spoofing, replay attacks, and unauthorized access to BMS platforms.

These vulnerabilities create viable attack vectors for adversaries. Because of limited segregation between IT and OT networks, an attacker can pivot from a compromised IT system into broader OT networks through remote service exploitation (T1210) or remote desktop hijacking (T1563.002).

Once inside, attackers may deploy ransomware to disrupt facility controls, encrypt operational systems, or demand payment to restore HVAC, lighting, or access control functions. The MITRE ATT&CK for ICS technique Change Credential (T0892) has been observed in an attack against a BMS in Germany, “where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key.” The convergence of physical and digital systems in BMS environments amplifies the impact of these threats, turning what was previously considered peripheral infrastructure into a high-value target.

Six Strategies for Securing BMS

Securing BMS requires asset owners to consider these systems as part of their organization’s attack surface. This shift in thought requires a layered approach that includes technical controls, organizational alignment, and vendor collaboration and accountability.

1: BMS Asset Visibility

Effective BMS security planning starts with asset visibility. Asset owners must maintain a current inventory of all BMS devices and of any connected assets that reach external networks. This includes controllers, gateways, BMS servers, and vendor-managed remote access.

2: Segmentation Mitigates Lateral Movement

These systems should be logically segmented from the IT and OT networks via VLANs, with a firewall creating demilitarized zones (DMZs), intrusion detection systems for monitoring, and, if necessary, data diodes for one-way traffic flow. Segmentation helps mitigate lateral movement but can be defeated through insecure remote access to internet-facing devices on both IT and OT networks.
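The zone-and-conduit model described above can be verified rather than assumed. The following is an added example (not code from the article or from any vendor) that expresses a segmentation policy as permitted conduits between zones and evaluates observed flow records against it. The zone addresses, conduit list, and flow records are all constructed for this illustration; the point it makes is the article's own: a flow that goes straight from the IT zone to a controller, or that touches an address outside every defined zone (the internet), is exactly what segmentation is meant to stop and what insecure remote access reintroduces.

```python
"""Zone/conduit check for a segmented BMS network (added example, constructed data)."""
from ipaddress import ip_address, ip_network

# Hypothetical zone layout; all addresses are constructed for this example.
ZONES = {
    "it":      [ip_network("10.10.0.0/16")],
    "bms_dmz": [ip_network("10.20.0.0/24")],   # jump host / supervisory server
    "bms":     [ip_network("10.30.0.0/24")],   # controllers and gateways
}

# Conduits the policy permits: (src_zone, dst_zone, dst_port) -> description.
# Port numbers are the standard defaults for BACnet/IP (47808) and Modbus TCP (502).
ALLOWED = {
    ("it", "bms_dmz", 443):     "operator web UI via DMZ jump host",
    ("bms_dmz", "bms", 47808):  "BACnet/IP from jump host",
    ("bms_dmz", "bms", 502):    "Modbus TCP from jump host",
    ("bms", "bms", 47808):      "controller-to-controller BACnet",
}


def zone_of(addr):
    """Map an address to its zone; anything outside every zone is 'external'."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "external"


def check_flow(src, dst, dst_port):
    """Return (verdict, reason) for one observed flow.

    'allow'  - matches a defined conduit
    'alert'  - involves an address outside all defined zones (e.g. the internet)
    'deny'   - crosses zones without a matching conduit (lateral movement path)
    """
    sz, dz = zone_of(src), zone_of(dst)
    key = (sz, dz, dst_port)
    if key in ALLOWED:
        return "allow", ALLOWED[key]
    if sz == "external" or dz == "external":
        return "alert", f"{sz}->{dz}:{dst_port} involves an address outside all defined zones"
    return "deny", f"no conduit defined for {sz}->{dz}:{dst_port}"


# Constructed flow records: (src, dst, dst_port)
SAMPLE_FLOWS = [
    ("10.10.5.20", "10.20.0.10", 443),      # operator reaches jump host: allowed
    ("10.20.0.10", "10.30.0.15", 47808),    # jump host polls controller: allowed
    ("10.10.5.20", "10.30.0.15", 47808),    # IT host reaches controller directly: deny
    ("203.0.113.7", "10.30.0.15", 502),     # internet source reaches Modbus port: alert
    ("10.30.0.15", "198.51.100.9", 443),    # controller calls out to the internet: alert
]


def audit(flows):
    """Evaluate every flow and return rows of (src, dst, port, verdict, reason)."""
    return [(src, dst, port, *check_flow(src, dst, port)) for src, dst, port in flows]


if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(row)
```

In practice the flow records would come from firewall logs or a NetFlow/IPFIX collector, and the policy table from the segmentation design; the value of the check is that it turns the design into something that can be re-run after every firewall or vendor remote-access change.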

3: Learn Your BMS Protocols

Understanding the capabilities and limitations of BMS protocols such as BACnet, Modbus, LonWorks, and KNX is crucial for selecting appropriate security solutions and for configuring monitoring and detection for the BMS devices that communicate with these protocols. Continuous monitoring and anomaly detection are required to distinguish legitimate from malicious activity. Establishing a baseline of normal BMS operations is key to tuning alerts that detect threat activity.
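To make the baseline idea concrete, and to illustrate the earlier point that Modbus carries no authentication, here is an added example (not code from the article, from Claroty, or from any Modbus library) that parses the Modbus TCP MBAP header and then judges each frame against a per-source baseline of expected unit IDs and function codes. Everything in it is constructed: the source addresses, the baseline profiles, and the sample frames. Standard Modbus function codes are used (3 = Read Holding Registers, 5/6/16 = writes), and write operations from an unbaselined source are rated the most severe because, as the protocol offers nothing to stop them, detection is the control.

```python
"""Baseline-based detection over Modbus TCP frames (added example, constructed data)."""
import struct

# Standard Modbus function codes that modify state on the device.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


def parse_modbus_tcp(payload):
    """Parse the 7-byte MBAP header plus the function code.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1).
    Note what is absent: there is no field for authentication or integrity, so the
    unit id and function code are trusted exactly as sent. Raises ValueError on
    malformed input rather than guessing.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(payload) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": tid, "unit_id": unit,
            "function": payload[7], "data": payload[8:]}


def build_request(tid, unit, function, data):
    """Construct a well-formed request frame (used only to make sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Hypothetical baseline learned during a period of known-good operation.
BASELINE = {
    "10.20.0.10": {"units": {1, 2}, "functions": {3, 16}},   # supervisory server reads/writes
    "10.20.0.11": {"units": {1}, "functions": {3}},          # historian only polls
}


def evaluate(src, payload, baseline=BASELINE):
    """Return a list of alert strings for one frame; an empty list means 'within baseline'."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"[medium] malformed frame from {src}: {exc}"]
    fn = frame["function"]
    name = FUNCTION_NAMES.get(fn, f"function {fn}")
    profile = baseline.get(src)
    if profile is None:
        sev = "high" if fn in WRITE_FUNCTIONS else "medium"
        return [f"[{sev}] unbaselined source {src} sent {name} to unit {frame['unit_id']}"]
    alerts = []
    if frame["unit_id"] not in profile["units"]:
        alerts.append(f"[medium] {src} addressed unit {frame['unit_id']} outside its baseline")
    if fn not in profile["functions"]:
        sev = "high" if fn in WRITE_FUNCTIONS else "low"
        alerts.append(f"[{sev}] {src} used {name}, which is not in its baseline")
    return alerts


# Constructed sample traffic: (source address, raw Modbus TCP frame)
SAMPLE_TRAFFIC = [
    ("10.20.0.10", build_request(1, 1, 3, b"\x00\x00\x00\x0a")),   # normal poll
    ("10.20.0.11", build_request(2, 1, 3, b"\x00\x00\x00\x0a")),   # historian poll
    ("10.20.0.11", build_request(3, 1, 6, b"\x00\x10\x00\x01")),   # historian writes a register
    ("10.10.5.20", build_request(4, 1, 5, b"\x00\x01\xff\x00")),   # IT host writes a coil
    ("10.20.0.10", build_request(5, 9, 3, b"\x00\x00\x00\x01")),   # server polls unknown unit 9
    ("10.10.5.20", b"\x00\x07\x00\x00\x00\x99\x01\x03"),           # bad MBAP length field
]


def run(traffic):
    """Evaluate a sequence of frames; returns {index: alerts}."""
    return {i: evaluate(src, payload) for i, (src, payload) in enumerate(traffic)}


if __name__ == "__main__":
    for i, alerts in run(SAMPLE_TRAFFIC).items():
        print(i, alerts or "ok")
```

The same structure transfers to BACnet (whose service choices play the role of function codes) and to the other protocols named above: parse the header fields the protocol actually provides, then compare who is talking, to what, and with which operations against what was seen during normal operation.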

4: Lock Down Third Party Access, Services

BMS vendors are critical to securing the system, particularly for remote access and cloud services that provide maintenance and operations support. Asset owners should establish clear responsibilities in service level agreements (SLAs) that define patching, access control, product security advisories, breach notification, and incident handling responsibilities.

5: Align Facilities, IT, Security to Tear Down Silos

Enhancing communication and alignment between facilities, IT, and security teams can help close the gaps in an organization's cybersecurity plan for protecting BMS. No single team owns cybersecurity or the cybersecurity plan; the plan should bring together facility engineers, IT staff, legal counsel, third-party vendors, and security team members to coordinate roles and responsibilities and to define an escalation process for when events or incidents occur. This collaboration ensures that BMS security is not siloed from the organization's cybersecurity plan and operations.

6: Include BMS in Risk Assessments

BMS should be included in the organization’s risk assessments, incident/emergency response tabletop exercises, and incident response plan. This requires modeling intrusion and exploitation scenarios that involve HVAC, lighting, or access control system disruptions, and exercising incident response processes and procedures for both digital and physical consequences.

Wrapping Up

BMS are not peripheral systems but are foundational to the continuous operation of data centers, sophisticated manufacturing processes, healthcare, pharmaceuticals, food production/storage, and other climate-sensitive environments. Their role in maintaining environmental stability, physical security, and life safety systems makes them critical infrastructure to be protected.

They are often excluded from an organization's cybersecurity planning because of siloing among staff, the nature of BMS communication protocols, and regulatory ambiguity. This oversight leaves BMS at risk of exploitation and attack by adversaries.

Organizations must treat BMS as part of their overall cybersecurity strategy. This means integrating them into their organization's asset inventory, risk assessments, tabletop exercises, and incident response plans. Further, it demands vendor transparency, enforcement of access controls, and collaboration between facility management, IT, and security teams. 

This is essential to ensuring the protection and continued operation of critical infrastructure sectors, including chemical; critical manufacturing; defense industrial base (DIB); energy; financial services; food and agriculture; healthcare and public health; information technology; nuclear reactors, materials, and waste; and transportation systems.

Dan Ricci
Founder, ICS Advisory Project

Dan Ricci is founder of the ICS Advisory Project, an open-source project to provide DHS CISA ICS Advisories data visualized as a dashboard to support vulnerability analysis for the OT/ICS community. He retired from the U.S. Navy after serving 21 years in the information warfare community.
