Why BMS Cybersecurity Is Now a Critical Engineering Issue

Building management systems were designed for reliability and interoperability, not security. Older BACnet, Modbus, and LON networks assumed physical security was sufficient protection — an attacker would need to be in the building to reach the control network. That assumption no longer holds. As BAS systems have migrated to IP networks, gained web interfaces for remote management, and integrated with enterprise IT systems and cloud platforms, they have become accessible from the internet — and from any device on the corporate network.

High-profile incidents have demonstrated the risk. In 2021, a threat actor accessed a Florida water treatment plant's SCADA system through remote access software and attempted to raise sodium hydroxide levels to dangerous concentrations. In 2013, attackers breached Target Corporation's network through an HVAC contractor's remote access credentials, ultimately stealing 40 million credit card numbers. Building systems are now a recognized entry point for enterprise network attacks and a direct target for operational disruption.

The OT vs. IT Security Distinction

Operational Technology (OT) security differs from Information Technology (IT) security in fundamental ways that affect how security is designed and implemented.

IT security prioritizes confidentiality (protecting data), then integrity, then availability. OT security inverts this: availability is paramount — a BAS that goes offline during a building emergency, or an HVAC system that loses control during extreme weather, creates physical consequences that a data breach does not. Patching and updates, routine in IT, are operationally risky in OT environments where controllers may run continuously for years and where a failed firmware update can take critical equipment offline.

This means OT security strategies must account for legacy equipment that cannot be patched, controllers with no authentication capability, and systems where even brief disruptions have physical consequences. Security measures must be applied around equipment that cannot be changed, not just to equipment that can be updated.

Common BAS Attack Vectors

Remote access software: VPNs, remote desktop software, and vendor-specific remote access tools are the most common entry points. Weak credentials, shared passwords, and unrevoked access for former employees or contractors are frequently exploited. The Target breach began with stolen credentials for Fazio Mechanical Services, the HVAC contractor with remote access to Target's BAS.

Flat networks: Many buildings have BAS systems on the same network segment as corporate IT devices. An attacker who compromises any device on the shared network can reach BAS controllers directly. This is the single most common and most correctable vulnerability in commercial building automation installations.

Web interfaces: Many modern BAS systems and IoT devices ship with web-accessible interfaces enabled by default, often with default credentials that are never changed. Automated internet scanners (Shodan, Censys) continuously index these devices. BAS web interfaces with default passwords appear in search results within hours of being connected to the internet.

Unencrypted protocols: Standard BACnet does not include native authentication or encryption. BACnet/IP traffic can be read and manipulated by any device on the same network segment. BACnet Secure Connect (BACnet/SC), introduced in the 2019 revision of ASHRAE 135, adds TLS encryption and certificate-based authentication, but adoption is still limited.
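To make the absence of authentication concrete, here is an added example (not code from the original article) that decodes the BVLC, NPDU and APDU headers of BACnet/IP datagrams and flags state-changing confirmed requests such as WriteProperty when they arrive from any host outside an allowlist of supervisory workstations. No header field in the frame carries a credential, so the only signal a defender has is who sent it. The sample frames, IP addresses and allowlist are constructed; the service numbers and header layout follow ASHRAE 135.

```python
from typing import List, Optional, Tuple
# Confirmed-request service choices (ASHRAE 135 clause 21) that change device state.
STATE_CHANGING = {15: "writeProperty", 16: "writePropertyMultiple",
                  17: "deviceCommunicationControl", 20: "reinitializeDevice"}
APPROVED_WRITERS = {"10.20.2.10"}   # constructed allowlist of Level 2 supervisory hosts

def decode_service(frame: bytes) -> Optional[Tuple[str, int]]:
    """Return (pdu_kind, service_choice) for a BACnet/IP datagram, else None."""
    if len(frame) < 6 or frame[0] != 0x81 or frame[1] not in (0x0A, 0x0B):
        return None                                   # not an Original-Unicast/Broadcast-NPDU
    if int.from_bytes(frame[2:4], "big") != len(frame) or frame[4] != 0x01:
        return None                                   # BVLC length or NPDU version mismatch
    control, pos = frame[5], 6                        # no header field carries a credential
    if control & 0x80:                                # network-layer message, no APDU
        return None
    try:
        if control & 0x20:                            # DNET(2) DLEN(1) DADR(DLEN)
            pos += 3 + frame[pos + 2]
        if control & 0x08:                            # SNET(2) SLEN(1) SADR(SLEN)
            pos += 3 + frame[pos + 2]
        if control & 0x20:                            # hop count follows the address fields
            pos += 1
        pdu_type = frame[pos] >> 4
        if pdu_type == 0x1:                           # Unconfirmed-Request
            return ("unconfirmed", frame[pos + 1])
        if pdu_type != 0x0:                           # acks, errors, rejects: not a request
            return None
        offset = 5 if frame[pos] & 0x08 else 3        # Confirmed-Request; SEG flag adds 2 bytes
        return ("confirmed", frame[pos + offset])
    except IndexError:                                # truncated datagram
        return None

def audit(captures: List[Tuple[str, bytes]]) -> List[str]:
    """Flag state-changing confirmed requests from hosts outside the allowlist."""
    alerts = []
    for src_ip, frame in captures:
        decoded = decode_service(frame)
        if (decoded and decoded[0] == "confirmed" and decoded[1] in STATE_CHANGING
                and src_ip not in APPROVED_WRITERS):
            alerts.append(f"{src_ip} sent {STATE_CHANGING[decoded[1]]} to a controller")
    return alerts

# Constructed sample datagrams (source IP, raw bytes); not real captures.
WRITE_PV = bytes.fromhex("810a001a 0104 0005010f 0c00800001 1955 3e4442f600003f 4908")
SAMPLE_CAPTURES = [
    ("10.30.0.55", WRITE_PV),   # WriteProperty analog-value:1 present-value, corporate host
    ("10.20.2.10", WRITE_PV),   # same request from the approved supervisory workstation
    ("10.30.0.55", bytes.fromhex("810b0008 0100 1008")),                     # Who-Is broadcast
    ("10.30.0.55", bytes.fromhex("810a0011 0104 0005010c 0c00800001 1955")),  # ReadProperty
]
```

Running `audit(SAMPLE_CAPTURES)` reports only the write from the corporate host; the same bytes from the approved workstation pass, which is exactly why the allowlist, not the protocol, is doing the work.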

Network Segmentation: The Purdue Model for BAS

The most effective structural defense for BAS cybersecurity is network segmentation — separating the BAS network from corporate IT networks and from the internet using firewalls, DMZs (demilitarized zones), and unidirectional security gateways.

The Purdue Model (ISA-99/IEC 62443) provides a reference architecture for industrial control system network segmentation, adapted here for building systems:

Level 0 — Field devices: Sensors, actuators, VAV boxes, fan coil units. Native communication protocols (BACnet MS/TP, Modbus RTU, LON). No direct network connection from this level to IT networks.

Level 1 — Controllers: DDC controllers, PLCs, field panels. Communicate with Level 0 devices via field bus and with Level 2 via BACnet/IP or other supervisory protocols. Should be on isolated, dedicated network segments.

Level 2 — Supervisory: BAS workstations, operator interfaces, historian servers. These communicate downward to Level 1 controllers and should be separated from Level 3 by a firewall.

Level 3 — Site operations: Building operations servers, reporting systems, analytics platforms. This level forms the DMZ between the OT and IT networks. Remote access for BAS vendors should terminate here, never directly at Level 1 or 2.

Level 4+ — Enterprise IT: Corporate network, internet. Should have no direct connection to Levels 0–2. Data transfer between OT and IT should be one-directional where possible (data flows from OT to IT for reporting; commands do not flow from IT to OT).
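As an added illustration (not part of the original article), the following policy check encodes the adapted Purdue rules above for one site: adjacent levels only, a protocol allowlist per level pair, data flowing OT to IT but not commands IT to OT, and remote access that must land on a DMZ jump host before anything can reach Level 2. The subnets, the jump host address and the port numbers are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed addressing plan for one site (an assumption, not from the article).
# Level 0 field devices live on MS/TP and Modbus RTU buses and have no IP address.
LEVEL_NETS = {
    1: ip_network("10.20.1.0/24"),   # DDC controllers, field panels
    2: ip_network("10.20.2.0/24"),   # BAS workstations, historian
    3: ip_network("10.20.3.0/24"),   # site operations / OT-IT DMZ
    4: ip_network("10.30.0.0/16"),   # corporate IT
}
JUMP_HOST = ip_address("10.20.3.5")  # constructed jump server / PAW in the DMZ
BACNET_IP = ("udp", 47808)

# Allowlist keyed by (initiating level, responding level). Anything not listed,
# and any flow between non-adjacent levels, is denied.
ALLOWED = {
    (2, 1): {BACNET_IP},             # supervisory commands and reads
    (1, 2): {BACNET_IP},             # I-Am, COV notifications, alarms back upward
    (2, 3): {("tcp", 443)},          # historian pushes trend data to site operations
    (3, 4): {("tcp", 443)},          # reporting data flows OT -> IT, never commands
    (4, 3): {("tcp", 443)},          # vendor remote access terminates in the DMZ
    (3, 2): {("tcp", 3389)},         # operator session from the jump host only
}
JUMP_ONLY = {(4, 3): "dst", (3, 2): "src"}   # which end must be the jump host


def level_of(ip: str) -> Optional[int]:
    addr = ip_address(ip)
    return next((lvl for lvl, net in LEVEL_NETS.items() if addr in net), None)


def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for a new connection src -> dst."""
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return "deny", "address outside the documented BAS addressing plan"
    if s == d:
        return "allow", f"intra-level traffic within Level {s}"
    if abs(s - d) != 1:
        return "deny", f"Level {s} must not reach Level {d} directly (skips a level)"
    if (proto.lower(), dport) not in ALLOWED.get((s, d), set()):
        return "deny", f"{proto}/{dport} is not on the Level {s} -> Level {d} allowlist"
    side = JUMP_ONLY.get((s, d))
    if side == "dst" and ip_address(dst) != JUMP_HOST:
        return "deny", "remote access must terminate at the DMZ jump host"
    if side == "src" and ip_address(src) != JUMP_HOST:
        return "deny", "only the jump host may open sessions into Level 2"
    return "allow", f"permitted Level {s} -> Level {d} flow"
```

The same table can be translated line for line into firewall rules on the boundary between each pair of levels; the value of writing it out first is that the denials, including a corporate host reaching a controller on UDP 47808, become explicit and reviewable.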

Practical Security Measures for BAS Projects

Change all default credentials: Every BAS workstation, router, firewall, IP camera, and web-accessible device should have its default username and password changed before going live. Maintain a credential inventory and change passwords when personnel with access leave the organization.

Eliminate flat networks: Specify dedicated VLAN or physical network separation for BAS systems in new construction. For existing buildings, a network audit will typically reveal BAS devices on the corporate network — these should be migrated to a dedicated segment with firewall rules restricting traffic to only what is necessary.

Control remote access: BAS vendor remote access should use multi-factor authentication, time-limited access windows, and full session logging. Jump servers or privileged access workstations (PAWs) in the DMZ provide controlled remote access without exposing controllers directly to the internet. Audit active remote access accounts regularly.

Disable unnecessary services: BAS devices often run unnecessary services (FTP, Telnet, HTTP) by default. Disable any service not required for operation. Change web interface ports from defaults. Remove or disable unused network interfaces.

Asset inventory: Maintain an accurate inventory of all BAS devices — IP addresses, MAC addresses, firmware versions, and last-patched dates. You cannot protect what you cannot see. ASHRAE Guideline 13 (Specifying Building Automation Systems) recommends an OT asset inventory as part of BAS commissioning.
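An added example, not from the article or from ASHRAE Guideline 13, showing how an inventory of the kind described can be audited against the measures above: devices outside the dedicated BAS segments (the flat-network finding), stale patch dates, unneeded services still enabled, and unchanged default credentials. The inventory rows, subnets, MAC addresses and thresholds are constructed.

```python
import csv
from datetime import date
from io import StringIO
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed thresholds and segments (assumptions, not from the article).
BAS_SEGMENTS = [ip_network("10.20.1.0/24"), ip_network("10.20.2.0/24")]
MAX_PATCH_AGE_DAYS = 365
UNNEEDED_SERVICES = {"ftp", "telnet", "http"}   # services the measures above say to disable
TODAY = date(2024, 6, 1)                         # fixed so the findings are reproducible

# Constructed inventory rows; the columns are the ones an OT asset inventory should hold.
INVENTORY_CSV = """\
hostname,ip,mac,firmware,last_patched,services,default_creds_changed
ahu1-ctrl,10.20.1.11,00:11:22:33:44:01,4.2.1,2024-01-15,bacnet,yes
vav-east-07,10.20.1.42,00:11:22:33:44:02,3.9.0,2022-03-02,bacnet;http,yes
chiller-pnl,10.30.12.8,00:11:22:33:44:03,2.1.7,2021-11-20,bacnet;telnet;http,no
bas-ws01,10.20.2.10,00:11:22:33:44:04,12.0.3,2024-05-10,https;rdp,yes
"""


def audit_inventory(csv_text: str, today: date = TODAY) -> Dict[str, List[str]]:
    """Return {hostname: [findings]} for every device that breaches a measure."""
    findings: Dict[str, List[str]] = {}
    for row in csv.DictReader(StringIO(csv_text)):
        issues = []
        if not any(ip_address(row["ip"]) in seg for seg in BAS_SEGMENTS):
            issues.append(f"{row['ip']} is outside the dedicated BAS segments (flat network)")
        age = (today - date.fromisoformat(row["last_patched"])).days
        if age > MAX_PATCH_AGE_DAYS:
            issues.append(f"firmware {row['firmware']} last patched {age} days ago")
        exposed = UNNEEDED_SERVICES & set(row["services"].split(";"))
        if exposed:
            issues.append("unnecessary services enabled: " + ", ".join(sorted(exposed)))
        if row["default_creds_changed"].strip().lower() != "yes":
            issues.append("default credentials still in place")
        if issues:
            findings[row["hostname"]] = issues
    return findings
```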

BACnet Secure Connect (BACnet/SC)

BACnet/SC, standardized in ASHRAE 135-2020 Addendum bj, adds TLS 1.3 encryption and X.509 certificate-based authentication to BACnet/IP. It replaces the unencrypted BACnet/IP protocol for IP-connected devices while maintaining backward compatibility with existing BACnet object models and services.

BACnet/SC uses a hub-and-spoke topology where devices connect to primary and failover connection hubs via WebSocket connections. This allows BACnet/SC to traverse firewalls and NAT more easily than standard BACnet/IP while providing encrypted, authenticated communication. Adoption is growing in new equipment, but most existing installed BAS devices do not support BACnet/SC and will require protocol translation gateways.