Vulnerability Management
Risk Management
Operational Resilience
Operational Technology

Reducing the Cybersecurity Risks of Connected BMS

Alessio Rosas / Mar 10, 2025

Building management systems (BMS) are the brains behind the automated functions that keep a modern building in working order, efficient, and safe. Think of them as the central nervous system for a building’s technical systems built on a collection of sensors, controllers, actuators, communication and network protocols, and central management systems. BMS, also known as building automation systems, oversee functions such as HVAC, lighting control, energy management, fire detection and suppression, surveillance and physical security systems, elevators, and water management. 

These systems are increasingly being connected online, and the data they produce is analyzed to improve efficiency and cost effectiveness, among other things. Each connection to the internet, however, introduces a new risk. Attackers looking for an entry point onto an internal network or to disrupt operations within a building could target a vulnerability in an internet-facing system and put the physical safety of occupants (or patients at a hospital, for example) at risk.

More systems being connected means more points of failure, and more opportunities for intrusions. Some industries are at greater risk than others, including:

  • Education: Universities and schools using BMS for HVAC and security.

  • Government & Industry: Public institutions and industrial plants use BMS for a multitude of purposes, including security. 

  • Healthcare: Hospitals rely on stable environmental controls. 

  • Hospitality & Residential: Hotels and apartments using smart automation.

Let’s look at some of the new threats and risks introduced by connected BMS. 

Cybersecurity Threats, Risks Posed by Connected BMS

Unsecured Remote Access

Many BMS allow remote monitoring and control via the internet. If these systems are not properly secured, attackers can access them remotely. Hackers can manipulate temperature settings, disable alarms, or even lock or unlock doors remotely.

IoT Device Vulnerabilities 

Modern BMS rely on IoT sensors and smart devices to collect data and automate building functions. These devices often lack robust security measures. If an IoT sensor is compromised, it can be used as an entry point into the entire BMS, allowing attackers to manipulate HVAC, lighting, or security systems. 

Weak or Default Credentials 

Many BMS devices ship with factory-set usernames and passwords (e.g., “admin/admin”) that are often never changed. Cybercriminals can scan the internet for exposed BMS devices and gain instant access if weak/default credentials are used. 

Lack of Network Segmentation 

Insecure BMS are often connected to the same network as corporate IT systems, rather than being isolated. If a BMS is compromised, hackers can move laterally into financial systems, confidential data, or even critical infrastructure such as power grids or industrial controls. 

Unpatched Software & Outdated Systems 

Many BMS are not updated regularly, leaving them vulnerable to known exploits. Attackers can exploit known vulnerabilities in old software versions to take control of the system or install malware. 

Man-in-the-Middle (MitM) Attacks 

Many BMS use unencrypted communication protocols (e.g., BACnet, Modbus) to exchange data between devices. If these transmissions are intercepted, attackers can alter commands in real-time. A hacker could send false commands, such as turning off fire suppression systems or unlocking building doors. 

Ransomware & Targeted Cyber Attacks 

Some critical infrastructure and industrial facilities rely on BMS for environmental control. Cybercriminals are increasingly targeting BMS with ransomware. Attackers could shut down HVAC systems, disrupt factory operations, or even disable security cameras, demanding payment to restore control.

Supply Chain Vulnerabilities 

Many BMS components come from third-party vendors. If one of these vendors suffers a breach, hackers may exploit vulnerabilities before patches are available. Attackers could plant malware or backdoors in BMS software updates, compromising thousands of buildings at once. 

Connected BMS Exposure in Europe

Now that we have explained what BMS are, and what risks and threats connectivity introduces, let’s put some percentages behind BMS connectivity in major European markets. 

The increasing internet connectivity of building management systems across Europe can present serious security concerns. Using OSINT search engines Shodan, Censys, and Fofa, we conducted a detailed analysis of BACnet protocol devices, which are widely used in industrial, commercial, and public infrastructure. Our focus was particularly on Tridium Niagara devices, a popular choice for integrating and managing BMS environments. 

The highest percentages of exposed BACnet-enabled BMS devices are in the following countries: 

  • France (17.0%) 

  • Germany (16.1%) 

  • United Kingdom (15.2%) 

  • Sweden (10.5%) 

  • Netherlands (6.5%) 

  • Ireland (5.9%) 

  • Italy (4.7%) 

These results indicate that BMS devices are widely deployed across Western and Northern Europe, where industrial automation and smart buildings are more prevalent. These numbers illustrate connectivity, and not necessarily risk or vulnerability.

Key findings include:

  • Siemens Building Technologies (21.5%): The largest share of connected BACnet-enabled devices. 

  • Xiamen Milesight IoT (13.3%): A significant portion of devices belong to this IoT manufacturer, often used in smart buildings. 

  • AB Regin (7.1%) and SAUTER (6.6%): Companies specializing in automation solutions for HVAC and BMS. 

  • Tridium (3.4%): A notable focus in our research, as Tridium Niagara devices are widely deployed in critical infrastructure and commercial buildings. 

  • Other vendors include Schneider Electric, Delta Controls, Distech Controls, and Honeywell, all major players in the BMS market. 

How to Secure BMS Systems 

To mitigate risks, organizations must adopt strong cybersecurity measures, including:

Network Segmentation: Keep BMS Separate from Critical IT Infrastructure 

The core principle here is isolation. BMS networks, often designed with operational efficiency in mind, frequently lack robust security. By segmenting them, you create a "demilitarized zone" (DMZ) that limits the blast radius of a potential breach. 

Segmentation is crucial because attackers who gain access to a less secure BMS can use it as a stepping stone to infiltrate more sensitive IT systems (e.g., financial data, customer records). Segmentation prevents this. By isolating the BMS, you minimize the number of entry points an attacker can exploit. Isolation also works in the other direction: a compromise in the IT network won't necessarily disrupt critical building functions like HVAC, lighting, or security.

Strong Authentication: Use Multifactor Authentication, Strong Passwords

Default credentials and weak passwords are a major vulnerability in BMS. Implementing MFA adds a layer of security, requiring users to provide multiple forms of identification (e.g., password, fingerprint, mobile code). MFA and strong passwords also go a long way toward preventing credential stuffing and brute-force attacks, which rely on guessing or stealing usernames and passwords; MFA makes them significantly harder. These controls also mitigate insider threats: even trusted employees can make mistakes or be compromised, and MFA can mitigate the damage.

Firewalls & VPNs: Prevent Direct Internet Exposure 

Many older BMS devices were not designed for internet connectivity, yet they are often exposed due to convenience. Firewalls and VPNs act as gatekeepers, controlling and encrypting network traffic. VPNs create secure, encrypted tunnels for remote access, protecting sensitive data from eavesdropping, and are crucial as remote access demands grow. Intrusion prevention systems and firewalls can also block unauthorized access attempts and malicious traffic. Users should also block unneeded ports, and use secure modern protocols that reduce the attack surface.
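
As an added example (not part of the original article), the following sketch audits a firewall rule set for the two controls above: segmentation of the BMS network and no direct internet exposure. The rule tuple format, the subnets, and the rule names are constructed assumptions; the ports are the well-known defaults for BACnet/IP, Modbus/TCP, and Tridium Niagara Fox.

```python
import ipaddress

# Well-known default ports for the BMS protocols and platform this article names.
BMS_PORTS = {
    ("udp", 47808): "BACnet/IP",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 1911): "Niagara Fox",
    ("tcp", 4911): "Niagara Fox over TLS",
}

# Assumption: the BMS VLAN, plus the VPN/jump-host subnet allowed to reach it.
BMS_NET = ipaddress.ip_network("10.50.0.0/24")
TRUSTED_SOURCES = [BMS_NET, ipaddress.ip_network("10.60.0.0/28")]

# Constructed sample rules: (name, action, source CIDR, dest CIDR, proto, port)
RULES = [
    ("vendor-remote", "allow", "0.0.0.0/0", "10.50.0.10/32", "udp", 47808),
    ("it-to-plc", "allow", "10.10.0.0/16", "10.50.0.0/24", "tcp", 502),
    ("vpn-to-niagara", "allow", "10.60.0.0/28", "10.50.0.20/32", "tcp", 4911),
    ("bms-internal", "allow", "10.50.0.0/24", "10.50.0.0/24", "udp", 47808),
    ("web-dmz", "allow", "0.0.0.0/0", "10.20.0.5/32", "tcp", 443),
    ("block-fox", "deny", "0.0.0.0/0", "10.50.0.0/24", "tcp", 1911),
]

def audit(rules):
    """Return (rule, protocol, severity) for allow rules that open BMS
    protocol ports on the BMS network to sources outside the trusted set."""
    findings = []
    for name, action, src, dst, proto, port in rules:
        protocol = BMS_PORTS.get((proto, port))
        if action != "allow" or protocol is None:
            continue  # deny rules and non-BMS ports are out of scope
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if not dst_net.overlaps(BMS_NET):
            continue  # destination is not in the BMS segment
        if any(src_net.subnet_of(t) for t in TRUSTED_SOURCES):
            continue  # source is the BMS VLAN itself or the VPN subnet
        severity = "internet-exposed" if src_net.prefixlen == 0 else "cross-zone"
        findings.append((name, protocol, severity))
    return findings

if __name__ == "__main__":
    for name, protocol, severity in audit(RULES):
        print(f"{severity:17} {protocol:22} rule={name}")
```

The audit looks at each rule in isolation and does not model first-match ordering, so an earlier deny may already shadow a flagged allow.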

Regular Updates & Patch Management: Close Security Loopholes

BMS devices often run on embedded systems with outdated software, making them vulnerable to known exploits. Patch management involves regularly applying software updates to fix these vulnerabilities, including zero-day threats.

Security Monitoring, Threat Detection: Continuously Analyze Network Activity

Proactive monitoring is essential for detecting and responding to security incidents. Security information and event management (SIEM) systems and intrusion detection systems (IDS) can analyze network traffic and logs for suspicious activity to improve early detection, incident response, and anomaly detection.
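
As an added example (not part of the original article), this sketch shows the kind of check an IDS can run on unencrypted Modbus/TCP traffic: it parses the request header and alerts on state-changing write commands from hosts that are not expected to issue them. The host addresses, the allowlist, and the captured payloads are constructed assumptions.

```python
import struct

# Modbus function codes that change device state.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Assumption: the only host expected to issue writes (the BMS supervisor).
AUTHORIZED_MASTERS = {"10.50.0.5"}

# Constructed sample capture: (source IP, destination IP, TCP payload)
PACKETS = [
    ("10.10.4.22", "10.50.0.31", bytes.fromhex("000100000006010300000002")),
    ("10.50.0.5", "10.50.0.31", bytes.fromhex("0002000000060106001001f4")),
    ("10.10.4.22", "10.50.0.31", bytes.fromhex("00030000000601050003ff00")),
    ("10.10.4.22", "10.50.0.31", b"GET / HTTP/1.1\r\n"),
]

def parse_request(payload: bytes):
    """Parse a Modbus/TCP request; return (unit_id, function, address) or None."""
    if len(payload) < 8:
        return None  # shorter than the 7-byte MBAP header plus function code
    _tid, proto_id, length, unit_id, func = struct.unpack(">HHHBB", payload[:8])
    if proto_id != 0 or length != len(payload) - 6:
        return None  # not Modbus, or the length field disagrees with the frame
    address = struct.unpack(">H", payload[8:10])[0] if len(payload) >= 10 else None
    return unit_id, func, address

def detect(packets):
    """Return alerts for write requests from hosts outside AUTHORIZED_MASTERS."""
    alerts = []
    for src, dst, payload in packets:
        parsed = parse_request(payload)
        if parsed is None:
            continue
        unit_id, func, address = parsed
        if func in WRITE_FUNCTIONS and src not in AUTHORIZED_MASTERS:
            alerts.append({"src": src, "dst": dst, "unit": unit_id,
                           "function": WRITE_FUNCTIONS[func], "address": address})
    return alerts

if __name__ == "__main__":
    for alert in detect(PACKETS):
        print(alert)
```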

Employee Training: Ensure Staff Understands Cybersecurity Risks

Human error is a significant factor in many security breaches. Training employees on cybersecurity best practices is essential. 

Wrapping Up

By implementing these measures, organizations can significantly improve the security of their BMS systems and protect themselves from cyberattacks. Building management systems are complex yet essential technologies for modern buildings. They are the backbone of efficient, comfortable, and safe facilities, but it's crucial to understand their components, functionalities, and potential vulnerabilities. Understanding how they work is the first step in addressing the cybersecurity challenges that surround them. The technology is constantly evolving, and building professionals need to stay informed about the latest innovations and security best practices.

Alessio Rosas
Head of OT and Cyber Threat Intelligence

Alessio has worked for more than 10 years in the field of Italian cybersecurity, ranging from consultancies to the role of Security Specialist in international companies. He specialized in industrial security, with experience in critical infrastructure and consultancy assignments abroad, as well as a period as a telecontrol specialist in a leading company in the Oil & Gas sector.

He currently holds the position of Head of the Operational Technology Business Unit and Cyber Threat Intelligence segment at Sicuranext. He focuses on emerging threats related to the OT world, engaging in research and intelligence activities. Additionally, he collaborates with various institutions, particularly in the United States, in the field of OT/ICS research.
