Most building owners think about cybersecurity the way they think about servers and email: an IT problem that lives in the server room and gets handled by whoever manages the computers. Building automation systems barely register as a concern. They run HVAC, lights, and access control. What is a hacker going to do, change the thermostat?
The answer, as a number of high-profile incidents have demonstrated, is quite a lot more than that. BAS systems have become a meaningful attack surface, and the way most of them are configured today, they are among the least-protected networked devices in any commercial facility.
Why Building Automation Systems Are a Target
The Target breach in 2013 is the case that woke up a lot of people in this industry. Attackers gained access to Target's corporate network through credentials stolen from an HVAC vendor that had remote access to the stores' building automation systems. From there, they moved laterally through the network and eventually compromised point-of-sale systems, exposing the payment card data of 40 million customers.
The building automation system did not contain the payment data. But it served as the open door.
More recently, universities have experienced ransomware attacks that entered through BAS systems and spread to academic and administrative networks. In one documented case, a university's smart vending machines and HVAC sensors were used as the initial foothold in an attack that eventually encrypted research files and demanded payment for decryption.
The common thread in these attacks is not sophisticated hacking techniques. It is basic security hygiene failures that made the BAS an easy target:
- Default credentials left unchanged. Many controllers ship with default usernames and passwords (admin/admin, or no password at all) that are publicly documented in vendor manuals. If your contractor installed controllers and did not change the defaults, those credentials are one internet search away.
- Flat network architecture. In a flat network, all devices share the same network segment. Your BAS controllers, your corporate workstations, your credit card terminals, and your IP cameras can all reach each other directly. An attacker who compromises one device can reach everything else.
- Unpatched firmware. BAS controllers run embedded operating systems and firmware that contain vulnerabilities, just like any other software. Unlike a laptop that prompts you to install updates, a BAS controller sitting in a mechanical room above a ceiling tile will run the same firmware for ten years unless someone specifically updates it.
- Direct internet exposure. We have seen controllers configured with direct internet-facing addresses so technicians can access them remotely without a VPN. That same access is available to anyone who finds the device with a port scanner.
The OT/IT Convergence Problem
Building automation systems are what the security industry calls operational technology, or OT. For decades, OT systems like BAS, industrial control systems, and utilities management platforms operated on physically separate networks from IT infrastructure. The air gap was a security feature: if the systems were not connected, they could not be attacked remotely.
That air gap is largely gone. Modern buildings demand remote access, cloud integration, energy management dashboards, and connectivity to enterprise systems. The pressure to connect BAS systems to the internet and to corporate networks is enormous, and the business reasons are legitimate.
But the security practices that protected corporate IT systems did not automatically transfer to OT systems. IT security teams often do not have visibility into the BAS network. Facilities teams often do not think about cybersecurity at all. The result is a gap that attackers are increasingly aware of and actively exploiting.
What Proper BAS Cybersecurity Looks Like
Securing a building automation system does not require exotic technology. It requires applying the same basic principles that IT security has used for years, adapted for the OT environment.
Network Segmentation
The most important architectural change you can make is putting your BAS on its own network segment, separated from corporate IT systems and from the public internet by a firewall. This is network segmentation; the firewalled buffer zone that sits between your OT systems and everything else is commonly called a demilitarized zone (DMZ).
With proper segmentation, a compromised BAS controller cannot directly reach a corporate workstation or a database server. Lateral movement, the technique attackers use to spread from an initial foothold to high-value targets, becomes far more difficult.
Your IT team or network consultant can implement this. The BAS contractor needs to be involved to ensure the segmentation does not break legitimate communication paths between field controllers and the supervisory platform.
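To make the segmentation argument concrete, here is an added example (not code from the original article or from any vendor) that runs the same traffic against two firewall policies: a flat network in which every zone can reach every other, and a segmented network with an explicit allow-list and default deny. The zone subnets, the rule set and the sample flows are all constructed for illustration; the only real constant is UDP 47808 (0xBAC0), the standard BACnet/IP port.

```python
"""Flat vs. segmented BAS network: evaluate the same flows against both policies.

Added example, not from the original article. Zone addresses, the hypothetical
rule set and the sample flows are constructed for illustration; UDP 47808
(0xBAC0) is the standard BACnet/IP port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed address plan: each zone is its own subnet behind the firewall.
ZONES = {
    "corporate":       ip_network("10.10.0.0/16"),  # workstations, servers
    "pos":             ip_network("10.20.0.0/24"),  # payment terminals
    "bas_supervisory": ip_network("10.30.0.0/24"),  # supervisory platform / JACE
    "bas_field":       ip_network("10.31.0.0/24"),  # field controllers
    "vpn_contractor":  ip_network("10.40.0.0/24"),  # addresses issued to VPN users
}
BACNET_IP_PORT = 47808


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str                 # "tcp" or "udp"
    dst_port: Optional[int]    # None = any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int


# Flat network (the "before" state): every internal zone may reach every other.
# Direct internet exposure is a separate problem and is not modelled here.
FLAT_POLICY = [Rule(s, d, p, None) for s in ZONES for d in ZONES for p in ("tcp", "udp")]

# Segmented network: explicit allow-list, everything else denied.
SEGMENTED_POLICY = [
    # Supervisory platform polls and commands field controllers over BACnet/IP.
    Rule("bas_supervisory", "bas_field", "udp", BACNET_IP_PORT),
    # Controllers answer and send COV notifications / alarms back.
    Rule("bas_field", "bas_supervisory", "udp", BACNET_IP_PORT),
    # Contractor reaches the supervisory web UI only from a VPN-issued address.
    Rule("vpn_contractor", "bas_supervisory", "tcp", 443),
    # IT monitoring may read the supervisory platform's HTTPS interface.
    Rule("corporate", "bas_supervisory", "tcp", 443),
]


def zone_of(addr: str) -> Optional[str]:
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None  # not in any known zone (e.g. the public internet)


def is_allowed(policy: List[Rule], flow: Flow) -> bool:
    """Default deny: a flow passes only if a rule matches zone pair, protocol and port."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return False
    return any(
        r.src_zone == src_zone and r.dst_zone == dst_zone and r.proto == flow.proto
        and (r.dst_port is None or r.dst_port == flow.dst_port)
        for r in policy
    )


# Constructed flows, including the lateral-movement path the article describes.
SAMPLE_FLOWS = {
    "supervisory_reads_controller":          Flow("10.30.0.10", "10.31.0.25", "udp", BACNET_IP_PORT),
    "compromised_controller_to_pos":         Flow("10.31.0.25", "10.20.0.7", "tcp", 445),
    "compromised_controller_to_workstation": Flow("10.31.0.25", "10.10.4.50", "tcp", 3389),
    "internet_to_controller":                Flow("203.0.113.9", "10.31.0.25", "udp", BACNET_IP_PORT),
    "contractor_via_vpn":                    Flow("10.40.0.12", "10.30.0.10", "tcp", 443),
}


def evaluate(policy: List[Rule]) -> Dict[str, bool]:
    return {name: is_allowed(policy, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(label)
        for name, ok in evaluate(policy).items():
            print(f"  {name:40s} {'ALLOW' if ok else 'DENY'}")
```

Under the flat policy the compromised controller reaches the payment terminal and the workstation; under the segmented policy the only traffic that leaves the field-controller zone is BACnet/IP back to the supervisory platform, which is exactly the lateral-movement restriction the section describes.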
Credential Management
Every controller, every gateway, every JACE, and every user account on your BAS should have unique, strong credentials. This means:
- Change all default manufacturer passwords during commissioning. This is not optional.
- Create individual user accounts for each person who needs access. Do not use shared accounts.
- Implement role-based access control: operators should be able to acknowledge alarms and adjust setpoints, but not modify programming. Programming access should require a higher privilege level with stricter authentication.
- Disable or remove accounts for personnel who no longer need access.
Firmware and Software Updates
Establish a process for reviewing and applying firmware updates to your BAS controllers. Your controls contractor should be able to tell you what firmware version each controller is running and whether updates are available. Critical security patches should be applied within a reasonable timeframe after release.
This is not glamorous work, and it is often skipped because it requires downtime and careful planning. But unpatched firmware is one of the most common ways attackers gain initial access.
BACnet Secure Connect (BACnet/SC)
ASHRAE has published BACnet/SC, a newer variant of the BACnet protocol that adds TLS encryption, certificate-based authentication, and WebSocket transport. Traditional BACnet (over IP or MS/TP) sends data in the clear, meaning anyone on the same network segment can read BACnet traffic with a packet sniffer.
BACnet/SC addresses this by encrypting all communication between BACnet nodes and requiring mutual authentication before communication is established. It is not yet universally supported across all devices, but new installations and upgrades should prioritize BACnet/SC-capable equipment where possible.
VPN for Remote Access
If your controls contractor needs remote access to your BAS for monitoring or service, that access should go through a VPN, not through a direct internet-facing connection to the controller. A properly configured VPN requires authentication before establishing the tunnel and encrypts all traffic through the connection.
Direct internet exposure of BAS controllers is a configuration we find far too often, and it is correctable without significant cost or disruption.
Facilities Teams and IT Teams Have to Work Together
The biggest obstacle to BAS cybersecurity is organizational, not technical. IT teams typically have no visibility into BAS systems and no relationship with the controls contractor. Facilities teams have no background in cybersecurity and often view IT as outside their domain.
Fixing this requires intentional coordination. Facilities teams need to be included in cybersecurity planning, briefed on the risks, and given clear procedures for things like requesting firmware updates, managing user accounts, and reporting anomalies. IT teams need to extend their monitoring and patching processes to include the BAS network.
Neither team can own this problem alone. A BAS that is cybersecure is one where both teams are involved, communicating, and taking responsibility for their respective pieces.
If you are not sure where your building stands, the first step is an honest assessment: what devices are on your BAS network, how are they configured, what access controls exist, and how is the BAS network separated from the rest of your infrastructure. We can help you work through that assessment and build a realistic remediation plan.