OT Cybersecurity | 8 min read

Smart Building Cybersecurity - BMS Threats and Protection

Smart building cybersecurity - BACnet, KNX, LONworks protocols, BMS attacks, building network segmentation. IEC 62443 and NIS2 requirements.

Krzysztof Swaczyński, Józef Sulwiński

Tags: smart building, BMS, BACnet, KNX, IoT, IEC 62443, NIS2

In September 2023, the Dark Angels group hit Johnson Controls with ransomware - one of the world’s largest manufacturers of HVAC systems, access control, and fire protection. Net loss: 27 million dollars. In 2025, a Claroty study found that 75% of organizations have BMS devices with publicly known exploited vulnerabilities, and 51% have those devices connected to the internet in a way that enables ransomware attacks.

Smart buildings are not just concrete and glass. They are facilities packed with automation systems - from HVAC and lighting control to video surveillance, access control, and elevator management. Each of these systems is a potential attack surface. And unlike IT systems, the consequences of an attack on a Building Management System (BMS) are not data loss - they are building evacuation, server room cooling failure, access control bypass, or lighting shutdown.

What is a Smart Building and Why It Is Vulnerable

A smart building is a facility where building automation systems (BMS - Building Management System) integrate HVAC management, lighting, access control, surveillance, elevators, and fire systems. Typical facilities include office buildings, shopping malls, hospitals, airports, data centers, and hotels.

The security problem stems from history. Building automation protocols - BACnet, KNX, LONworks - were created in the 1980s and 1990s, when functionality mattered, not cybersecurity. Initially, they communicated over dedicated wiring (copper twisted pair, bus). Ethernet and wireless connectivity were added later - which opened previously isolated systems to the outside world.

BMS Protocols - Security Status

| Protocol | Standard | Authentication | Encryption | Secure Version | Adoption Status |
|---|---|---|---|---|---|
| BACnet | ASHRAE 135 | None (BACnet/IP) | None | BACnet/SC (2020) - TLS 1.3, X.509 | Low - most installations are legacy BACnet/IP |
| KNX | EN 50090 | None (KNX Classic) | None | KNX Secure (2021) - AES-128 | Low - certification exists, adoption in installations minimal |
| LONworks | ANSI/CEA-709 | None | None | None | None - protocol considered legacy |
| Modbus TCP | Modbus.org | None | None | Modbus/TCP Security (2018) - TLS | Very low |

The pattern is the same across all protocols: standards have added security on paper, but the installed base of devices does not support it. Most buildings use devices installed 10-20 years ago, with no upgrade path.

How Attackers Exploit BMS

Internet Exposure

One of the main attack vectors is exposing BMS systems to the internet - often unintentionally. Tools such as Tenable Attack Surface Management can identify BACnet devices (UDP 47808), KNX (UDP 3671), and Modbus (TCP 502) accessible from the internet. Data from 2024 shows approximately 110,000 ICS/OT devices directly reachable from the internet, with BACnet accounting for approximately 8.9% (Forescout research).

Access to many of these systems is possible using default passwords or without any login. A 2019 incident (Safety Detective) revealed unsecured browser access to RDM BMS systems across 319 facilities globally, including ten hospitals in the United Kingdom.

BMS Integration with Corporate Networks - New Attack Vectors

Since 2019, a key shift has been the transition to cloud-managed BMS. Building operators want energy dashboards, remote diagnostics, and predictive maintenance - which requires internet connectivity. In practice, three dangerous topologies emerge:

  1. BMS controller with direct internet access - flat network, no segmentation
  2. BMS connected to the corporate network for energy reporting - risk of lateral movement to IT
  3. Cloud-managed BMS (Siemens Desigo CC, Honeywell Forge, Johnson Controls OpenBlue) - vendor cloud as the attack surface

Building systems rarely have dedicated security teams. Unlike industrial process control systems, BMS is often managed by facility management companies, for whom cybersecurity is not a core competency. This gap is visible in incident data.

Attack Examples

| Incident | Year | Target | Impact |
|---|---|---|---|
| Google Australia | 2013 | NiagaraAX BMS system - vulnerability allowing admin password readout | Compromise of Google’s Sydney headquarters |
| Target (USA) | 2013 | Entry vector through HVAC subcontractor system | Theft of 40 million payment card records |
| US Hospitals (WannaCry) | 2017 | Hospital systems including BMS | Ward closures, patient transfers |
| Johnson Controls | 2023 | Dark Angels ransomware on BMS manufacturer’s IT infrastructure | $27M in losses, data breach |
| Omni Hotels | 2024 | Room key systems, check-in, payments | Multi-day disruption to guest services |

Who Is Responsible for Smart Building Security

Responsibility for BMS security is blurred by the building lifecycle structure. Multiple stakeholders are involved in a project: the investor, general contractor, subcontractors (BMS installers, security systems integrator), and then building management, service companies, tenant IT departments, and external entities.

Key questions that should be asked at every stage:

  • Was cybersecurity considered during the BMS design phase?
  • Were security aspects taken into account when selecting devices and manufacturers?
  • Were security tests of the entire system performed during building commissioning?
  • Who verifies the security posture during the operational phase?

Protecting Smart Building Systems

Segmentation - The First Line of Defense

The IEC 62443 zones and conduits model applies to buildings just as it does to industrial plants. The BMS should reside in its own OT zone, separated from the corporate network by firewalls. Remote access to the BMS should go only through a jump server in the DMZ, never directly from the internet.

TIP

Minimum segmentation rules for a smart building: (1) BMS in a separate VLAN with a dedicated firewall, (2) no routing from BMS to the internet, (3) remote BMS access only via VPN + MFA + jump server, (4) BACnet/Modbus traffic monitoring with an IDS tool (e.g. Nozomi Guardian), (5) isolation of safety systems (fire, emergency voice, ESD) from BMS.

Protocol Hardening

For new installations, require BACnet/SC (TLS 1.3) and KNX Secure (AES-128). For existing installations, apply compensating controls: segmentation, monitoring, and access control for configuration panels.

Asset Inventory

Most BMS operators cannot list all connected devices. Asset inventory is the starting point - passive tools (Nozomi, Claroty) now support the BACnet protocol and can discover building devices without impacting their operation.
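What passive BACnet discovery relies on is the I-Am announcement that every BACnet/IP device broadcasts on UDP 47808 (in reply to Who-Is, or on start-up). The following is an added illustration, not code from this page or from Nozomi or Claroty: a decoder for BACnet/IP I-Am frames that turns a capture into a per-IP device inventory without sending anything to the devices. The IP addresses and frames are constructed for the example.

```python
import struct

def _app_tag(buf, pos):
    """Decode one application-tagged primitive: (tag number, value bytes, position after it)."""
    number, length, pos = buf[pos] >> 4, buf[pos] & 0x07, pos + 1
    if length == 5:                                   # extended length is carried in the next byte
        length, pos = buf[pos], pos + 1
    return number, buf[pos:pos + length], pos + length

def _decode(p):
    # BVLC: type 0x81, function, 16-bit total length. NPDU: version 1, control (bit 7 = network message)
    if p[0] != 0x81 or struct.unpack("!H", p[2:4])[0] != len(p) or p[4] != 0x01 or p[5] & 0x80:
        return None
    control, pos = p[5], 6
    for flag in (0x20, 0x08):                         # destination / source specifier: NET(2)+LEN(1)+ADR(LEN)
        if control & flag:
            pos += 3 + p[pos + 2]
    pos += 1 if control & 0x20 else 0                 # hop count follows a destination specifier
    if p[pos] != 0x10 or p[pos + 1] != 0x00:          # APDU type 1 (unconfirmed) + service choice 0 (I-Am)
        return None
    tag, obj, pos = _app_tag(p, pos + 2)
    obj_id = struct.unpack("!I", obj)[0]              # struct.error if the identifier is truncated
    if tag != 12 or obj_id >> 22 != 8:                # tag 12 = object identifier; type 8 = device
        return None
    _, max_apdu, pos = _app_tag(p, pos)
    _, seg, pos = _app_tag(p, pos)
    _, vendor, pos = _app_tag(p, pos)
    return {"device_instance": obj_id & 0x3FFFFF, "max_apdu": int.from_bytes(max_apdu, "big"),
            "segmentation": seg[0], "vendor_id": int.from_bytes(vendor, "big")}

def parse_i_am(payload):
    """Device fields from a BACnet/IP I-Am frame; None for any other frame or a malformed/truncated one."""
    try:
        return _decode(bytes(payload))
    except (IndexError, struct.error):
        return None

def build_inventory(packets):
    """packets: iterable of (source IP, UDP payload) -> {ip: device fields}; later I-Ams overwrite."""
    found = ((ip, parse_i_am(payload)) for ip, payload in packets)
    return {ip: dev for ip, dev in found if dev}

# Constructed sample capture (not from a real site): two I-Am frames, one Who-Is, one non-BACnet payload.
SAMPLE_CAPTURE = [
    ("10.20.30.11", bytes.fromhex("810b00180120ffff00ff1000c4020004d22205c491032105")),
    ("10.20.30.12", bytes.fromhex("810a001501001000c402030d412201e09100220104")),
    ("10.20.30.50", bytes.fromhex("810b000c0120ffff00ff1008")),
    ("10.20.30.99", bytes.fromhex("00010000000601030000000a")),
]
```

The vendor ID is the numeric identifier ASHRAE assigns to each manufacturer; feeding the same function a real capture of UDP 47808 traffic from a SPAN port yields the device register the checklist below asks for.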

Regulatory Requirements

NIS2 / KSC

The NIS2 directive covers essential entities in the energy, health, water, and digital infrastructure sectors - sectors that operate large building facilities. BMS systems in hospitals, data centers, and critical infrastructure buildings fall within scope as part of the OT attack surface. A BMS incident in a hospital (e.g. HVAC failure in an operating room) is subject to reporting within 24 hours. KSC is the Polish national transposition of the NIS2 directive.

EU Cyber Resilience Act

The CRA (adopted 2024, technical requirements effective December 2027) covers products with digital elements sold in the EU - including BMS components. Manufacturers will need to build in security by design and provide an SBOM (Software Bill of Materials).

IEC 62443

The standard is increasingly applied in the building context. Manufacturers such as SAUTER and Siemens Building Technologies publish BMS security assessments based on IEC 62443. The most relevant parts for buildings: 62443-2-1 (security program) and 62443-3-3 (system requirements, zones and conduits). An IEC 62443 audit allows you to assess BMS compliance with the standard’s requirements.

Smart Building Security Checklist

| Area | Element | Description |
|---|---|---|
| Inventory | BMS device register | List of all controllers, sensors, actuators with firmware and addresses |
| Inventory | BMS network map | Network topology identifying connections to IT and the internet |
| Segmentation | Separate BMS network | VLAN + firewall separating BMS from IT |
| Segmentation | Safety system isolation | Fire, emergency voice, ESD systems in a separate segment |
| Segmentation | No internet access | No BMS device directly reachable from the internet |
| Access | Change default passwords | Admin passwords changed on every device |
| Access | MFA for remote access | Multi-factor authentication on VPN/management portal |
| Access | Individual service accounts | No shared accounts for service companies |
| Monitoring | IDS on BMS network | BACnet/KNX/Modbus protocol monitoring (e.g. Nozomi, Claroty) |
| Monitoring | Access logs | Logging of all remote sessions and configuration changes |
| Updates | Controller firmware | Regular verification of update availability |
| Updates | SBOM | Knowledge of software components in BMS devices |
| Procedures | Incident response plan | Procedure for responding to attacks on BMS systems |
| Procedures | Change management | MOC procedure for BMS configuration changes |

Smart building security starts with asset inventory and network segmentation - and does not require replacing the entire installation. If you want to assess the security posture of BMS systems in your facility, we can conduct an IEC 62443 compliance audit or penetration testing of the building OT network.
