
In 2023, a ransomware group compromised the building management system of a large European office complex through an exposed BACnet/IP port that had been left accessible on the public internet when remote access was configured years earlier. The attack didn't start with a phishing email or a corporate network breach — it started with a BMS device that had no authentication, no VLAN segregation, and a default password that had never been changed. Within hours, the attackers had lateral access to the building's corporate network through a shared switch. The recovery cost exceeded £400,000 before lost productivity was factored in.
BMS cybersecurity is not an IT department concern that happens to touch building services. It's a building services concern that the IT department often doesn't know exists — until something goes wrong. As BMS networks become increasingly connected to corporate infrastructure, cloud platforms, and remote access systems, the attack surface of a commercial building grows substantially. This guide explains the real risks, the relevant standards, and what a secure BMS network actually looks like in practice.
Traditional IT security assumes that the devices on a network have been designed with security in mind — that they support authentication, that their software can be patched, and that they can be monitored for unusual activity. BMS field controllers were designed under none of these assumptions. A Trend IQ controller installed in 2012 was designed to communicate reliably on a closed RS-485 trunk with other Trend devices. It was not designed to defend itself against an attacker probing it from the internet.
The core vulnerabilities are structural rather than accidental. BACnet and Modbus — the two dominant protocols in commercial BMS networks — transmit data without authentication or encryption by default. Any device on the same network segment can read and write to any other device. There is no concept of "this device is not authorised to change this setpoint." Controllers are often commissioned with default credentials and never changed, because the commissioning process doesn't require it and the manufacturer defaults are widely documented online. And BMS networks are frequently not segregated from corporate IT infrastructure, because when the original system was installed a decade ago, it had no internet connectivity and network segmentation wasn't considered necessary.
The consequence is that a BMS network connected to a corporate network — even indirectly, even through a single shared switch — creates a potential lateral movement pathway. An attacker who compromises a corporate email account through a phishing attack, and who then finds that the same switch carries BMS traffic, may be able to reach building controllers that have no authentication whatsoever.
The primary international standard for operational technology security — including building automation systems — is IEC 62443. It establishes a security level framework (SL1 through SL4) for operational technology networks, including BMS; most commercial BMS installations should target SL2 as a minimum, which provides protection against intentional violation using simple means. IEC 62443 also introduces the Zones and Conduits framework — segmenting OT networks into protected zones with controlled communication pathways between them. For a BMS, a Zone and Conduit model means the field controller network, the supervisory layer, and any integration with corporate IT are treated as separate security zones, with explicitly defined and monitored pathways between them. This is the formal version of what good network design already achieves through VLAN segregation and firewall rules.
The NIST Cybersecurity Framework, widely referenced in UK public sector and healthcare specifications, provides a risk-based approach built around five functions: Identify, Protect, Detect, Respond, and Recover. Applied to a BMS, Identify means producing an accurate inventory of every device on the network and its connectivity. Protect means implementing the technical controls — VLANs, firewalls, authentication, encryption. Detect means monitoring the BMS network for anomalous activity — unexpected device connections, unusual command patterns, access outside working hours. Respond and Recover mean having documented procedures for what happens when a BMS security event occurs, including how to isolate affected systems without taking the whole building offline.
The National Cyber Security Centre's guidance for operational technology (OT) systems recommends network segmentation between BMS and corporate IT infrastructure, patch management for supervisory software, and privileged access management for remote connections — requirements that most legacy BMS installations were never designed to meet. The NCSC's guidance maps closely to the IEC 62443 Zone and Conduit model and applies directly to building automation systems.
The baseline for any BMS network connected to corporate infrastructure or the internet is VLAN segregation — placing all BMS controllers, the supervisory server, and any integration gateways on a dedicated network segment that is isolated from the corporate IT network by a firewall. Traffic between the BMS VLAN and the corporate network should be explicitly permitted only for the specific flows that are required — for example, allowing the BEMS dashboard server to receive HTTPS traffic from corporate devices, while blocking all other cross-segment communication. This is not complex to implement if it's planned from the start, but retrofitting it onto an existing flat network often requires a network redesign that buildings are reluctant to budget for.
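The Zone and Conduit allow-list described above, combined with the Detect function (flagging unexpected device connections, unusual command patterns and access outside working hours), can be checked mechanically against flow records exported from the BMS firewall or a network tap. The following is an added example, not code from the original article or from Alpha Controls: the zone addressing, the permitted conduits, the working-hours window and the `ts key=value` log format are all assumptions constructed for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Security zones (hypothetical addressing, constructed for this example).
ZONES = {"bms_field": ip_network("10.20.0.0/24"),        # controllers
         "bms_supervisory": ip_network("10.20.1.0/24"),  # BEMS/supervisory server
         "corporate": ip_network("10.10.0.0/16")}        # corporate IT
# Permitted conduits as (src_zone, dst_zone, proto, dst_port); the policy is an allow-list.
CONDUITS = {("corporate", "bms_supervisory", "tcp", 443),    # HTTPS to the dashboard only
            ("bms_supervisory", "bms_field", "udp", 47808),  # BACnet/IP supervisor -> field
            ("bms_field", "bms_supervisory", "udp", 47808)}  # replies, COV notifications
WRITE_SERVICES = {"writeProperty", "writePropertyMultiple"}
WRITE_ZONES = {"bms_supervisory", "bms_field"}  # only BMS zones may write to controllers
WORKING_HOURS = range(7, 19)                    # 07:00-18:59 (assumed site hours)

def parse_flow(line):
    """Parse one 'ISO-timestamp key=value ...' record (constructed log format)."""
    ts, *fields = line.split()
    flow = dict(f.split("=", 1) for f in fields)
    flow["ts"], flow["dport"] = datetime.fromisoformat(ts), int(flow["dport"])
    return flow

def zone_of(ip):
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "unknown")

def audit(flow):
    """Return policy findings for one flow; an empty list means the flow is clean."""
    sz, dz, findings = zone_of(flow["src"]), zone_of(flow["dst"]), []
    if sz == "unknown":
        findings.append("source address outside every defined zone")
    if sz != dz and (sz, dz, flow["proto"], flow["dport"]) not in CONDUITS:
        findings.append(f"{sz}->{dz} {flow['proto']}/{flow['dport']} is not a permitted conduit")
    if flow["service"] in WRITE_SERVICES:
        if sz not in WRITE_ZONES:
            findings.append(f"BACnet write issued from zone '{sz}'")
        if flow["ts"].hour not in WORKING_HOURS:
            findings.append(f"BACnet write at {flow['ts']:%H:%M} is outside working hours")
    return findings

def audit_log(lines):
    """Map each record that has findings to its findings (clean records are dropped)."""
    return {l: f for l in lines if (f := audit(parse_flow(l)))}

# Constructed sample records: the first two are normal, the last two should be flagged.
SAMPLE_LOG = [
    "2024-03-04T09:15:00 src=10.10.5.23 dst=10.20.1.10 proto=tcp dport=443 service=https",
    "2024-03-04T10:02:11 src=10.20.1.10 dst=10.20.0.31 proto=udp dport=47808 service=writeProperty",
    "2024-03-04T02:14:05 src=10.10.5.23 dst=10.20.0.31 proto=udp dport=47808 service=writeProperty",
    "2024-03-04T11:00:00 src=203.0.113.77 dst=10.20.0.31 proto=udp dport=47808 service=readProperty",
]
```

Running `audit_log(SAMPLE_LOG)` returns only the third and fourth records: a corporate workstation writing a setpoint directly to a field controller at 02:14 (three findings), and a read from an address outside every defined zone (two findings).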
Remote access to the BMS — for contractor access, remote monitoring, or off-site management — should be delivered exclusively through a VPN with multi-factor authentication, not through direct port forwarding of BACnet or proprietary protocols to the internet. Direct internet exposure of BACnet/IP ports is one of the most common findings on building security audits. The BACnet port (47808/UDP) is actively scanned by automated tools, and exposed devices appear in public databases like Shodan within hours of going online. This is not a theoretical risk — it is a routine attack vector.
For new BMS deployments, BACnet/SC (Secure Connect) — defined in ASHRAE Addendum bj to Standard 135 — provides TLS encryption and certificate-based authentication at the protocol level, eliminating the unauthenticated plaintext communication that characterises traditional BACnet/IP. BACnet/SC is increasingly being specified on new commercial projects, particularly where cloud connectivity is part of the design. For existing systems, VPN and VLAN controls at the network layer provide equivalent protection without requiring controller firmware upgrades.
The risks from a compromised BMS extend beyond data theft. An attacker with write access to BMS controllers can manipulate HVAC schedules, override temperature setpoints, disable fire damper controls, or interfere with access control integrations. In a healthcare or data centre environment, this can create immediate physical safety risks — not just operational disruption. In a commercial office building, a ransomware attack that encrypts the BMS supervisory server and demands payment to restore control can leave a building operator managing heating, ventilation, and access manually until the system is recovered, a process that can take days on a complex site.
The cost of a BMS security incident — including recovery, investigation, regulatory notification where personal data is involved, and reputational damage — is substantially higher than the cost of the preventive measures that would have stopped it. A VLAN redesign and firewall configuration for a mid-sized commercial building typically costs between £2,000 and £8,000 depending on the existing network infrastructure. A ransomware recovery on the same building is unlikely to cost less than £50,000, and may be significantly more.
If your BMS was installed more than five years ago and you don't know whether it's on a segregated network, the answer is almost certainly that it isn't. If your building has remote access configured for contractor use and that access is not through a VPN, that's a vulnerability that needs to be addressed now. If you're planning a BMS upgrade or a new installation, network security architecture should be in the design specification from day one — not added as an afterthought during commissioning.
Alpha Controls designs and commissions BMS networks with security architecture built in, including VLAN design, firewall rules, VPN configuration, and documentation of remote access arrangements. If you'd like a review of your existing BMS network security posture, get in touch with the team.