fnPrime
Watch this webcast tips for streamlining operations and making better use of time and resources
The Orlando show takes place Oct. 15-16. Members receive complimentary Elite Level access
MANAGEMENT TOPICS
TECHNOLOGY TOPICS
TRENDING

JOBS
PRODUCTS
EDUCATION UPCOMING
MAGAZINES
INFO
SEARCH
Job Board
Post Jobs
Are You Hiring? Post Jobs


Rising Cybersecurity Risks in Building Management Systems

Due to the interconnected and smart nature of BMS, any security vulnerabilities pose a risk for a facility’s operations.   October 2, 2025


By Jeff Wardon, Jr., Assistant Editor


Building management systems (BMS) and building automation systems (BAS) are critical tools for the modern facility manager. When integrated into a facility, they help control and streamline different systems such as HVAC, lighting, elevators, security and energy. However, due to their interconnected and smart nature, they are inherently intertwined with the facility’s IT networks and internet. This poses a vulnerability for that facility’s cybersecurity walls. 

Claroty Team82’s recent “State of CPS Security 2025” report sampled more than 467,000 BMS devices across 529 organizations and found that 75 percent of organizations have devices with known exploited vulnerabilities (KEVs). KEVs are specific security flaws in software or hardware made known to the public that are actively used by cybercriminals in real attacks. The report also found that 69 percent of the organizations have devices with confirmed KEVs used in ransomware attacks. Fifty-one percent of organizations have BMS on their networks that not only are impacted by KEVs but also have insecure internet connections. 

Additionally, many BMS rely on legacy protocols such as BACnet, Modbus and KNX without encryption. Other risks include default credentials, unsupported systems and multiple third-party remote access tools. 

Related Content: Facility Managers Share Responsibility for Cybersecurity

What this all means for facility managers is something more than a data breach, as cyberattacks on BMS can disrupt HVAC, access control and more.  The scope of impact from a cyberattack is now the entire facility, as an attack on the BMS can knock out the operations of any system. Essentially, this ultimately leads to unwanted effects such as safety hazards, financial losses and reputational damage. 

The report recommends shifting from a traditional patch-based vulnerability management to risk-based continuous threat exposure management. It also recommends a five-step framework: 

  1. Scoping: Take into account critical processes by the type of device and department 
  2. Discovery: Identify devices, granular attributes and communication 
  3. Prioritization: Implement and follow a cybersecurity framework that accounts for the business impact and exploitability of exposures 
  4. Validation: Verify that a full spectrum of exposures are real and externally vulnerable 
  5. Mobilization: Reduce risk and secure operations with actionable mitigations and remediations 

As smart buildings expand, securing BMS will become highly critical to facility operations. Facilities managers can collaborate with IT and security teams to take stock of devices, close vulnerabilities and prioritize protections. Proactive risk management is a key factor to keeping facilities safe and operational with cyberattacks on the rise. 

Jeff Wardon, Jr., is the assistant editor of the facilities market. 

Next

Read next on FacilitiesNet

New Bill on Indoor Air Quality in Education Facilities Proposed

If passed, the legislation would establish an updated nation wide assessment of IAQ in schools and childcare facilities.

NFMT Remix 2025: What You Need to Know

Education sessions and networking opportunities are among the highlights of NFMT Remix.

Facilities Management is the Hidden Career: Key Takeaways from World Workplace 2025

Facility professionals from across the globe joined together at IFMA’s World Workplace show in Minneapolis.

SeaPort Manatee Strengthens Security with Scalable, Integrated Technologies

Case Study: The Florida port has modernized its security platform to streamline access, enhance situational awareness and generate actionable data.