fnPrime


Rising Cybersecurity Risks in Building Management Systems

Because BMS are interconnected and networked, any security vulnerability in them is a risk to a facility's operations.

October 2, 2025


By Jeff Wardon, Jr., Assistant Editor


Building management systems (BMS) and building automation systems (BAS) are critical tools for the modern facility manager. When integrated into a facility, they help control and streamline systems such as HVAC, lighting, elevators, physical security and energy. Because they are interconnected and networked, however, they are intertwined with the facility's IT networks and, often, with the internet. That connectivity means a weakness in the BMS is a weakness in the facility's network perimeter, and a foothold on the BMS reaches every system it controls.

Claroty Team82's recent "State of CPS Security 2025" report sampled more than 467,000 BMS devices across 529 organizations and found that 75 percent of organizations have devices with known exploited vulnerabilities (KEVs). A KEV is a publicly disclosed flaw in software or hardware for which there is evidence of active exploitation in real attacks, as opposed to one that is merely rated severe; the KEV label is what separates "could be attacked" from "is being attacked." The report also found that 69 percent of organizations have devices with KEVs that have been used in ransomware attacks. Fifty-one percent of organizations have BMS devices on their networks that are both affected by KEVs and insecurely connected to the internet, meaning an attacker does not need a foothold inside the facility to reach them.

Additionally, many BMS rely on legacy protocols such as BACnet, Modbus and KNX in their original form, which carries neither encryption nor authentication: anyone who can reach the control network segment can read and write the same points the BMS server does. Secured variants exist (BACnet/SC, KNX Secure, Modbus/TCP Security), but the installed base largely runs the original versions. Other risks include default credentials, unsupported systems and multiple third-party remote access tools, each of which is another unmanaged path into the building network.
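To make the "no encryption or authentication" point concrete, here is an added example (not code from the article or from Claroty's report) that builds and decodes Modbus/TCP request frames and runs an allowlist check over constructed "captured" traffic. The IP addresses, register number, setpoint values and the allowlist are assumptions for illustration. It shows that a write from the BMS server and a write from an unknown host are byte-for-byte the same shape, so the only thing a controller, firewall or monitor has to tell them apart is the source address.

```python
# Added example (not code from the article or from Claroty's report): build and
# decode Modbus/TCP frames to show that the protocol has no authentication
# field, then run an allowlist check over constructed "captured" frames.
# IP addresses, register numbers, setpoints and the allowlist are assumptions.
import struct

# Function codes that change controller state (writes) vs. only read it.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
READ_FUNCTIONS = {0x01: "Read Coils", 0x03: "Read Holding Registers",
                  0x04: "Read Input Registers"}


def build_write_single_register(transaction_id, unit_id, address, value):
    """Modbus/TCP ADU = 7-byte MBAP header + PDU.
    MBAP: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id.
    PDU for function 0x06: function code, register address, 16-bit value.
    There is no field for a credential, signature or session anywhere."""
    pdu = struct.pack(">BHH", 0x06, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def build_read_holding_registers(transaction_id, unit_id, address, quantity):
    """Function 0x03 request: same MBAP header, PDU = fc, start address, count."""
    pdu = struct.pack(">BHH", 0x03, address, quantity)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_modbus_tcp(frame):
    """Decode the MBAP header and PDU of a request frame into a dict."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    info = {"transaction_id": tid, "unit_id": unit, "function_code": fc,
            "name": WRITE_FUNCTIONS.get(fc) or READ_FUNCTIONS.get(fc, "other"),
            "is_write": fc in WRITE_FUNCTIONS}
    if fc in (0x05, 0x06):                         # single writes: address, value
        info["address"], info["value"] = struct.unpack(">HH", frame[8:12])
    elif fc in (0x01, 0x03, 0x04, 0x0F, 0x10):     # reads and multi-writes: address, count
        info["address"], info["quantity"] = struct.unpack(">HH", frame[8:12])
    return info


def flag_unexpected_writes(captured, allowed_writers):
    """Return (src_ip, unit_id, address) for every write request whose source is
    not on the allowlist. `captured` is a list of (src_ip, frame_bytes) pairs.
    Because the frame itself carries no identity, the source address is the
    only thing a monitor (or a firewall ACL) has to distinguish the two."""
    alerts = []
    for src, frame in captured:
        info = parse_modbus_tcp(frame)
        if info["is_write"] and src not in allowed_writers:
            alerts.append((src, info["unit_id"], info.get("address")))
    return alerts


# Constructed traffic: the BMS server and an unknown host both write the chiller
# supply setpoint (holding register 0x0010, unit 1, value in tenths of a degree).
ALLOWED_WRITERS = {"10.10.5.2"}          # assumed address of the BMS server
CAPTURED = [
    ("10.10.5.2",  build_write_single_register(1, 1, 0x0010, 550)),
    ("10.10.5.77", build_read_holding_registers(2, 1, 0x0010, 1)),   # read: not flagged
    ("10.10.5.77", build_write_single_register(3, 1, 0x0010, 400)),  # write: flagged
]

if __name__ == "__main__":
    for src, frame in CAPTURED:
        print(src, parse_modbus_tcp(frame))
    print("unexpected writes:", flag_unexpected_writes(CAPTURED, ALLOWED_WRITERS))
```

The practical consequence is that "who is allowed to write" has to be enforced outside the protocol, by segmenting the control network and allowlisting the BMS server at a firewall or in a monitor like the one above; the controller itself will accept the rogue setpoint as readily as the legitimate one.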


For facility managers this means the consequence of a BMS compromise is not limited to a data breach: an attack on the BMS can disrupt HVAC, access control and any other system it integrates, so the scope of impact is the entire facility. The results are safety hazards, financial losses and reputational damage.

The report recommends shifting from traditional patch-based vulnerability management, which chases every CVE by severity score, to risk-based continuous threat exposure management, which ranks exposures by whether they are actually exploitable and what they would affect. It lays this out as a five-step framework: 

  1. Scoping: Identify critical processes by device type and department 
  2. Discovery: Identify devices, their granular attributes and their communications 
  3. Prioritization: Implement and follow a cybersecurity framework that accounts for the business impact and exploitability of each exposure 
  4. Validation: Verify that the full spectrum of exposures is real and externally reachable 
  5. Mobilization: Reduce risk and secure operations with actionable mitigations and remediations 
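The five steps above, carried through on a small constructed BMS inventory as an added example (not code from the article or from Claroty's report). Device names, vulnerability ids, scoring weights and the external scan result are all assumptions for illustration; the point is the shape of the exercise, including the validation step, which demotes a device that the inventory says is internet-exposed but an external scan cannot actually reach.

```python
# Added example (not code from the article or from Claroty's report): a
# risk-based triage of a constructed BMS inventory that walks the five steps
# above. Device names, vulnerability ids, scoring weights and the external
# scan result are assumptions for illustration, not values from the report.
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    dept: str
    process: str             # what the device controls
    critical: bool           # scoping: part of a critical process?
    protocols: tuple         # e.g. ("bacnet/ip",)
    internet_exposed: bool   # believed reachable from the internet (directly or via a remote-access tool)
    default_creds: bool
    end_of_support: bool
    kevs: tuple = ()         # (vuln_id, used_in_ransomware) pairs; ids are placeholders


CLEARTEXT = {"bacnet/ip", "modbus/tcp", "knx/ip"}  # no native auth/encryption as commonly deployed


def scope(inventory, critical_only=True):
    """Step 1: limit the exercise to devices on critical processes."""
    return [d for d in inventory if d.critical or not critical_only]


def discover(devices):
    """Step 2: derive the granular attributes that triage needs."""
    return [{"device": d,
             "has_kev": bool(d.kevs),
             "ransomware_kev": any(used for _, used in d.kevs),
             "cleartext_protocol": bool(set(d.protocols) & CLEARTEXT)}
            for d in devices]


def prioritize(facts):
    """Step 3: rank by exploitability x business impact (weights are assumed)."""
    ranked = []
    for f in facts:
        d = f["device"]
        exploitability = (4 * f["has_kev"] + 2 * f["ransomware_kev"] + 3 * d.internet_exposed
                          + 2 * d.default_creds + f["cleartext_protocol"] + d.end_of_support)
        impact = 3 if d.critical else 1
        ranked.append((exploitability * impact, d.name))
    return sorted(ranked, reverse=True)


def validate(facts, externally_reachable):
    """Step 4: confirm claimed internet exposure against an external scan
    (here a constructed set of device names the scan actually reached)."""
    for f in facts:
        d = f["device"]
        f["confirmed_exposed"] = d.internet_exposed and d.name in externally_reachable
    return facts


def mobilize(facts):
    """Step 5: map each confirmed finding to a concrete mitigation."""
    actions = {}
    for f in facts:
        d, todo = f["device"], []
        if f["confirmed_exposed"]:
            todo.append("remove internet exposure; route access through a monitored jump host")
        if f["ransomware_kev"]:
            todo.append("patch or isolate now: KEV used in ransomware")
        elif f["has_kev"]:
            todo.append("patch or add compensating control: KEV present")
        if d.default_creds:
            todo.append("rotate default credentials")
        if f["cleartext_protocol"]:
            todo.append("segment: protocol carries no authentication or encryption")
        if d.end_of_support:
            todo.append("plan replacement: firmware no longer supported")
        actions[d.name] = todo
    return actions


# Constructed inventory for one facility.
INVENTORY = [
    Device("chiller-plc-1", "facilities", "central plant cooling", True, ("modbus/tcp",),
           True, True, False, kevs=(("example-vuln-1", True),)),
    Device("ahu-ctrl-3", "facilities", "AHU 3 ventilation", True, ("bacnet/ip",),
           False, False, True, kevs=(("example-vuln-2", False),)),
    Device("lobby-lighting", "facilities", "lobby lighting", False, ("knx/ip",),
           True, True, False),
    Device("elevator-gw-2", "facilities", "elevator dispatch", True, ("bacnet/ip",),
           True, False, False),
]
EXTERNAL_SCAN_HITS = {"chiller-plc-1"}  # constructed: the external scan reached only this one


def run_exposure_cycle(inventory=INVENTORY, scan_hits=EXTERNAL_SCAN_HITS):
    """Run all five steps and return (ranking, actions)."""
    facts = discover(scope(inventory))
    return prioritize(facts), mobilize(validate(facts, scan_hits))


if __name__ == "__main__":
    ranking, actions = run_exposure_cycle()
    for score, name in ranking:
        print(score, name, "->", actions[name])
```

Run as written, the chiller PLC (ransomware-linked KEV, confirmed internet exposure, default credentials, cleartext Modbus) lands at the top with a full remediation list, the lobby lighting drops out at scoping because it is not on a critical process, and the elevator gateway keeps only a segmentation action because the external scan did not confirm the exposure the inventory claimed. A patch-by-CVSS queue would not produce that ordering.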

As smart buildings expand, securing BMS will become increasingly critical to facility operations. Facility managers can collaborate with IT and security teams to take stock of devices, close the exposures that are actually exploitable and prioritize protections accordingly. With cyberattacks on the rise, proactive risk management is a key factor in keeping facilities safe and operational. 

Jeff Wardon, Jr., is the assistant editor of the facilities market. 
