Most UK building management systems carry real cyber risk. Claroty's 2025 global analysis of nearly half a million BMS devices found 75% of organisations have controls-network devices affected by known exploited vulnerabilities, and 51% have devices that are both linked to ransomware exploits and insecurely connected to the internet. An asset inventory, network segmentation and audited remote access close most of that gap.
An FM walks a plant room during a condition survey and finds a TeamViewer install on the BMS front-end PC that nobody remembers setting up. It went in during a call-out in 2021, when the controls contractor needed to fix a fault without driving to site. Nobody removed it afterwards. Nobody's checked the password since. On the same walk, tucked behind a riser panel, there's a 4G router wired straight into the controls network, put there by a subcontractor who needed connectivity for a commissioning job and never came back to take it out.
Neither of these things is unusual. They're the normal residue of how BMS work actually gets done on UK sites: engineers need remote access to fix things without a two-hour drive, and the fastest way to get it during a live fault is whatever tool happens to be to hand. The problem is that nobody owns the follow-up. IT doesn't know the device exists because it's not on their network. FM doesn't think of it as a security question because it's "just the heating controls." That gap between IT and FM is exactly where the risk sits.
A building management system controls plant, not spreadsheets, but it usually shares infrastructure with systems that matter to an attacker for other reasons. In a typical estate, the BMS supervisor and controllers sit on the same flat network as printers, Wi-Fi access points and sometimes corporate IT, because separating them was never part of the original design brief and nobody has revisited it since. Remote access is often whatever the controls contractor set up to support the system, which on older or smaller estates means a consumer remote-desktop tool rather than an audited VPN. Supervisor software and field controllers frequently run on default or shared credentials because changing them risks locking out an engineer who needs fast access during a fault, and unsupported legacy controllers can't be patched at all because the manufacturer has stopped issuing firmware for them.
None of this is a BMS problem in isolation. Claroty's Team82 research team analysed close to 500,000 internet-facing and network-connected BMS devices across more than 500 organisations globally for its "State of CPS Security 2025: Building Management System Exposures" report, and the headline numbers are hard to argue with: 75% of organisations have BMS devices affected by known exploited vulnerabilities, and 51% have devices that are simultaneously linked to ransomware-associated vulnerabilities and reachable from the internet. That's a global data set, not a UK-specific one, but there's no engineering reason to think a UK BMS estate looks structurally different from the rest of the developed world's stock of Trend, Siemens, Schneider and Distech installations.
Three things are moving at once. The Cyber Security and Resilience (Network and Information Systems) Bill was introduced to Parliament on 12 November 2025, has cleared the Commons, and has been before the House of Lords since 17 June 2026, with Royal Assent expected late in the year. It's still a Bill, not law, so nothing in it is enforceable yet, but its direction of travel is clear: it widens the scope of regulated "essential services" to cover managed service providers and data centres, and it gives the Secretary of State power to designate further sectors as the risk picture changes. Building operators who assume this doesn't touch them because they're not classed as critical national infrastructure should read the designation power carefully rather than assume it stays that way.
Alongside the Bill, the NCSC published version 4.0 of its Cyber Assessment Framework in 2025, and it's explicit that controls suitable for corporate IT can be inappropriate, or actively damaging, in operational technology environments: a BMS controller that reboots itself for a routine patch mid-cycle can lose control of plant, which a laptop patching overnight never will. That distinction matters because it's the excuse most FM teams have used for years to leave OT out of the security conversation entirely; NCSC is now saying the opposite, that OT needs its own tailored treatment, not exclusion.
And the protocol layer itself is catching up. BACnet/SC (Secure Connect) was published as an addendum to ANSI/ASHRAE Standard 135 and is now part of ASHRAE 135-2020, adding TLS encryption and certificate-based device authentication over a hub-and-spoke WebSocket architecture, and removing the need for BACnet Broadcast Management Devices that have historically been a soft point in BACnet networks. BACnet Testing Laboratories maintains a public list of conformance-tested BACnet/SC devices, so specifiers can check a product actually does what the datasheet claims. Vendors are moving too: Johnson Controls' Metasys 16.0, launched 29 June 2026, is marketed against IEC 62443-4-2 Security Level 2, which is a fairly direct signal that OT security has become a competitive feature rather than an afterthought.
We'll assess your controls and provide a detailed quotation with energy savings estimates.
The practical implications land in three places: insurance, procurement, and incident response. Cyber insurers are increasingly asking about OT and building systems as part of underwriting, not just corporate IT, because a BMS compromise that takes down HVAC, access control or fire interfaces is a business interruption event whether or not any data was stolen. Procurement is the second pressure point: Part L of the Building Regulations (Approved Document L Volume 2, 2021) already requires new non-domestic buildings with heating or air conditioning over 180 kW to have a building automation and control system, which means the population of connected BMS estates in the UK keeps growing by regulation, not by choice, and every one of those systems arrives with a network footprint that has to be secured from day one rather than retrofitted later. Third, incident response plans that only cover corporate IT leave a genuine gap: if the BMS goes down, who's authorised to isolate it, who has the as-built network diagram, and who can get plant back into a safe manual state while the investigation runs. Most FM contracts don't answer that question today.
At the network level, the core weakness is the flat topology: controls traffic and corporate traffic sharing the same switches and VLANs means a compromise anywhere on the LAN can reach the BMS, and a compromise of the BMS can reach everywhere else. At the controller level, the risk is a mix of default credentials that were never changed at handover and firmware that's simply too old to patch, because the manufacturer withdrew support years ago and the controller still does its job perfectly well on the mechanical side. At the supervisor level, remote access is the recurring issue: whatever tool got installed to support a fault visit, left running indefinitely, often without multi-factor authentication or any log of who connected and when. None of these are exotic attack surfaces. They're ordinary IT hygiene gaps that happen to sit on a network nobody in IT is watching.
"Nobody would bother attacking a building" assumes an attacker cares who the target is, when in practice most BMS compromises are opportunistic: an internet-connected device with a known vulnerability gets found by automated scanning, not by someone deciding your building specifically is worth their time. "Our BMS isn't connected" is usually wrong somewhere: a 4G router installed by a subcontractor, a cloud dashboard added for energy reporting, a remote-access tool left over from a service visit. And "air-gap means we're done" misunderstands what BACnet/SC and IEC 62443 alignment are actually for: they're designed to work alongside segmentation and controlled remote access, not to justify exposing controllers to the public internet or dropping network separation because the protocol is now encrypted.
The proportionate path doesn't require ripping out the BMS or treating it as an IT project overnight. It starts with an honest asset inventory: you can't defend what you haven't listed, and most estates have more connected devices than the FM team believes. From there: segment the controls network from corporate IT so a compromise on one side doesn't automatically reach the other; replace ad-hoc remote access with an audited VPN or zero-trust connection that logs who connected and when; fix default and shared credentials across supervisors and controllers; identify which legacy controllers can't be patched and either wrap them behind additional network controls or plan their replacement; and put the BMS explicitly inside the building's incident-response scope rather than leaving it as an unstated assumption. The owners who get ahead of this are the ones asking their controls contractor directly: what's connected to this network that I don't know about, who has remote access right now, and what happens to plant control if that access is compromised tomorrow.
The trigger doesn't need to be a breach. A controls refresh, a lease renewal, a new FM contract, or simply the next planned maintenance visit are all natural points to have the asset inventory and segmentation conversation, because the incremental cost of doing it as part of scheduled work is a fraction of doing it as an emergency response after an incident. If your BMS hasn't had a network review in the time it's taken the Cyber Security and Resilience Bill to move through Parliament, that's a reasonable prompt on its own.
On a recent 16-floor London office FCU controls upgrade (Trend controllers, LightFi sensors, weekend-only access to avoid disrupting occupied floors), network segregation and documented remote access were part of the handover conversation from the outset, not a bolt-on requested afterwards. That's a fair reflection of where this now sits: security has become part of how a controls upgrade gets specified and handed over, not a separate IT project that happens later or not at all.
A BMS that's been running quietly for years can still be the softest route into a building's wider network, and the fix is rarely dramatic: an inventory, some segmentation, better remote access discipline, and credentials that get changed on handover instead of forgotten. If you want a second pair of eyes on what's actually connected to your controls network, get in touch.
Specialist BMS installation, commissioning, and maintenance across London and the South East. SafeContractor Approved, BCIA Member.
Our team of building automation specialists is ready to help you optimise your building's performance and efficiency.
Get in Touch