Your building management system is a hacking target because its controllers often run on the corporate network with unchanged default credentials and unencrypted BACnet, giving attackers a soft entry point into IT systems, access control, and tenant data. Forescout research found around 75% of organisations have exploitable vulnerabilities in their operational technology.
Somewhere in your building right now, there is probably a BMS controller sitting on the network with the default username and password it shipped with five years ago. Nobody changed it during commissioning because nobody thought it mattered — it is just a controls system, not a bank. Except that controller is connected to the same network as your corporate IT systems, your access control, your fire alarm integration, and possibly your tenant data. And if someone gets into it, they do not just get to mess with the heating — they get a foothold into everything else on that network.
This is not a theoretical risk. In 2021, a water treatment facility in Oldsmar, Florida was accessed remotely through building operations software, and an attacker attempted to poison the water supply by adjusting chemical dosing levels. In 2013, Target's massive data breach — 40 million credit card numbers — started through a compromised HVAC contractor's remote access credentials. The attackers did not hack the firewalls. They walked in through the building controls.
The uncomfortable truth is that most BMS installations in the UK were designed for reliability and interoperability, not cybersecurity. The protocols are open by design, the controllers ship with known default credentials, and the networks are rarely segmented from corporate IT infrastructure. According to research from Forescout, approximately 75% of organisations have exploitable vulnerabilities in their operational technology environments, and building management systems are consistently among the least protected.
BMS cybersecurity is not about installing antivirus on a Trend controller. It is about securing the entire ecosystem: the controllers, the network they sit on, the supervisory software, the remote access pathways, the user accounts, and the integration points with other building systems.
A modern BMS typically communicates using BACnet, Modbus, or proprietary protocols over IP networks. These protocols were designed in an era when building controls networks were physically isolated — air-gapped from the internet and from corporate IT. The assumption was that if you could physically access the network, you were authorised to be there. That assumption has not been true for at least fifteen years, but most BMS architectures still operate as though it is.
BACnet, which is the dominant protocol in commercial BMS installations, has no native encryption, no authentication, and no access control. BS EN ISO 16484-5, the international standard that defines the BACnet protocol (also published as ASHRAE 135), specifies data exchange mechanisms but includes no mandatory security layer. BACnet Secure Connect (BACnet/SC), defined in Addendum bj to ASHRAE 135-2016, introduced TLS encryption and certificate-based authentication, but adoption in the field is still minimal. The vast majority of installed BACnet systems are running unencrypted on UDP port 47808, broadcasting device information to anything on the network that cares to listen.
The risk is not just about someone turning the heating off for a laugh — although that alone can cause serious commercial damage in a building with sensitive tenants or critical operations. The real risks fall into several categories.
The first is operational disruption. If an attacker can access BMS controllers, they can override setpoints, disable plant, trigger false alarms, or lock out the facilities team. In a hospital, that could mean losing temperature control in operating theatres or pharmaceutical storage. In a data centre, it could mean a cooling failure that takes servers offline. In a commercial office, it means tenant complaints, emergency callouts, and reputational damage.
The second is lateral movement. BMS networks that are not segmented from IT infrastructure give attackers a pathway into more valuable targets. The building controls system becomes the unlocked side door into the corporate network. This is exactly what happened in the Target breach — the HVAC system was the entry point, not the target.
The third is data exposure. Many modern BMS platforms run on Windows-based servers, store trend data in SQL databases, and connect to cloud dashboards. If these systems are compromised, the attacker gains access to building usage patterns, occupancy data, access schedules, and potentially tenant information. Under UK GDPR, that is a reportable data breach.
The fourth is ransomware. Building systems are increasingly being targeted by ransomware groups who understand that facilities managers will pay to restore heating, cooling, and access control — especially in hospitals, schools, and critical infrastructure. The National Cyber Security Centre (NCSC) has issued specific guidance on ransomware threats to operational technology environments, and BMS is firmly within that scope.
The most common cybersecurity failures on BMS installations are not sophisticated — they are basic hygiene issues that nobody addressed during commissioning because cybersecurity was not in the specification.
Default credentials are the single biggest vulnerability. Most BMS controllers and supervisory platforms ship with well-known default usernames and passwords. Trend 963 controllers, Siemens Desigo CC, Schneider EcoStruxure, Honeywell Niagara — they all have published default credentials that anyone can find with a five-minute internet search. If nobody changed them during commissioning, which is depressingly common, then anyone who can reach the device on the network can log in with full administrative access.
Flat network architecture is the second biggest issue. In many buildings, the BMS controllers sit on the same VLAN as the office PCs, the printers, and the guest Wi-Fi. There is no network segmentation, no firewall between the OT and IT environments, and no monitoring of traffic between them. This means that a compromised laptop on the guest Wi-Fi could potentially reach every controller in the building.
Unsecured remote access is the third major risk. During COVID, many BMS contractors set up remote access to building systems using VPNs, port forwarding, or cloud-based platforms — often as a temporary measure that became permanent. If these remote access points are not properly secured with multi-factor authentication, encrypted tunnels, and access logging, they represent an open door into the building controls network.
Unpatched supervisory software is also widespread. BMS head-end software running on Windows servers often goes years without security updates because the facilities team is afraid that patching will break the BMS application. The result is servers running outdated operating systems with known vulnerabilities, sitting on the network with no endpoint protection.
We'll assess your controls and provide a detailed quotation.
IEC 62443 is the primary international standard for industrial automation and control systems cybersecurity, and it applies directly to BMS installations. It defines security levels from SL1 (protection against casual or coincidental violation) to SL4 (protection against state-sponsored attack), and provides a framework for assessing risk, implementing controls, and maintaining security throughout the system lifecycle. Most commercial BMS installations should be targeting SL2 as a minimum — protection against intentional violation using simple means — but very few have even been assessed against this standard.
The NCSC Cyber Assessment Framework (CAF) provides UK-specific guidance for organisations that operate essential services or critical national infrastructure. While not all buildings fall into this category, the principles are directly applicable: managing security risk, protecting against cyber attack, detecting security events, and minimising the impact of incidents. The CAF is increasingly being referenced in building specifications for healthcare, government, and critical infrastructure projects.
ETSI EN 303 645, the European standard for cybersecurity of consumer IoT devices, establishes baseline security requirements including no universal default passwords, implementing a means to manage reports of vulnerabilities, keeping software updated, securely storing credentials, and communicating securely. While technically aimed at consumer IoT, the principles apply equally to building IoT devices and smart sensors that feed into BMS platforms.
BS EN ISO 16484-5, the BACnet standard, is worth understanding from a security perspective because it highlights what is not included: there is no mandatory encryption, no mandatory authentication, and no access control at the protocol level. BACnet/SC (Secure Connect) addresses this with TLS 1.3 encryption and X.509 certificate authentication, but requires controller hardware and software that supports it — which most installed base does not.
We recently assessed a multi-tenanted commercial office in central London where the BMS had been installed five years earlier by a contractor who was no longer in business. The Trend IQ4 controllers were all accessible on the corporate network with default credentials. The supervisory software was running on a Windows Server 2012 R2 machine that had not received a security update since 2019. Remote access was provided via a port-forwarded RDP connection with no multi-factor authentication. The BACnet traffic was completely unencrypted, and we could see every controller, every setpoint, and every schedule from any device on the network using a free BACnet discovery tool.
The fix was not complicated, but it required a structured approach. We changed all controller credentials and documented them securely. We worked with the client's IT team to move the BMS onto a dedicated VLAN with firewall rules restricting traffic to and from the corporate network. We replaced the port-forwarded RDP with a properly configured VPN with MFA. We updated the supervisory server operating system and applied all outstanding security patches. And we implemented network monitoring to flag unusual BACnet traffic patterns. The total cost was a fraction of what a single cyber incident would have cost — and the client's insurance broker confirmed that the improvements were necessary to maintain their cyber insurance coverage, which is a detail that surprises a lot of building owners.
A properly secured BMS installation starts with network segmentation. The OT network (controllers, field devices, BMS servers) should be on a separate VLAN from the IT network, with a firewall controlling traffic between them. Only the specific ports and protocols required for BMS operation should be permitted.
All default credentials should be changed during commissioning, documented securely, and subject to a password policy that includes regular rotation. Individual user accounts should be used rather than shared logins, so that access can be audited and revoked when staff leave.
Remote access should be provided through an encrypted VPN with multi-factor authentication, not through port forwarding or exposed web interfaces. Access should be logged, and sessions should time out after inactivity.
BACnet/SC should be specified for new installations where controller hardware supports it, providing TLS encryption and certificate-based authentication at the protocol level. For existing installations running standard BACnet/IP, network-level controls (segmentation, firewalls, monitoring) compensate for the protocol's lack of built-in security.
Supervisory software should be maintained on a supported operating system with regular security patching. Ideally, the BMS server should have endpoint protection and be included in the organisation's vulnerability management programme.
A cybersecurity assessment should be part of any BMS commissioning or upgrade project. This does not need to be a full penetration test — a structured review against IEC 62443 SL2 requirements will identify the most critical gaps and provide a prioritised remediation plan.
If your BMS was installed more than three years ago and nobody has reviewed the cybersecurity posture, it is almost certainly vulnerable. If your building has had any change in IT infrastructure — a network upgrade, a cloud migration, a new ISP — and the BMS was not included in the security review, there are likely gaps.
The triggers that should prompt immediate action are: if you do not know whether default credentials have been changed on your BMS controllers; if the BMS is on the same network as your corporate IT with no segmentation; if remote access to the BMS does not require multi-factor authentication; if the BMS supervisory server is running an unsupported operating system; or if your cyber insurance policy asks about operational technology and you cannot answer the questions.
The cost of a BMS cybersecurity assessment is typically a few thousand pounds. The cost of a cyber incident involving building systems — operational disruption, data breach notification, regulatory fines, insurance excess, reputational damage — can run into hundreds of thousands. That is not a difficult business case to make.
BMS cybersecurity is not a future problem — it is a current one. The systems are already installed, the vulnerabilities are already present, and the threat actors are already aware that building controls are soft targets. The good news is that the fixes are well understood, relatively straightforward, and do not require replacing the entire BMS. Network segmentation, credential management, secure remote access, and regular patching will address the majority of the risk.
If you are responsible for a building's controls infrastructure and you are not sure where your cybersecurity stands, a structured assessment is the right starting point. We carry out BMS cybersecurity reviews as part of our consultation and energy audit service, and we can work with your IT team to implement the remediation. If your BMS was designed for reliability but not for security — and most were — it is time to close that gap.
Get in touch with Alpha Controls to discuss a BMS cybersecurity assessment for your building, or request a quote to get started.
Specialist BMS installation, commissioning, and maintenance across London and the South East. SafeContractor Approved, BCIA Member.
Our team of building automation specialists is ready to help you optimise your building's performance and efficiency.
Get in Touch