The convergence of Building Automation and Control Systems (BACS) and smart building innovation within operational technology (OT) is helping to drive technological and environmental advances. However, it is also contributing to the emergence of significant security vulnerabilities and threats.
In this article, we outline the threats associated with the integration of BACS and smart building programs, the key security vulnerabilities observed by Kroll across the BACS industry and key mitigation strategies and best practices.
BACS oversee critical functions (Fig. 1)—such as HVAC, lighting, access control, elevators and energy management—across data centers, commercial, healthcare, financial, industrial and government facilities. A growing number of organizations around the globe are adopting smart building initiatives, enhancing BACS to align with broader business, environmental and technological objectives such as:
- Reducing energy costs to reduce operational costs
- Improving situational awareness for security and safety of employees
- Optimizing real estate and office use
- Improving corporate social responsibility (CSR) and brand value based on innovations
While this convergence enhances efficiency and intelligence, it exposes BACS to a growing number of modern and legacy cyber threats. Some real-life examples of cybersecurity incidents impacting BACS include:
- Target HVAC System Breach (2013): Attackers used a third-party HVAC vendor's remote access credentials to get into Target's internal network, ultimately resulting in the theft of millions of payment card records.
- Boston Children's Hospital HVAC Attack (2021): An attacker claimed access to the hospital's HVAC system after compromising the HVAC vendor's remote access. The attacker attempted to extort the vendor, but no ransom was paid.
- Johnson Controls Ransomware Attack (2023): Johnson Controls, a major BACS provider, suffered a ransomware attack that disrupted its operations. Although the direct impact appeared to be confined to Johnson Controls itself, the incident caused widespread concern among its customers because of the company's role in critical infrastructure, and it underscored the importance of supply chain cybersecurity for OT systems.
Key Cybersecurity Vulnerabilities Observed by Kroll Across the BACS Industry
These incidents demonstrate how vulnerabilities in BACS can jeopardize the safety of assets and employees or impact operational continuity of the organization. Below, we outline the major cybersecurity vulnerabilities that we have observed across different BACS assessments and provide strategies for mitigating risks.
- Legacy Systems with Insecure Protocols: Many BACS run on legacy platforms using communication protocols such as BACnet/IP and Modbus/TCP that carry no encryption or authentication. They were designed for interoperability and openness, so any host that can reach a controller on the network can read from it and write to it. Secure profiles exist (for example BACnet Secure Connect), but installed legacy equipment rarely supports them. In several cases, Kroll has observed BACS network devices that have outlived the vendor's published End of Life (EOL) and End of Support (EOS) dates, leaving them exposed to publicly known and actively exploited vulnerabilities for which no fix will ever ship.
- Default Credentials and Poor Authentication: BACS components are often found operating with default usernames and passwords or weak access controls. Administrative access often lacks multifactor authentication (MFA). These poor practices increase the risk of unauthorized access or escalation of privileges.
- Vendor Access and Third-Party Risks: BACS vendors and maintenance personnel often have remote access to systems for diagnostics and updates, and that access is frequently configured without strong password policies, MFA or session controls. If vendor accounts are compromised or remote access is not properly controlled, attackers can use these channels to gain administrative privileges, as the Target and Boston Children's Hospital incidents above illustrate.
- Lack of Endpoint Protection Technologies: A lack of endpoint protection and monitoring on BACS workstations, servers and Human-Machine Interfaces (HMIs) is a critical weakness in building automation environments. These endpoints serve as gateways to the control systems and are common targets for malware, ransomware and unauthorized access attempts.
- Lack of Backups and Disaster Recovery: The absence of proper backup and disaster recovery (DR) mechanisms for BACS workstations, servers and HMIs represents a significant operational and cybersecurity vulnerability. In the event of a ransomware attack, system failure or accidental configuration changes, the inability to restore these critical components can lead to prolonged outages of essential building system components.
- Lack of Patch Management and System Updates: BACS may never receive updates, or may be subject to long update and upgrade cycles with no regular patching. Known and exploitable vulnerabilities, including entries in CISA's Known Exploited Vulnerabilities (KEV) catalog, may remain unaddressed for years, providing attackers with easy entry points.
- Absence of Monitoring and Logging: Most BACS installations lack centralized logging and security event monitoring. The result is poor visibility into the environment, which severely limits incident detection and response.
Strengthening BACS: Mitigation Strategies and Best Practices
As cyber threats targeting BACS continue to evolve, organizations must adopt a proactive approach to security. Effective mitigation strategies require a combination of robust security frameworks, continuous monitoring and industry best practices tailored to OT environments.
1) Maintain Asset Inventory and Risk Assessment
Maintain accurate inventory of all BACS assets and their connectivity points. Perform a risk assessment to identify the criticality of each asset, potential threat vectors and the impact of compromise.
2) Implement Network Segregation and Segmentation
Physically or logically isolate the BACS network from enterprise IT, internet-facing services and other high-risk zones. Where remote access or data exchange with corporate systems is necessary, place a demilitarized zone (DMZ) between the two as a buffer. The DMZ houses services such as remote monitoring portals, analytics tools or integration servers that need controlled communication with both the BACS and IT networks, so that no host on the enterprise network ever talks to a controller directly.
Within the segregated BACS network, apply logical segmentation (e.g. VLANs, ACLs or internal firewalls) to separate subsystems such as HVAC, access control, lighting and elevators. This limits lateral movement and contains potential incidents.
Finally, keep the management plane for the segmentation (the management interfaces of the firewalls, switches and VLANs that enforce it) inside the OT environment, so that the controls defining the boundary cannot be reconfigured from the enterprise network.
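The zone model described in the three paragraphs above can be checked mechanically against observed traffic. The following is an added example, not Kroll's tooling or part of the original article: it assigns IP addresses to zones using a hypothetical address plan (the CIDR ranges, ports and sample flows are all constructed assumptions), encodes the allow-list (enterprise reaches BACS only through the DMZ, subsystems do not talk to each other, only the OT management zone reaches device management ports) and reports every flow the policy does not permit.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan for the zones in the text (an assumption, not from the article).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "bacs-dmz": ipaddress.ip_network("10.20.0.0/24"),
    "bacs-hvac": ipaddress.ip_network("10.20.1.0/24"),
    "bacs-access-control": ipaddress.ip_network("10.20.2.0/24"),
    "bacs-mgmt": ipaddress.ip_network("10.20.255.0/24"),  # firewall/switch management plane
}

# Permitted (src zone, dst zone, dst port); "*" matches any zone or port.
# Anything not listed is a violation: the enterprise reaches BACS only via the DMZ,
# subsystems never talk to each other, and only the OT management zone reaches SSH.
ALLOWED = [
    ("enterprise", "bacs-dmz", 443),            # users -> monitoring portal in the DMZ
    ("bacs-dmz", "bacs-hvac", 47808),           # integration server -> BACnet/IP controllers
    ("bacs-dmz", "bacs-access-control", 443),   # integration server -> access control API
    ("bacs-mgmt", "*", 22),                     # management hosts -> device management
]


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src_zone: str, dst_zone: str, port: int) -> bool:
    return any(
        s in ("*", src_zone) and d in ("*", dst_zone) and p in ("*", port)
        for s, d, p in ALLOWED
    )


@dataclass
class Conn:
    src: str
    dst: str
    dport: int


def audit(conns):
    """Return (conn, src_zone, dst_zone) for every cross-zone flow the policy forbids.
    Flows from or to an 'unknown' address never match a rule, so they are reported too."""
    violations = []
    for c in conns:
        sz, dz = zone_of(c.src), zone_of(c.dst)
        if sz == dz:
            continue  # intra-zone traffic is outside this check's scope
        if not is_allowed(sz, dz, c.dport):
            violations.append((c, sz, dz))
    return violations


# Constructed sample flows, as exported from a firewall or NetFlow collector.
SAMPLE_CONNS = [
    Conn("10.1.5.23", "10.20.0.10", 443),      # OK: user -> DMZ portal
    Conn("10.20.0.10", "10.20.1.50", 47808),   # OK: integration server -> HVAC controller
    Conn("10.1.5.23", "10.20.1.50", 47808),    # violation: enterprise host bypasses the DMZ
    Conn("10.20.1.50", "10.20.2.20", 502),     # violation: HVAC -> access control (lateral)
    Conn("10.1.5.23", "10.20.255.1", 443),     # violation: management plane reachable from IT
    Conn("10.20.255.5", "10.20.1.1", 22),      # OK: management host -> HVAC switch
]


def run_sample():
    return [(c.src, c.dst, c.dport) for c, _, _ in audit(SAMPLE_CONNS)]


if __name__ == "__main__":
    for c, sz, dz in audit(SAMPLE_CONNS):
        print(f"VIOLATION {c.src} ({sz}) -> {c.dst}:{c.dport} ({dz})")
```

Running the script on the constructed flows reports the three violations and nothing else. The same allow-list, expressed in the firewall's own syntax, is the policy the segmentation should enforce; running the check against real flow exports is a cheap way to find paths that the firewall rules do not actually block.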
3) Harden Devices and Enforce Strong Authentication
Maintain secure configurations for all endpoints. Remove or change all default credentials, enforce complex passwords, configure MFA for all administrative access and disable unused interfaces and services (e.g., telnet, FTP).
4) Implement Endpoint Protection tools
Where feasible, implement and install compatible endpoint protection tools on HMIs, workstations and servers that support and control the BACS.
5) Secure Remote Access
Implement a privileged remote access solution to consolidate and standardize remote access to BACS. Monitor and log all remote sessions.
6) Establish Patch and Vulnerability Management
Assess vulnerabilities and develop a patching schedule. Track vendor advisories for key safety and security updates to BACS components. Implement asset lifecycle management policies and processes so that outdated systems are upgraded in a timely manner rather than running past their EOL and EOS dates.
7) Physical Security
Companies generally address physical security with good perimeter controls. However, the BACS assets themselves (controllers, gateways and network equipment in mechanical rooms, risers and ceiling spaces) also need appropriate physical access control and video monitoring, because anyone who can plug into a segment carrying an unauthenticated protocol can issue commands to the devices on it.
8) Logging and Monitoring
Deploy OT-aware intrusion detection systems (e.g., Nozomi, Tenable.ot) that passively monitor the BACS network and its assets for anomalies, such as write commands from hosts that are not the supervisory servers, or new devices appearing on a controller VLAN. Integrate BACS logs into a centralized SIEM and correlate physical access logs with network anomalies, so that a configuration change on a controller can be tied to who was in the equipment room at the time.
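The "insecure protocols" weakness listed earlier and the passive monitoring recommended here meet in the same place: because a Modbus/TCP write carries no credential, the only way to tell a legitimate setpoint change from a forged one is where it came from. The following is an added example, not part of the original article and not Kroll's or any IDS vendor's code. It builds and parses raw Modbus/TCP frames to show that there is nowhere in the wire format for authentication to live, then runs a simple allow-list rule of the kind an OT IDS applies over constructed sample traffic; the addresses, register and setpoint value are assumptions.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state. Reads (FC 1-4) are left out.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def build_write_register(transaction_id: int, unit_id: int, address: int, value: int) -> bytes:
    """Build a Modbus/TCP 'Write Single Register' (FC 6) request.

    MBAP header: transaction id (2 bytes), protocol id (2, always 0),
    length (2, number of bytes that follow), unit id (1).
    PDU: function code (1), register address (2), value (2).
    There is no field for a credential, nonce or signature anywhere in the
    frame: whoever can reach TCP/502 on the controller can send it.
    """
    pdu = struct.pack(">BHH", 6, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    value: int  # register/coil value for FC 5/6; quantity for FC 3/4/15/16


def parse_modbus(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the first two PDU fields of a request."""
    if len(frame) < 12:
        raise ValueError("frame too short for a Modbus/TCP request")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("not a well-formed Modbus/TCP frame")
    fc, address, value = struct.unpack(">BHH", frame[7:12])
    return ModbusRequest(tid, uid, fc, address, value)


@dataclass
class Flow:
    src: str
    dst: str
    payload: bytes


def detect_unauthorized_writes(flows, allowed_writers):
    """Passive rule: a write function code is only expected from the allow-listed
    supervisory hosts for that controller. Returns one alert string per violation."""
    alerts = []
    for flow in flows:
        try:
            req = parse_modbus(flow.payload)
        except ValueError:
            continue  # not Modbus or truncated; a real sensor would count these separately
        if req.function in WRITE_FUNCTIONS and flow.src not in allowed_writers.get(flow.dst, set()):
            alerts.append(
                f"{flow.src} -> {flow.dst} unit {req.unit_id}: "
                f"{WRITE_FUNCTIONS[req.function]} addr {req.address} value {req.value}"
            )
    return alerts


# Constructed sample: the BMS server (10.20.0.10) legitimately sets a supply-air
# setpoint on AHU controller 10.20.1.50; an enterprise workstation (10.1.5.23) then
# sends a byte-identical frame. Nothing in the protocol distinguishes the two.
ALLOWED_WRITERS = {"10.20.1.50": {"10.20.0.10"}}
SAMPLE_FLOWS = [
    Flow("10.20.0.10", "10.20.1.50", build_write_register(1, 1, 0x0010, 720)),
    Flow("10.1.5.23", "10.20.1.50", build_write_register(2, 1, 0x0010, 720)),
    Flow("10.1.5.23", "10.20.1.50", bytes.fromhex("000300000006010300100001")),  # FC 3 read
    Flow("10.1.5.23", "10.20.1.50", b"GET / HTTP/1.1\r\n\r\n"),  # not Modbus at all
]


def run_sample():
    return detect_unauthorized_writes(SAMPLE_FLOWS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT", alert)
```

The read from the enterprise workstation is not flagged by this rule, which is deliberate: the rule is about state changes. Segmentation is what should have stopped that read in the first place, and an IDS that sees it at all is evidence that the segmentation has a hole. In a real deployment the allow-list comes from the asset inventory (which supervisory servers are supposed to write to which controllers), which is why the inventory in step 1 is a prerequisite for useful monitoring.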
9) Document and maintain backup and DR plans
Document the backup and DR plan for each BACS implementation. Maintain configuration backups and full system images sufficient to rebuild workstations, servers and HMIs from scratch, store at least one copy offline or outside the BACS network so that ransomware cannot reach it, and test restoration periodically so that recovery time is known before it is needed.
10) Incident Response
Establish incident response plans and playbooks tailored to building automation threats, including how to operate critical building functions manually while systems are being restored. Document a RACI matrix (responsible, accountable, consulted, informed) so that the necessary stakeholders across IT, facilities, security and vendors are identified in advance.
11) Train Staff to Improve Awareness
Train IT, facilities and cybersecurity teams on BACS. Include BACS scenarios in tabletop exercises and regularly update standard operating procedures.
Securing BACS: No Longer Optional
BACS are integral to the operation of facilities and to the safety of assets and employees, yet they often represent a cybersecurity blind spot. As threat actors continue to focus on critical infrastructure and interconnected systems, securing BACS is no longer optional. By implementing layered defenses such as authentication, segmentation, monitoring and response, organizations can mitigate the risks and build resilient, cyber-secure environments.
Safeguard Your BACS with Kroll
At Kroll, we draw on firsthand experience and insight from examples like those outlined above to assess your OT security posture and put in place tailored and sustainable mitigation strategies. For organizations looking to strengthen their BACS security, our experts are here to help. Contact us today to assess your OT security posture and implement tailored solutions that protect your critical infrastructure from evolving cyber threats.