Building automation systems occupy an unusual position in OT security discussions. They lack the dramatic headlines of power grid attacks or water treatment incidents, yet they are among the most widely deployed and least secured categories of operational technology. Every large commercial building, hospital, data centre, university campus, and government facility runs BAS infrastructure controlling HVAC, lighting, access control, elevators, and in healthcare facilities, critical environmental systems. Many of these systems are now IP-connected, inadequately segmented, and running software that hasn’t been patched in years.

Shodan regularly surfaces tens of thousands of BAS devices with internet-accessible management interfaces. The majority require no authentication or use default credentials. This is not theoretical exposure.

What Building Automation Systems Do

A building management system (BMS) — sometimes called a building automation system (BAS) or building controls system — integrates and controls the mechanical and electrical systems of a building:

HVAC: Heating, ventilation, and air conditioning control. In data centres, HVAC failure causes thermal shutdown of servers within minutes. In hospitals, maintaining specific temperature and humidity ranges is required for sterile environments and medication storage.

Access control: Electronic door locks, badge readers, and perimeter access systems are frequently integrated into the BMS — particularly in facilities that centralise physical and logical security management.

Fire suppression: Building automation systems often interface with fire alarm and suppression systems, though in many jurisdictions these are required to operate independently.

Lighting and power management: Energy optimisation, occupancy-based lighting, and UPS monitoring.

Environmental monitoring: Temperature, humidity, CO2 levels, pressure differentials for cleanrooms and critical environments.

The consequence of compromise is not simply data theft — it is operational disruption of a physical facility. An attacker who can manipulate HVAC setpoints in a data centre or disable access control systems has meaningful physical impact capability.

Protocol Landscape

BACnet (Building Automation and Control Networks) is the dominant standard protocol for BAS communication, standardised as ASHRAE 135 and ISO 16484-5. BACnet/IP runs natively over UDP/47808 and is frequently accessible across the network with no authentication on older deployments. BACnet does not have built-in encryption. Authentication was added in BACnet Secure Connect (BACnet/SC) but adoption is limited — most deployed infrastructure still uses the unauthenticated variant.

Modbus TCP is used extensively in older and simpler building control devices — particularly for PLCs and RTUs controlling HVAC equipment. Modbus TCP runs over TCP/502 and has no authentication or encryption. Any device that can reach the Modbus server can read or write coil and register values.

Tridium Niagara / JACE controllers are among the most common BAS integration platforms and supervisory controllers. Niagara is a Java-based application framework that aggregates multiple BAS systems. Niagara installations have been historically vulnerable — Cylance’s Project Basecamp (2012) documented significant vulnerabilities, and multiple CVEs have been published against Niagara versions since. Niagara runs a web-accessible management interface (Fox protocol) and is frequently exposed to the network with weak credentials.

LonWorks, KNX, Zigbee: Various other protocols appear in specific device categories, particularly European deployments and smart building systems. KNX IP is increasingly common for newer building installations.

The IT-OT Convergence Risk

The attack surface expansion came from convergence. Legacy BAS deployments ran on isolated serial buses — RS-485 networks physically separate from corporate IT infrastructure. The move to IP-based protocols (BACnet/IP, Modbus TCP, Niagara over IP) and the integration of BAS management into corporate networks created network paths that didn’t exist in the serial bus era.

The typical architecture of a converged facility now looks like this: a Niagara JACE controller sits on a “building network” VLAN that has routable access to the corporate LAN — because the facilities management team needs to access the BAS dashboards from their office computers. That corporate LAN has domain-joined workstations, Exchange, and access to the internet via a corporate firewall. When a ransomware affiliate compromises a workstation through phishing, they can reach the Niagara controller through the routable path that was created for convenience.

The 2013 Target breach illustrates this dynamic. Initial access was via a third-party HVAC vendor’s remote access credentials — a contractor who maintained building systems, not POS infrastructure. Lateral movement from the HVAC management network to the payment card network followed.

Hardening Priorities

Network segmentation

BAS networks should be isolated from corporate IT networks on separate VLANs with default-deny firewall rules. Permitted paths should be explicitly defined: only the specific management workstations or servers that need BAS access should have permitted routes to the BAS VLAN, and only on the required ports and protocols.

Remote access for facilities contractors — a common legitimate requirement — should go through a jump host or dedicated remote access solution, not direct VPN access to the BAS VLAN.

Where legacy BAS equipment requires network connectivity to function (supervisory controllers aggregating BACnet devices), the equipment should be on a dedicated OT segment with outbound-only internet access (for software updates) and no inbound connectivity from corporate networks.

Credential hygiene

Default credentials on BACnet controllers, Niagara JACE units, and BMS web interfaces are widely known and documented. Audit every BAS device for default credentials and change them. This sounds basic because it is — and it describes the state of the majority of deployed BAS infrastructure.

For Niagara deployments specifically, the management web interface should use TLS, enforce authentication, and use role-based access control. Niagara 4.x supports these features; older 3.x deployments do not.

Internet exposure elimination

Run a scan (Shodan or a commercial ASM tool) for your own IP ranges to determine if BAS management interfaces are internet-accessible. BACnet/UDP 47808 or Modbus TCP/502 accessible from the public internet should be treated as a critical finding requiring immediate remediation — these protocols cannot be secured at the protocol level when exposed to the internet.

Legitimate remote management requirements should be served through a properly authenticated VPN or remote access gateway, not through direct protocol exposure.

Patch management for BAS software

Niagara, Ignition, and similar BAS software platforms receive security updates that address known vulnerabilities. BAS software updates are frequently deprioritised because they require maintenance windows and vendor coordination — but running Niagara 4.0 (released 2016) on production infrastructure in 2026 means running software with multiple known exploitable vulnerabilities.

Establish a patch cadence for BAS software that mirrors the approach taken for IT infrastructure. CISA ICS advisories cover BAS platforms and should be monitored alongside ICS-CERT advisories.

Physical access control for BAS equipment

Building controllers and JACE units are typically in electrical rooms, mechanical rooms, or ceiling-mounted enclosures that are physically accessible to facilities staff and contractors. Physical access to a Niagara controller provides the same access as remote exploitation. Ensure physical access to BAS equipment is controlled and logged.

Monitoring

BAS anomaly detection is less mature than ICS monitoring for process control environments, but several approaches are applicable. Passive network monitoring of BACnet traffic — capturing object read and write operations — provides a baseline from which anomalous command patterns can be detected. Normal HVAC operation generates predictable patterns of BACnet reads; a write operation changing temperature setpoints or disabling an alarm outside of a maintenance window is detectable.

For Niagara environments, audit logs should be enabled and forwarded to a SIEM. Authentication events, configuration changes, and user privilege modifications are the highest-priority events to monitor.

The combination of network segmentation, credential remediation, internet exposure elimination, and basic monitoring addresses the majority of the realistic attack surface. None of these require new technology — they require application of existing security practice to building systems that have historically been treated as outside the security programme’s scope.

That scoping assumption is no longer defensible.

Tags
BASBMSBACnetbuilding-automationHVACaccess-controlOT-securityNiagaraTridiumIT-OT-convergence