Exposed and unaware? Smart buildings need smarter risk controls

75% of organizations have building management systems (BMS) affected by known exploited vulnerabilities (KEVs), according to Claroty.

Threats to building management systems

Digging deeper into the KEV-affected organizations, 51% are affected by KEVs that are also linked to ransomware and are insecurely connected to the internet. Within those organizations, 2% of devices contain the same level of risk, meaning that devices essential to business operations are operating at the highest level of risk exposure.

This combination of risk factors raises alarms given the widespread reliance on BMS in commercial real estate, retail, hospitality, and data center facilities to operate systems like HVAC, lighting, energy, elevators, security, and more.

Like most OT, many BMS were not built with internet connectivity in mind, much less support for cybersecurity. They communicate using legacy systems that do not natively support encryption.

Attackers may also find BMS devices still using default or hardcoded credentials, making unauthorized access easier. Using tools like Shodan, attackers can find internet-connected systems and launch brute-force attacks to break in and move laterally across networks.

Many BMS devices have been in place for years and may no longer be supported by their vendors. As a result, some software or firmware vulnerabilities remain unpatched because manufacturers have stopped providing updates for older devices.

Third-party access introduces additional risk. Vendors often use their own remote access tools, many of which lack key security features like MFA. A recent report found that over half of organizations use four or more remote access tools, some use as many as 16.

Rethinking building management systems risk management

The exposure of these devices offers adversaries easily accessible entry points, potentially leading to costly and dangerous disruptions. The findings in the report show the need for protection of these systems to be given greater priority, especially as they are brought online for operational and business reasons such as remote management and analytics.

By adopting an exposure management approach tailored to the unique needs of cyber-physical systems (CPS) environments, organizations can identify, assess, and prioritize their riskiest devices, saving valuable time and resources.

“Oftentimes, BMS and building automation systems (BAS) are being operationalized on the network without thinking about the cybersecurity implications,” said Grant Geyer, Chief Strategy Officer at Claroty. “What’s being gained in efficiency and convenience might be coming at a real risk if not effectively secured—for instance, the cooling of data centers or refrigeration of perishable goods in retail, which are critical systems to abruptly be taken offline if compromised.”

Organizations embracing digital transformation and taking steps to secure BMS when bringing it online have the opportunity to integrate the measurement of business impact and safeguard the operational criticality of those devices.

By understanding the full context of those systems they can reduce risk and avoid the highly consequential disruptions that might come from their failure. As buildings get “smarter,” organizations need to adopt a security framework that presents cybersecurity decision-makers and asset owners with a true assessment of their security posture, as well as a remediation plan tailored for action by risk management teams and understandable by executives.