Most building management systems exposed to cyber vulnerabilities, experts warn
Three out of four companies have building management systems vulnerable to hacking or cyberattack, according to a new research paper by Claroty, a cyber-physical systems protection company. More than half of affected organizations had systems insecurely connected to the internet with known exploited vulnerabilities that were linked to ransomware, it said.
The report studied over 467,000 building management systems across 500 organizations. Within those organizations, 2% of devices essential to business operations were operating at the highest level of risk exposure, according to the report.
The high exposure level of these devices provides malicious cyber actors with easily accessible entry points that “leave the door open to costly and potentially dangerous disruptions,” Claroty said Wednesday in a release. This combination of risk factors is concerning due to the widespread reliance on these systems to operate HVAC, lighting, energy, security and other systems in commercial real estate, retail, hospitality and data center facilities, the company said.
Many building management systems are old and were not built with internet connectivity in mind. As a result, some may no longer be supported by their respective vendors, meaning vulnerabilities remain unpatched, Claroty says.
While these systems were previously operated independently by facilities management staff, they are now more commonly connected and integrated using advanced building management and building automation systems, according to the report. But the benefits of connecting operational technologies and Internet-of-Things devices to the internet come with “very clear cybersecurity tradeoffs if not properly managed,” Claroty says.
Third-party access provides another set of risks, with many vendors bringing in their own remote access technologies that may not be enterprise-grade or support security features like multifactor authentication, Claroty says.
For facilities managers working to meet occupier demand for high-tech amenities, integrating vendor technologies can present trouble, according to Tom Karounos, global head of building technology at Tishman Speyer.
“You start adding these things, you add complexity from other vendors coming in and plugging things into your network, [and] you always run the risk” of a cyber attack, Karounos said during a panel at the Realcomm IBcon conference earlier this month.
Making a plan to protect your business
Organizations undertaking digital upgrades have an opportunity when bringing BMS online to measure the business impact and safeguard the operational criticality of those devices, Claroty says. They can accomplish this by adopting a security framework that provides decision-makers and asset owners with a true assessment of security, as well as a remediation plan that can assist risk management teams and is understandable by executives, the company says.
“With BMS controlling so much of modern-day CPS infrastructure, it’s critical to move from a reactive approach to a proactive strategy,” Claroty says. “Unless organizations use a comprehensive asset management solution to discover every device within a network, vulnerabilities and risks to critical assets can lurk unseen.”
The cyber-physical security firm advises a five-step action plan for this framework, including scoping, discovery, prioritization, validation and mobilization. By following these steps, operators can gain full visibility into assets and their exposure, assess the potential impact on business continuity and provide security and operations teams with information that can enable practical, non-disruptive risk reduction, per the report.
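The risk factors the report names (internet exposure, known exploited vulnerabilities, ransomware linkage, unsupported vendors, third-party remote access without MFA, business criticality) as a prioritization pass over a device inventory, added here as an illustration rather than Claroty's tooling or the report's method; the record fields, tier thresholds and sample devices are assumptions:

```python
from dataclasses import dataclass

@dataclass
class BmsDevice:
    """Constructed inventory record; field names are assumptions, not Claroty's schema."""
    name: str
    business_essential: bool            # operations depend on it (HVAC, access control, ...)
    internet_exposed: bool              # reachable from the internet without a secure gateway
    kev_linked: bool                    # carries a known exploited vulnerability
    ransomware_linked: bool = False     # that vulnerability has been used by ransomware actors
    vendor_supported: bool = True       # vendor still ships patches
    remote_access_no_mfa: bool = False  # vendor remote access tool that cannot enforce MFA

def assess(d: BmsDevice) -> tuple[int, list[str]]:
    """Return an exposure tier (0 lowest, 3 highest) and the reasons behind it.
    Tier 3 is the report's worst case: an essential device, internet-exposed, with a KEV."""
    reasons = []
    exposed_kev = d.internet_exposed and d.kev_linked
    if exposed_kev:
        reasons.append("insecurely internet-connected with a known exploited vulnerability")
        if d.ransomware_linked:
            reasons.append("vulnerability linked to ransomware")
    elif d.internet_exposed:
        reasons.append("reachable from the internet")
    elif d.kev_linked:
        reasons.append("known exploited vulnerability (internal reach only)")
    if not d.vendor_supported:
        reasons.append("no vendor support, so it will stay unpatched")
    if d.remote_access_no_mfa:
        reasons.append("third-party remote access without MFA")
    tier = (3 if d.business_essential and exposed_kev
            else 2 if exposed_kev or (d.business_essential and reasons)
            else 1 if reasons else 0)
    return tier, reasons

def prioritize(inventory: list[BmsDevice]) -> list[tuple[str, int, list[str]]]:
    """Rank devices so remediation starts with the highest tier (stable for ties)."""
    return sorted(((d.name, *assess(d)) for d in inventory), key=lambda r: r[1], reverse=True)

def exposure_summary(inventory: list[BmsDevice]) -> dict:
    """Headline figure of the kind the report gives: share of essential devices at tier 3."""
    essential = [d for d in inventory if d.business_essential]
    top = sum(1 for d in essential if assess(d)[0] == 3)
    return {"essential": len(essential), "at_top_tier": top,
            "pct_at_top_tier": round(100 * top / max(len(essential), 1), 1)}

# Constructed sample inventory; device names and attributes are made up for the example.
INVENTORY = [
    BmsDevice("hvac-controller-1", True, True, True, ransomware_linked=True, vendor_supported=False),
    BmsDevice("lighting-gw-2", False, True, False),
    BmsDevice("access-control-3", True, False, True, remote_access_no_mfa=True),
    BmsDevice("energy-meter-4", False, False, False),
]
```

Running `prioritize(INVENTORY)` puts the exposed, KEV-bearing HVAC controller first and the unexposed meter last; the reasons list is what a remediation plan would hand to operations for each device.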
Vetting vendors is especially important, according to Karounos, who says his company has a rigorous evaluation process.
“We do that on a yearly basis,” he said. “We take the vetting process very seriously, and we partner with our procurement team to keep us honest, so there’s no ambiguity there.”