In an era where buildings have become as smart as the devices in our pockets, the convergence of operational technology and information technology has transformed how we manage facilities. Building Automation Systems (BAS) now control everything from HVAC and lighting to access control and security cameras (ASHRAE Journal, “Cybersecurity for BAS,” May 2023). While these interconnected systems offer unprecedented efficiency and comfort, they’ve also created a new frontier of vulnerability that many facility managers are unprepared to defend (National Institute of Standards and Technology, 2023).

When Smart Buildings Become Easy Targets

In 2017, a casino’s high-roller database was compromised not through sophisticated hacking of their security systems, but via an internet-connected thermostat in their aquarium (Darktrace Security Report, 2018). This oft-cited case illustrates a fundamental truth: your building’s security is only as strong as its weakest connected device.

More recently, in 2022, CISA published an advisory for a vulnerability in Johnson Controls Metasys building automation systems, a product line deployed across a large number of facilities (CISA Advisory, 2022). The advisory illustrated how a single flaw in a widely deployed BAS component can expose numerous properties at once, because every site running that component inherits the same weakness until it is patched.

“What makes these attacks particularly effective is that they target systems most facility managers don’t consider part of their cybersecurity perimeter,” explains Jason Christman, VP and Chief Product Security Officer at Johnson Controls, in a personal interview conducted in March 2025. “Organizations must consider all connected systems as part of their security domain, not just traditional IT infrastructure.”


Understanding Your Attack Surface

The first step toward protection is awareness of what hackers see when they look at your building systems. Your BAS attack surface typically includes:

  1. Remote Access Points: Any system that allows offsite management or monitoring
  2. Vendor Connections: Third-party maintenance and analytics platforms
  3. IoT Devices: Smart sensors, meters, and connected equipment
  4. Integration Bridges: Systems connecting your BAS to other enterprise networks
  5. Legacy Systems: Older controllers and equipment never designed for internet connectivity

According to Honeywell’s “2023 Building Cybersecurity Report,” approximately 44% of building management systems operate with outdated software, creating numerous potential entry points for attackers (Honeywell, 2023).

Assessing Your Risk: Signs You May Be Vulnerable

How can you tell if your building systems might be at risk? Consider these warning signs:

  • Your BAS was installed or last upgraded more than five years ago
  • You can access building controls from personal devices or home networks
  • Your vendors have permanent access credentials that don’t expire
  • There’s no formal process for testing and applying security updates
  • Building systems share networks with corporate IT infrastructure with no segmentation
  • Your team lacks documented cybersecurity policies specific to building systems

A facility manager for a commercial property portfolio in Atlanta shared an instructive experience: “We had multiple contractors accessing our systems, all using the same generic login. We never thought about it until we discovered someone had been adjusting our setpoints remotely for months, causing enormous energy waste. It turned out to be a former contractor whose access was never revoked.” This type of access control failure is a common vulnerability in building systems.

Practical Protection Strategies for Non-IT Experts

The good news is that protecting your building systems doesn’t require becoming a cybersecurity expert overnight. Here are practical steps any facility management team can implement:

1. Create a Building Systems Inventory

You can’t protect what you don’t know exists. Document every connected device, controller, and access point in your BAS. For each component, record the manufacturer, model, firmware version and date, network connection (IP address and the VLAN or subnet it sits on), whether it can be reached remotely, and which user and vendor accounts can log in to it. This inventory becomes your roadmap for security planning, and it is the raw material for the access reviews and update schedule that follow.

2. Segment Your Networks

Work with IT to ensure building systems don’t share networks with corporate systems unnecessarily. “Network segmentation is like having fireproof doors in a building,” explains Fred Gordy, Director of Cybersecurity at Intelligent Buildings, in a webinar presentation on March 15, 2025. “If one area is compromised, the problem can be contained.”

3. Implement Access Control Best Practices

  • Require unique login credentials for each user and vendor
  • Implement multi-factor authentication for remote access
  • Review and purge access lists quarterly
  • Create role-based permissions so users only access what they need (CISA, “Cross-Sector Cybersecurity Performance Goals v1.0.1,” March 2023)

4. Develop a Firmware and Software Update Protocol

Outdated software is one of the most common entry points for attackers. Create a regular schedule to check for and apply updates, with a testing procedure to ensure updates don’t disrupt operations.
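The warning-sign checklist above and steps 1, 3 and 4 can be turned into a repeatable audit. The following is an added example written for this article, not a tool from any BAS vendor or from the article’s author: it reads a device inventory in an assumed CSV layout (the column names, the corporate subnet list, the five-year firmware threshold and the fixed audit date are all assumptions chosen for illustration) and flags, per device, each warning sign the checklist describes. The sample inventory embedded in the block is constructed.

```python
"""BAS inventory audit: flags the article's warning signs for each inventoried device.

Added example for this article, not vendor code. The CSV columns, corporate
subnets, five-year threshold and audit date are assumptions for illustration.
"""
import csv
import io
from datetime import date

# Constructed sample inventory (assumed column layout, not a real vendor export).
SAMPLE_INVENTORY = """\
device_id,manufacturer,model,firmware_date,subnet,remote_access,mfa,account,account_expires,shared_account
AHU-1,VendorA,ControllerX,2017-03-10,10.20.0.0/24,yes,no,svc-vendor,never,yes
VAV-12,VendorA,ControllerY,2023-11-02,10.20.0.0/24,no,n/a,ops-jsmith,2025-12-31,no
BMS-SRV,VendorB,Supervisor,2022-06-15,10.1.0.0/24,yes,yes,ops-admin,2025-12-31,no
CAM-GW,VendorC,CamGateway,2018-08-20,10.1.0.0/24,yes,no,contractor,never,yes
"""

CORPORATE_SUBNETS = {"10.1.0.0/24"}   # assumption: the corporate IT address space
TODAY = date(2025, 3, 31)            # fixed audit date so results are reproducible
MAX_FIRMWARE_AGE_YEARS = 5           # the checklist's "more than five years" sign


def audit_device(row, today=TODAY):
    """Return a list of (severity, finding) tuples for one inventory row."""
    findings = []
    fw = date.fromisoformat(row["firmware_date"])
    age_years = (today - fw).days / 365.25
    if age_years > MAX_FIRMWARE_AGE_YEARS:
        findings.append(("high", f"firmware dated {fw} is {age_years:.1f} years old"))
    if row["subnet"] in CORPORATE_SUBNETS:
        findings.append(("high", f"sits on corporate subnet {row['subnet']} (no segmentation)"))
    if row["remote_access"] == "yes" and row["mfa"] != "yes":
        findings.append(("high", "remote access without multi-factor authentication"))
    if row["shared_account"] == "yes":
        findings.append(("medium", f"shared login '{row['account']}' (no per-user accountability)"))
    if row["account_expires"] == "never":
        findings.append(("medium", f"credential '{row['account']}' never expires"))
    return findings


def audit_inventory(csv_text, today=TODAY):
    """Audit every row; return {device_id: findings} for devices that have findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row, today)
        if findings:
            report[row["device_id"]] = findings
    return report


if __name__ == "__main__":
    for device, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for severity, message in findings:
            print(f"{device:8} {severity:6} {message}")
```

Run it as-is to see the findings for the constructed inventory; in practice, export the real inventory into the same columns and feed the high-severity findings into the update schedule and the quarterly access review. A shared or never-expiring credential surfaces as a finding on every device that uses it, which is exactly the pattern the Atlanta example above describes.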

5. Build Resilience Through Backup and Recovery

Even with the best precautions, breaches can occur. Maintain offline backups of all BAS configurations and controller programming, keep them where an attacker who has reached the building network cannot alter them, and test restoring from them periodically so you know they work before you need them. Document manual override procedures for critical systems so you can operate essential building functions during a cyber incident.
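Offline backups only help if what you restore is what you saved. The block below is an added example for this article, not part of any vendor’s backup tooling: it records a SHA-256 manifest of a backup directory and later verifies the directory against it, reporting files that are missing, altered, or unexpected. The directory layout, file names, and configuration contents are constructed for the demonstration.

```python
"""Offline backup manifest for BAS configuration exports.

Added example for this article, not vendor tooling. Builds a SHA-256 manifest
of a backup directory and verifies the directory against it before a restore.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large controller exports are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir):
    """Map each file under backup_dir (POSIX-style relative path) to its SHA-256."""
    backup_dir = Path(backup_dir)
    return {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def write_manifest(backup_dir, manifest_path):
    """Record the current backup set. Keep manifest_path off the media that holds the backups."""
    Path(manifest_path).write_text(json.dumps(build_manifest(backup_dir), indent=2, sort_keys=True))


def verify_backup(backup_dir, manifest_path):
    """Diff the backup set against its manifest; every list empty means it is safe to restore."""
    expected = json.loads(Path(manifest_path).read_text())
    actual = build_manifest(backup_dir)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "modified": sorted(n for n in expected if n in actual and actual[n] != expected[n]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def demo():
    """Constructed scenario: a clean backup set, then one altered, one deleted and one planted file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backups = root / "bas-backups"
        (backups / "ahu-1").mkdir(parents=True)
        # Sample configuration exports made up for this example, not real controller files.
        (backups / "ahu-1" / "config.xml").write_text("<config><setpoint>21.5</setpoint></config>")
        (backups / "supervisor.json").write_text('{"schedule": "weekday-0600-1800"}')
        manifest = root / "manifest.json"          # deliberately outside the backup tree
        write_manifest(backups, manifest)
        clean = verify_backup(backups, manifest)
        (backups / "ahu-1" / "config.xml").write_text("<config><setpoint>30.0</setpoint></config>")
        (backups / "supervisor.json").unlink()
        (backups / "extra.bin").write_bytes(b"\x00" * 16)
        tampered = verify_backup(backups, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("fresh backup set:", clean)
    print("after tampering: ", tampered)
```

The manifest is only as trustworthy as the place it is stored: keep it on separate media (or print the hashes and file the paper copy) that someone with access to the backup share cannot write to; otherwise an intruder who alters the backups can simply regenerate the manifest to match. Run the verification as part of every restore drill, not only during an incident.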

6. Create a Cyber Incident Response Plan

Develop clear steps to follow when suspicious activity is detected. Who should be notified? What systems should be isolated? What external resources can you call on for help? Having this plan in place turns a potential crisis into a manageable event.

Building a Culture of Cybersecurity

Perhaps the most important protection is cultivating awareness among your entire team. “The human element remains both the greatest vulnerability and strongest defense in building system security,” notes James McHale, CEO of Memoori Research, in their “Smart Buildings Security Market Report 2023.” “Organizations should implement regular cybersecurity training sessions with staff meetings, where they discuss recent trends or conduct simple tabletop exercises.”

A facility manager named Miller recounts how the team recently thwarted a potential breach when a maintenance technician received a suspicious email claiming to be from their BAS vendor, requesting remote access credentials for “emergency updates.” Because of the regular security discussions, the technician recognized the red flags and reported the attempt instead of complying.

The Path Forward: Collaboration is Key

As building systems continue to evolve, the boundaries between facilities management and IT will further blur. Forward-thinking organizations are creating cross-functional teams that bring together expertise from both domains.

“The most successful cybersecurity programs for building systems involve regular collaboration between IT security professionals and facility management teams,” says Michael Chipley, President of The PMC Group and contributor to the NIST Special Publication 800-82 (NIST, 2023). “Each brings crucial knowledge to the table—facilities teams understand the operational implications, while IT brings the technical security expertise.”

This collaboration is particularly critical when planning system upgrades or new installations. Security requirements should be included in all specifications and vendor selections, not added as an afterthought.

As our buildings become increasingly intelligent, protecting them requires an equally smart approach, one that combines technical safeguards with human vigilance. The question isn’t whether your BAS will face cyber threats, but whether you’ll be prepared when it does. By taking these practical steps today, you greatly improve the odds that your smart building remains a showcase of efficiency rather than becoming tomorrow’s cautionary tale.


Works Cited

ASHRAE Journal. “Cybersecurity for BAS.” May 2023, pp. 24-31. https://www.ashrae.org/journal

ASHRAE. “Guideline 13-2015: Specifying Building Automation Systems.” American Society of Heating, Refrigerating and Air-Conditioning Engineers, 2015.

CISA. “Cross-Sector Cybersecurity Performance Goals v1.0.1.” Cybersecurity and Infrastructure Security Agency, March 2023. https://www.cisa.gov/cross-sector-cybersecurity-performance-goals

CISA Advisory. “Johnson Controls Metasys Building Automation Systems Vulnerability.” Cybersecurity and Infrastructure Security Agency, June 2022. https://www.cisa.gov/news-events/ics-advisories/icsa-22-167-01

Darktrace Security Report. “Case Study: Smart Building Compromise Via IoT Thermostat.” March 2018. https://www.darktrace.com/blog/fish-tank-taught-us-about-iot-security

Honeywell. “2023 Building Cybersecurity Report.” Honeywell Building Technologies, June 2023. https://buildings.honeywell.com/us/en/resources/reports/building-cybersecurity-report-2023

IBM Security. “X-Force Threat Intelligence Index 2023.” IBM Corporation, February 2023. https://www.ibm.com/security/data-breach/threat-intelligence

McHale, James. “Smart Buildings Security Market Report 2023.” Memoori Research, September 2023. https://www.memoori.com/portfolio/smart-buildings-security

National Institute of Standards and Technology. “Special Publication 800-82 Rev. 3: Guide to Operational Technology Security.” U.S. Department of Commerce, September 2023. https://doi.org/10.6028/NIST.SP.800-82r3