The Importance of Cybersecurity in Building Automation Systems


In 2013, attackers used network credentials stolen from a third-party HVAC contractor to log in to a Target vendor portal, then pivoted from that foothold into the retailer's broader IT systems and ultimately its point-of-sale environment, stealing payment card data for about 40 million customers and personal information for up to 70 million. The breach remains one of the most widely cited examples of why cybersecurity in building automation systems (BAS) isn't just an IT issue; it's a facilities issue too, because the vendors who service building systems often hold network access of their own.

As smart buildings become more connected, the importance of building automation system cybersecurity grows. Modern systems control everything from HVAC and lighting to access control and energy optimization. Without adequate protection, these building control systems can become entry points for cyberattacks or internal disruptions, placing life safety, system security, and energy efficiency at risk.

Why Building Automation Systems Cybersecurity Matters

A BAS typically connects numerous subsystems (HVAC, lighting, security, and more) into a unified platform using protocols like BACnet/IP. While this integration improves efficiency and control, it also creates a larger attack surface. Outdated or misconfigured systems can expose operational technology (OT) networks to vulnerabilities that disrupt operations or jeopardize sensitive information.

Common risks include:

  • Weak or shared passwords
  • Unsegmented networks (no separation between OT and IT)
  • Lack of multifactor authentication
  • Outdated controllers with no security updates
  • Human error from untrained personnel

These vulnerabilities aren’t theoretical. In addition to high-profile breaches like Target, smaller-scale incidents occur regularly in hospitals, school districts, and local governments. For example, a university might suffer from HVAC shutdowns due to ransomware, or a municipality could experience unauthorized access to security systems through a misconfigured BAS interface.

Best Practices for Securing Your BAS

Conexus prioritizes system cybersecurity in every BAS integration. Drawing from both industry standards and lessons like the Target breach, we recommend the following best practices:

1. Change Default Passwords and Give Every User Unique Credentials

Change vendor-default passwords on controllers, supervisors, and workstations before they go on the network, and give every user and integration account its own credentials. Shared logins increase the chance of unauthorized access and make it impossible to tell who changed what. Where the platform supports it, require multifactor authentication, at least for remote and administrative access.

2. Isolate Your OT Network

Keep your building systems in a separate, secured network zone. Whether through VLANs with a firewall between the OT and IT zones or physically separate infrastructure, this segmentation prevents lateral movement from other networks (like guest Wi-Fi or corporate IT) into the controllers. Remote access for staff and vendors should come in through a VPN or jump host with its own authentication, never by exposing controller or supervisor ports directly to the internet.
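The segmentation rule above, written out as a firewall policy for the router between the IT and controller VLANs. This is an added example, not a Conexus configuration: the addresses, the two supervisory servers, and the controller subnet are assumptions chosen for illustration, and the syntax is nftables.

```nft
# /etc/nftables.conf on the Linux router/firewall between the IT and OT VLANs.
# Added example (not Conexus configuration). All addresses are assumptions.
define it_net      = 10.50.0.0/16                # corporate IT and guest Wi-Fi
define bms_servers = { 10.20.1.10, 10.20.1.11 }  # supervisory BMS servers
define ot_net      = 10.20.5.0/24                # controller VLAN
define bacnet_port = 47808                       # BACnet/IP default UDP port (0xBAC0)

table inet bas_segmentation {
    chain forward {
        # Default-deny for everything routed between zones.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows the BMS servers opened.
        ct state established,related accept

        # Only the supervisory servers may speak BACnet/IP to the controllers.
        ip saddr $bms_servers ip daddr $ot_net udp dport $bacnet_port accept

        # Anything else bound for the controller VLAN (IT hosts, guest Wi-Fi,
        # internet) is logged so it shows up in monitoring, then dropped.
        ip daddr $ot_net log prefix "BAS-DENY " drop
    }
}
```

Two points worth noting. The final log-and-drop line is redundant with the chain's drop policy but gives you a log entry for every blocked attempt, which is exactly the signal a monitoring tool should alert on. And BACnet/IP device discovery (Who-Is) relies on broadcasts that do not cross a router in any case, so the controller VLAN needs a BBMD (BACnet Broadcast Management Device) for discovery; the firewall should not be opened to pass broadcasts.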

3. Develop an Incident Response Plan

Plan ahead. If a breach occurs, your team should know exactly how to isolate affected systems, preserve logs and other evidence, and recover operations, including how to run the building manually while controllers are offline. This is especially critical in high-stakes environments like healthcare and data centers.

4. Provide Cybersecurity Training

Many breaches start with a human mistake: a phished vendor credential, a reused password, or a controller left on factory settings. Equip your staff and service providers with basic cybersecurity awareness training to minimize risky behavior.

5. Migrate from Legacy Platforms

Older BAS platforms often lack even basic security features such as encrypted communications or per-user accounts. Modern platforms like Niagara support encrypted (TLS) connections, role-based user accounts, and audit logging, which makes monitoring easier. When legacy systems must remain in place, Conexus isolates them from core networks to minimize risk.

Industry-Specific Risks and Considerations

Not all buildings face the same cybersecurity risks. Depending on the facility type, the consequences of a BAS breach can vary widely. While the core threats may be similar, the stakes and regulatory pressures often differ. Here’s how cybersecurity concerns manifest in a few key sectors:

  • Hospitals: Life safety and patient privacy are paramount. Unauthorized access to BAS could interfere with temperature-sensitive equipment or reveal operational data.
  • Schools: Student safety and system reliability are key. A cyber attack on HVAC or security systems could result in closures or emergency response.
  • Government Facilities: Often targeted for disruption or espionage. Strict access controls and auditing are essential.

In each of these settings, a breach isn’t just a technical failure—it can be a public relations crisis, a compliance issue, or a direct threat to safety.

Open vs. Proprietary Systems: A Cybersecurity Perspective

Choosing an open-protocol system (such as one built on BACnet/IP) offers more transparency and flexibility in securing your BAS. Proprietary systems, by contrast, may obscure vulnerabilities or delay critical patches, especially if you're dependent on a single vendor. One caveat: open does not mean secure by itself. Classic BACnet/IP carries no authentication or encryption, so any host that can reach a controller can read from and write to it; that is why network segmentation and access control around the protocol matter so much. BACnet Secure Connect (BACnet/SC) adds TLS-based authentication and encryption for devices that support it.

With open systems, you have the option to work with multiple service providers, review configurations more thoroughly, and apply cybersecurity best practices more consistently across all components of your building management system (BMS).

Aligning with Standards and Regulations

Cybersecurity expectations for BAS are evolving. NIST's SP 800-82 (Guide to Operational Technology Security) and the Department of Energy's Cybersecurity Capability Maturity Model (C2M2) give concrete guidance for securing OT networks, especially in critical infrastructure, and ISA/IEC 62443 defines the zone-and-conduit segmentation model for industrial control systems. Insurance companies and regulatory agencies are also beginning to assess BAS cybersecurity readiness when evaluating risk.

Monitoring the BAS network continuously, flagging unusual behavior in real time (for example, a host outside the management subnet sending write commands to controllers), and isolating suspicious traffic provide a stronger layer of security. These capabilities help facilities stay ahead of potential cyber threats and demonstrate compliance with industry standards.
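What "flagging unusual behavior" looks like in practice, as an added example that is not Conexus code or part of any BMS product: a small Python detector run over a flow log of traffic into the controller VLAN. The log format, the addresses, the split between read-only and read/write supervisory hosts, and the scan threshold are all assumptions constructed for this demo; real firewall, NetFlow or IDS logs differ in layout but carry the same fields.

```python
"""Flag BAS network traffic that violates an OT/IT segmentation policy.

Added example, not Conexus code. The log format is a hypothetical key=value
flow log constructed for this demo; real firewall, NetFlow or IDS logs differ
in layout but carry the same fields (time, source, destination, port, service).
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

BACNET_PORT = 47808  # BACnet/IP default UDP port (0xBAC0)

# Hypothetical zone policy for this example (assumption; adjust to your site).
CONTROLLER_NET = ip_network("10.20.5.0/24")                      # OT zone: field controllers
READERS = {ip_address("10.20.1.10"), ip_address("10.20.1.11")}   # hosts allowed to poll controllers
WRITERS = {ip_address("10.20.1.10")}                             # hosts allowed to change setpoints/reboot
WRITE_SERVICES = {"WriteProperty", "WritePropertyMultiple",
                  "ReinitializeDevice", "DeviceCommunicationControl"}
SCAN_THRESHOLD = 5  # distinct controllers probed by one source before we call it a scan

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+)(?: svc=(?P<svc>\S+))?$"
)

# Constructed sample log: two legitimate BMS servers, one IT workstation
# (10.50.3.77) poking at controllers, and one line that is not a flow record.
SAMPLE_LOG = """\
2024-03-02T14:00:01Z src=10.20.1.10 dst=10.20.5.21 proto=udp dport=47808 svc=ReadProperty
2024-03-02T14:00:02Z src=10.20.1.10 dst=10.20.5.21 proto=udp dport=47808 svc=WriteProperty
2024-03-02T14:00:03Z src=10.20.1.11 dst=10.20.5.22 proto=udp dport=47808 svc=ReadProperty
2024-03-02T14:00:04Z src=10.20.1.11 dst=10.20.5.22 proto=udp dport=47808 svc=WritePropertyMultiple
2024-03-02T14:00:05Z src=10.20.1.11 dst=10.20.5.22 proto=tcp dport=80
2024-03-02T14:00:06Z src=10.50.3.77 dst=10.20.5.21 proto=udp dport=47808 svc=ReadProperty
2024-03-02T14:00:07Z src=10.50.3.77 dst=10.20.5.21 proto=tcp dport=23
2024-03-02T14:00:08Z src=10.20.1.10 dst=10.20.1.11 proto=udp dport=47808 svc=Who-Is
2024-03-02T14:00:09Z src=10.50.3.77 dst=10.20.5.31 proto=udp dport=47808 svc=Who-Is
2024-03-02T14:00:10Z src=10.50.3.77 dst=10.20.5.32 proto=udp dport=47808 svc=Who-Is
2024-03-02T14:00:11Z src=10.50.3.77 dst=10.20.5.33 proto=udp dport=47808 svc=Who-Is
2024-03-02T14:00:12Z src=10.50.3.77 dst=10.20.5.34 proto=udp dport=47808 svc=Who-Is
2024-03-02T14:00:13Z src=10.50.3.77 dst=10.20.5.35 proto=udp dport=47808 svc=Who-Is
2024-03-02T14:00:14Z supervisor restarted by user admin
"""


def parse_line(line):
    """Parse one flow-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "src": ip_address(d["src"]), "dst": ip_address(d["dst"]),
            "proto": d["proto"], "dport": int(d["dport"]), "svc": d["svc"] or ""}


def detect(lines):
    """Return a list of (rule, detail) alerts for traffic entering the controller zone."""
    alerts = []
    probed = defaultdict(set)  # src -> controllers it has sent Who-Is to
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            alerts.append(("UNPARSED", raw.strip()))  # never silently drop input
            continue
        if rec["dst"] not in CONTROLLER_NET:
            continue  # only traffic into the OT zone is policed here
        where = f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']}/{rec['proto']}"
        # Rule 1: only approved BMS hosts may reach controllers at all (segmentation).
        if rec["src"] not in READERS:
            alerts.append(("SEGMENTATION", where))
        # Rule 2: approved hosts should only use the BACnet port; telnet/HTTP/SSH
        # to a controller is a management-plane exposure worth a look.
        elif rec["dport"] != BACNET_PORT:
            alerts.append(("NON_BACNET_PORT", where))
        # Rule 3: write/control services only from designated supervisory hosts.
        if rec["svc"] in WRITE_SERVICES and rec["src"] not in WRITERS:
            alerts.append(("UNAUTHORIZED_WRITE", f"{where} {rec['svc']}"))
        # Rule 4: one source discovering many controllers looks like enumeration.
        if rec["svc"] == "Who-Is":
            probed[rec["src"]].add(rec["dst"])
            if len(probed[rec["src"]]) == SCAN_THRESHOLD:
                alerts.append(("DEVICE_SCAN", f"{rec['src']} probed {SCAN_THRESHOLD} controllers"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. {'SEGMENTATION': 7, ...}."""
    return dict(Counter(rule for rule, _ in alerts))


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:<18} {detail}")
```

Run against the constructed log, the detector raises seven segmentation alerts for the IT workstation (two direct probes plus five Who-Is messages, the fifth of which also trips the device-scan rule), one unauthorized write from the read-only server, one non-BACnet connection to a controller, and one unparsed line. Rules 1 and 4 are the ones a segmentation failure produces; rules 2 and 3 catch misuse by hosts that are allowed through the firewall, which is the case no firewall rule alone will detect.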

By staying proactive, building owners can avoid falling behind these expectations and position themselves as forward-thinking stewards of occupant safety and operational resilience.

Questions to Ask Your BAS Partner

If you’re evaluating a new system or upgrading an existing one, it’s critical to go beyond functionality and ask targeted questions about how your partner approaches cybersecurity. Consider asking:

  • How do you isolate the BAS network from IT systems?
  • Do all users have unique logins and MFA?
  • How do you handle legacy systems during integration?
  • What training do you provide for facilities staff?
  • What is your incident response protocol?

These questions can help uncover hidden risks and ensure your integrator is taking cybersecurity seriously.

Cybersecurity Is Not Optional, It’s Operational

BAS cybersecurity isn’t just a technical issue; it’s a fundamental part of risk management for any facility. From hospitals and schools to government buildings and data centers, the cost of inaction can be severe.

At Conexus, we incorporate cybersecurity planning from day one—whether that means isolating networks, modernizing control systems, or training your facilities team. Our approach is rooted in transparency, client choice, and long-term support.

Ready to protect your BAS from cyber threats?
