Many people are not aware that modern buildings have changed into industrial control systems. They are now embedded with IP-based technologies and connected to controllers, sensors, and management software. This lets building owners manage their important assets at low cost and with minimal staff. A building management solution can control and monitor your building environment. BMS are used in many sectors, such as IT, banking, and commerce. Many BMS provide access through a web interface with an admin panel, from which admin staff can control the assets of their building.

Building Management System – Overview

BMSs are really useful for managing your building, but unfortunately, their web interfaces are exposed to the internet and can be accessed from anywhere. This allows threat actors to reach the BMS admin panel. It has been observed that multiple BMS are prone to basic cyber attacks. Attacks like file inclusion and command injection can let an attacker do serious harm, such as controlling building doors, cameras, and lights or stopping other important assets. As BMS have become so important for many infrastructures, managing their security is equally important. In this blog, we will look at the cybersecurity issues these BMS face and why regularly auditing their security is important.

What Is a Building Management System

A Building Management System, also called a Building Automation System, is a computer-based controller. It is used for monitoring and controlling the services and systems of a building. The picture below shows the components that can be managed through a BMS. These include sensors, fans, boilers, HVAC systems, elevators, security cameras, and card readers. Together, these make up a BMS.

BMS allow only authorized users in a building to. Many organizations, such as those in government and the health sector, use such user access control systems to allow only authorized users into their facilities. Many access control systems use electronic door access controllers; these devices can be connected to other devices like fingerprint scanners and automated gates. They can provide the functionality to manage the entire access control system from the internet.

Security of Building Management Systems

Remote access to these BMS makes a building easy to manage. As the number of internet-accessible devices increases, so does the number of BMS web interfaces. When these devices are exposed to the internet, their components can be accessed by anyone over the internet. It can take little to no effort to find vulnerabilities and exploit them, and this can impact integrity and confidentiality.

The risks associated with these attacks are: 

  • Viewing access logs to track movements
  • Manipulating the alarm function
  • Stealing personal information
  • Controlling elevator movement
  • Locking or unlocking doors remotely
  • Shutting down important services

How to Mitigate BMS Risks – OT Security Assessment

BMS environments sit at the intersection of OT and IT, controlling HVAC, access control, elevators, fire systems, and surveillance. Their growing connectivity has expanded the attack surface, making them highly vulnerable to unauthorized access, manipulation, and downtime. A compromised BMS doesn’t just disrupt operations; it can create real physical safety risks. That’s why a structured OT security assessment is essential.

OT Security Methodology

  • Asset & Architecture Discovery: Building a complete inventory of BMS components – PLCs, HMIs, controllers, sensors, workstations, and network devices.
  • Scope Definition: Identifying which subsystems (HVAC, access control, CCTV, fire systems, elevators, etc.) are included in the assessment.
  • Communication Path Review: Analyzing Ethernet, WiFi, serial, USB, and proprietary protocol channels for exposure.
  • Vulnerability Assessment: Testing web interfaces, admin consoles, network paths, and device configurations for weak authentication, default credentials, misconfigurations, and unsafe remote access.
  • Risk Evaluation: Assigning severity based on likelihood, operational impact, and cyber-physical consequences.
  • Reporting & Remediation Guidance: Providing evidence-backed findings with clear fixes, segmentation plans, and compensating controls.
  • Post-Remediation Validation: Re-testing all issues to verify complete mitigation and stability.
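
The discovery, communication-path, vulnerability and risk-evaluation steps above can be sketched as a small audit over an asset inventory. This is an added example, not Kratikal's tooling; the inventory records, field names, subsystem impact weights and severity thresholds are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges treated as "internal" sources (assumption for this example).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed cyber-physical impact per subsystem (1-5); tune to the building.
IMPACT = {"fire": 5, "access_control": 5, "elevator": 5, "hvac": 4, "cctv": 3}

# Constructed inventory: one record per BMS asset with its inbound allow rules.
INVENTORY = [
    {"name": "door-ctrl-lobby", "subsystem": "access_control", "auth": "password",
     "default_creds": True, "allow_from": ["0.0.0.0/0"]},
    {"name": "hvac-plc-roof", "subsystem": "hvac", "auth": "none",
     "default_creds": False, "allow_from": ["10.20.0.0/16"]},
    {"name": "cctv-nvr-1", "subsystem": "cctv", "auth": "password",
     "default_creds": False, "allow_from": ["192.168.50.0/24", "172.16.4.0/22"]},
    {"name": "lift-hmi-b", "subsystem": "elevator", "auth": "mfa",
     "default_creds": False, "allow_from": ["10.20.9.0/24"]},
]

def internet_reachable(asset):
    """True if any allow rule admits a source outside the internal ranges."""
    for cidr in asset["allow_from"]:
        src = ipaddress.ip_network(cidr, strict=False)
        if not any(src.subnet_of(net) for net in INTERNAL):
            return True
    return False

def assess(asset):
    """Return (findings, score, severity) for one asset."""
    findings = []
    if internet_reachable(asset):
        findings.append("management interface reachable from the internet")
    if asset["default_creds"]:
        findings.append("default credentials in use")
    if asset["auth"] == "none":
        findings.append("no authentication on admin interface")
    likelihood = min(5, 1 + 2 * len(findings))  # assumed heuristic, 1-5
    score = likelihood * IMPACT.get(asset["subsystem"], 3)
    severity = "critical" if score >= 20 else "high" if score >= 12 else "medium" if score >= 6 else "low"
    return findings, score, severity

def rank(inventory):
    """Assets ordered by descending risk score, for the remediation report."""
    rows = [(a["name"], *assess(a)) for a in inventory]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for name, findings, score, severity in rank(INVENTORY):
        print(f"{severity:8} {score:2} {name}: {'; '.join(findings) or 'no findings'}")
```

Re-running the same audit after fixes are applied gives the post-remediation validation step a before-and-after comparison.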

Kratikal Approach to OT Security

  • Structured, End-to-End Process: Beginning with detailed document analysis and network topology review before any active testing.
  • Full-Stack OT Coverage: Evaluating controllers, HMIs, PLCs, servers, workstations, and all underlying network infrastructure.
  • Safe Testing Aligned With Operations: Ensuring no disruption to live building systems while performing manual OT-focused assessments.
  • Comprehensive Protocol & Interface Review: Covering all communication paths and vendor-specific interfaces common in BMS environments.
  • Actionable Remediation: Delivering prioritised fixes, segmentation strategies, and compensating controls for legacy, unpatchable devices.
  • Cyber-Physical Focus: Prioritizing vulnerabilities that impact safety, availability, and critical building operations.
  • Re-Testing & Compliance Assurance: Validating fixes through a structured re-test cycle, ensuring the BMS meets required security baselines.

Number of Online Accessible BMS

The number of internet-connected BMS web interfaces is growing. A threat actor can use an IoT search engine such as Shodan, ZoomEye, or Censys to find BMS that are connected online. We used Shodan to get an idea of how exposed these online BMS are.

The above image shows how many exposed devices we were able to find just by searching the vendor name on Shodan. There could be more that can be found through other search engines. Because these devices are internet accessible, they can also be abused, and the exposed BMS can belong to hospitals and government organization buildings. There is also the possibility of denial-of-service attacks, which an attacker can carry out from anywhere over the internet.

Conclusion

A BMS has the ability to badly harm your structure, but it may also make managing your property easier if it is properly protected. Dependence on humans is gone because the Building Management System uses IP-based technology and includes web interfaces that can be accessed online, where hackers may easily access and use them from literally anywhere in the world. We at Kratikal can assist you in selecting the best procedures to fulfil your BMS needs. With our extensive experience in BMS design, we can create electronics and write firmware for building management systems with a range of functions. Our engineers have extensive experience developing reliable algorithms that determine the BMS structure.

FAQs

  1. Why is OT security assessment necessary for a Building Management System?

    Because most modern BMS panels are online, attackers can exploit weak authentication, exposed web interfaces, and misconfigurations. An OT security assessment identifies these flaws before someone uses them to control doors, elevators, HVAC, or surveillance systems.

  2. What are the common cyber risks in internet-connected BMS environments?

    Weak passwords, default credentials, file inclusion flaws, command injection, and unsafe remote access pathways. These allow attackers to unlock doors, shut down systems, spy on cameras, or disrupt critical building operations.

  3. How does an OT security assessment improve BMS safety and reliability?

    It maps assets, tests every interface, finds misconfigurations, and evaluates cyber-physical risks. The output is a clear remediation plan – segmentation, hardened access, safer protocols, and validated fixes, reducing the chance of operational disruption or physical compromise.