OT Security in Building Automation Systems (BAS)
Group COO & CISO
Operational excellence, governance, and information security. Aligns technology, risk, and business outcomes in complex IT environments

Building automation systems (BAS) control HVAC, lighting, elevators, access control, and fire suppression in commercial and critical facilities. They are OT systems by every meaningful definition, yet they are frequently excluded from OT security programs that focus on industrial environments. The OT security market is growing at 16.5% annually to $25 billion in 2026 (MarketsandMarkets, 2026), with BAS security increasingly recognized as a significant component of that market. The 2013 Target breach, where attackers entered via an HVAC vendor's connection, remains the canonical example of BAS-enabled attacks on adjacent networks.
Key Takeaways
- BAS systems are OT systems that control physical building processes with real safety consequences.
- BACnet, the dominant BAS protocol, was designed without authentication or encryption.
- The 2013 Target breach entered via an HVAC vendor connection - BAS as IT network attack vector.
- Smart building connectivity creates new BAS attack surfaces through cloud integration and IoT sensors.
- Segmenting BAS networks from IT networks is the highest-impact BAS security control available.
What Are Building Automation Systems and Why Do They Matter for Security?
Building automation systems integrate the mechanical, electrical, and plumbing systems of commercial buildings into a coordinated control environment. A BAS controls HVAC set points that maintain temperature and humidity; manages lighting schedules and occupancy-responsive dimming; monitors elevator status and dispatches cars for efficiency; coordinates access control systems that determine who can enter which areas; and supervises fire suppression and life safety systems. A 2024 Verdant Research report estimated that over 70% of commercial buildings over 50,000 square feet in developed markets now have some form of building automation in place.
BAS security matters for two reasons. First, BAS systems control physical building environments: unauthorized manipulation can make building environments uncomfortable, damage sensitive equipment through temperature or humidity violations, create elevator safety incidents, or interfere with life safety systems. Second, BAS networks are frequently connected to enterprise IT networks, creating attack paths that adversaries have already exploited. The Target breach is the most famous, but it is not unique: BAS networks have served as pivot points into enterprise networks in multiple documented incidents.
Why Is BACnet Particularly Vulnerable to Cyber Attacks?
BACnet (Building Automation and Control Network) is the dominant protocol for BAS communication, used in HVAC controllers, lighting management systems, and building management software. Developed in the 1980s and standardized as ASHRAE 135, BACnet was designed for reliable, interoperable building control. It was not designed with cybersecurity in mind. The protocol lacks built-in authentication: any device that can reach a BACnet-speaking controller can read its properties and write new values without providing credentials. Encryption is an optional extension that is rarely implemented in practice.
This authentication gap means that network access to a BACnet device is sufficient to control it. An attacker who reaches a BACnet HVAC controller can change temperature setpoints, override occupancy schedules, or disable economizer controls. In a data center environment, an HVAC attack that raises temperatures above safe limits for server equipment can cause equipment failures and data loss. In a hospital, HVAC manipulation can affect operating room conditions or pharmaceutical storage environments with patient safety implications.
Shodan scans regularly identify thousands of BACnet devices directly accessible via the internet, often in hospitals, commercial buildings, and government facilities. Many of these exposures are not intentional: building automation systems were connected to facility management networks, which were then connected to the internet for remote management, without anyone explicitly intending to expose BACnet devices to external access. The exposure is the cumulative result of individual network connectivity decisions made without security review.
How Do BAS Networks Become Attack Paths into IT Networks?
The Target breach provides the clearest documented example of BAS-to-IT network attack path exploitation. Target's HVAC vendor had remote access credentials to the facility management network. Attackers compromised the HVAC vendor and used those credentials to access Target's network. From there, they pivoted to payment systems and eventually exfiltrated 40 million credit card records. The HVAC system itself was never the objective; it was the entry point into a network that contained high-value targets.
This attack pattern is reproducible in any organization that has connected BAS networks to IT networks without explicit security controls. Building management contractors and vendors routinely need remote access for monitoring and maintenance. These access paths, if not governed with the same rigor applied to OT remote access in industrial environments, create attack vectors that sophisticated actors will exploit.
Modern smart building platforms create additional IT-BAS connectivity. Cloud-based building management platforms that aggregate energy, HVAC, and occupancy data from multiple sites need bi-directional connectivity with building automation systems. IoT sensors for occupancy monitoring, indoor air quality, and energy metering add more connected endpoints to BAS networks. Each new connection, without corresponding security architecture, expands the attack surface that must be defended.
What Are the Security Risks in Elevator and Access Control OT?
Elevator control systems are safety-critical OT that must not be accessible to unauthorized parties. Modern elevators communicate via proprietary or standard protocols between the elevator controller, the machine room, and the building management system. Some elevator systems now include remote diagnostic connectivity that allows the manufacturer or service provider to monitor performance and diagnose issues remotely. This remote connectivity, unless properly secured, creates an attack path to elevator control systems.
Physical access control systems, including card readers, door controllers, and visitor management systems, sit at the intersection of physical security and cybersecurity. A cyber attack that disables access control systems can either prevent authorized personnel from entering secured areas or allow unauthorized physical access by unlocking controlled doors. In a data center or a government facility, compromised access control can be a stepping stone to physical asset theft or destruction. Access control system network segments must be treated as security-sensitive OT, not as generic building infrastructure.
Fire suppression and life safety systems are the most consequence-critical BAS assets. Unauthorized activation of a suppression system can cause significant damage and injury; unauthorized deactivation can have catastrophic consequences in a fire event. Life safety systems are subject to fire code and building code requirements that mandate testing and maintenance; they must also now be subject to cybersecurity controls that prevent unauthorized digital access. Most fire alarm and suppression system vendors are still developing cybersecurity capabilities for their products, making compensating network controls particularly important.
How Do You Apply OT Security Controls to BAS Environments?
BAS security applies the same control framework as industrial OT security, adapted for building-specific protocols, vendor ecosystems, and operational constraints. Network segmentation is the highest-impact starting point: BAS networks must be separated from corporate IT networks through firewalls with explicit, minimal permit rules. The Target breach was enabled by the absence of this segmentation. Any organization that has connected its building management network to its corporate IT network without a security boundary between them should treat this as an urgent risk to remediate.
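As an added illustration (not from the original article or any vendor tooling), the following Python sketch audits a rule set for the BAS/IT boundary described above and flags permits that are not explicit and minimal. The zone ranges, rule names and rule tuple format are hypothetical; UDP 47808 is the standard BACnet/IP port.

```python
import ipaddress

BAS = ipaddress.ip_network("10.20.0.0/16")  # assumed building automation zone
IT = ipaddress.ip_network("10.10.0.0/16")   # assumed corporate IT zone
DEFAULT_DENY = ("deny", "any", "any", "any", "any")

# Constructed rules in a hypothetical vendor-neutral format:
# (name, action, source, destination, protocol, port); "any" is a wildcard.
RULES = [
    ("bms-historian", "permit", "10.20.0.5/32", "10.10.4.20/32", "tcp", 443),
    ("legacy-mgmt", "permit", "10.10.0.0/16", "10.20.0.0/16", "any", "any"),
    ("fm-bacnet", "permit", "10.10.8.0/24", "10.20.0.0/16", "udp", 47808),
    ("it-internal", "permit", "10.10.0.0/16", "10.10.0.0/16", "any", "any"),
    ("default", *DEFAULT_DENY),
]

def net(value):
    """Parse a CIDR string, treating "any" as the whole IPv4 space."""
    return ipaddress.ip_network("0.0.0.0/0" if value == "any" else value)

def crosses_boundary(src, dst):
    """True if the rule can carry traffic between the BAS and IT zones."""
    return (src.overlaps(IT) and dst.overlaps(BAS)) or (src.overlaps(BAS) and dst.overlaps(IT))

def audit(rules):
    """Return (rule name, finding) pairs for permits that are not explicit and minimal."""
    findings = []
    for name, action, src, dst, proto, port in rules:
        s, d = net(src), net(dst)
        if action != "permit" or not crosses_boundary(s, d):
            continue
        if "any" in (proto, port):
            findings.append((name, "all protocols or ports allowed across the boundary"))
        if s.prefixlen < 32 and d.prefixlen < 32:
            findings.append((name, "no single host named on either side"))
        if port == 47808 and d.overlaps(BAS):
            findings.append((name, "BACnet/IP (UDP 47808) reachable from outside the BAS zone"))
    if not rules or tuple(rules[-1][1:]) != DEFAULT_DENY:
        findings.append(("(end of rule set)", "no explicit default deny"))
    return findings
```

With the constructed rules, only the host-to-host historian flow passes cleanly; the zone-wide management rule and the subnet-wide BACnet permit are both reported.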
Asset discovery in BAS environments uses the same passive network monitoring approach as industrial OT. BACnet devices announce themselves on the network with device IDs and object lists; passive monitoring can build a complete BAS asset inventory from observed traffic without sending any discovery packets that could disrupt building operations. Many organizations discover during their first BAS discovery exercise that they have significantly more connected building automation devices than their documentation reflects, particularly in older facilities that have been upgraded in piecemeal fashion over the years.
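An added example, not part of the original article: building an inventory from passively observed BACnet/IP I-Am announcements, including a device that sits behind a BACnet router, and comparing it with the documented asset list. The payloads, addresses and function names are constructed for illustration, and the traffic is assumed to come from a tap or mirror port.

```python
SAMPLES = [  # constructed BACnet/IP payloads (UDP 47808) as (source IP, bytes); not a real capture
    ("10.20.0.11", bytes.fromhex("810b00180120ffff00ff1000c4020004d22205c49100210f")),
    ("10.20.0.1", bytes.fromhex("810b001c0128ffff000005010cfe1000c4020013892201e091032105")),
    ("10.20.0.50", bytes.fromhex("810b000c0120ffff00ff1008")),  # Who-Is, not an I-Am
]

def read_tag(buf, pos, expect):
    """Decode one application-tagged primitive (<= 4 bytes); return (value, next_pos)."""
    end = pos + 1 + (buf[pos] & 0x07)
    if buf[pos] >> 3 != expect << 1 or end > pos + 5 or end > len(buf):
        raise ValueError("unexpected or truncated tag")
    return int.from_bytes(buf[pos + 1:end], "big"), end

def parse_i_am(p):
    """Return I-Am fields from one BACnet/IP payload, or None for anything else."""
    try:
        if p[0] != 0x81 or p[1] not in (0x04, 0x0A, 0x0B) or int.from_bytes(p[2:4], "big") != len(p):
            return None
        pos = 12 if p[1] == 0x04 else 6          # BVLC (+ origin IP:port if forwarded) + NPDU header
        ctrl, snet, sadr = p[pos - 1], None, b""
        if p[pos - 2] != 0x01 or ctrl & 0x80:    # NPDU version 1 that carries an APDU
            return None
        pos += 3 + p[pos + 2] if ctrl & 0x20 else 0   # DNET(2) DLEN(1) DADR(DLEN)
        if ctrl & 0x08:                          # SNET(2) SLEN(1) SADR: device behind a router
            snet, slen = int.from_bytes(p[pos:pos + 2], "big"), p[pos + 2]
            sadr, pos = p[pos + 3:pos + 3 + slen], pos + 3 + slen
        pos += 1 if ctrl & 0x20 else 0           # hop count is present whenever DNET is
        if p[pos:pos + 2] != b"\x10\x00":        # Unconfirmed-Request, service choice I-Am
            return None
        oid, pos = read_tag(p, pos + 2, 12)      # device object identifier
        _, pos = read_tag(p, pos, 2)             # max APDU length accepted (not kept)
        _, pos = read_tag(p, pos, 9)             # segmentation supported (not kept)
        vendor, pos = read_tag(p, pos, 2)        # vendor identifier
        if oid >> 22 != 8:                       # object type 8 = Device
            return None
    except (IndexError, ValueError):
        return None
    return {"instance": oid & 0x3FFFFF, "vendor_id": vendor, "snet": snet, "sadr": sadr.hex()}

def build_inventory(packets):
    """Map device instance -> I-Am record plus every source IP that announced it."""
    inv = {}
    for src, payload in packets:
        if rec := parse_i_am(payload):
            inv.setdefault(rec["instance"], {**rec, "sources": set()})["sources"].add(src)
    return inv

def undocumented(inv, documented):
    """Device instances seen on the wire but absent from the asset register."""
    return sorted(set(inv) - set(documented))
```

For a routed device the UDP source is the router, so the SNET and SADR fields are what distinguish individual controllers on a field bus behind it.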
Vendor access management for BAS is critical. Building management contractors need remote access for monitoring and maintenance. This access must be managed with the same rigor applied to industrial OT vendor access: time-limited, asset-specific, multi-factor authenticated, and session-recorded. Standing VPN credentials for building management vendors, without any of these controls, create the same risk that enabled the Target breach. Revoking and re-issuing vendor access on a time-limited basis for specific maintenance windows is the correct approach.
What Does Smart Building Connectivity Mean for BAS Security?
Smart building platforms that integrate energy management, space utilization analytics, and occupant experience applications create cloud connectivity for BAS systems that did not previously exist. These platforms aggregate data from HVAC, lighting, access control, and IoT sensors across an entire building or portfolio of buildings. Their value proposition, real-time energy optimization and space utilization insights, requires bi-directional connectivity with building automation systems. This connectivity must be architected with security controls: data from BAS should flow to cloud platforms through defined, controlled paths, while commands from cloud platforms to BAS systems require authentication and authorization.
IoT sensors added to smart buildings for occupancy monitoring, indoor air quality measurement, and asset tracking create additional endpoints on BAS-adjacent networks. These sensors, which use protocols like Zigbee, Z-Wave, LoRaWAN, and cellular, extend the attack surface of the building network into every room and corridor where sensors are deployed. Security requirements for these IoT additions must include default credential changes, network placement in appropriate zones, and monitoring coverage that extends to IoT network segments.
Operational technology security for smart buildings must be included in smart building project specifications from the design phase. Security requirements should appear in the building management system procurement specification, the IoT sensor platform evaluation criteria, and the smart building platform vendor assessment process. Retrofitting security onto a deployed smart building platform is significantly harder and more expensive than building it in from the start. For organizations deploying or assessing smart building OT security, Opsio's OT security services provide BAS-specific assessment and architecture guidance.
Frequently Asked Questions
Is BACnet the only vulnerable BAS protocol?
No. Modbus, LonWorks, KNX, and proprietary vendor protocols are also used in BAS environments and share similar security limitations. Modbus, in particular, has the same lack of authentication and encryption as BACnet and is widely used in HVAC and power management applications. LonWorks and KNX have some security extensions, but legacy implementations pre-dating those extensions are common. Any BAS protocol assessment should cover the full protocol mix in the environment, not just BACnet.
Should BAS security be owned by IT security or facilities management?
Joint ownership with explicit governance is the most effective approach. Facilities management understands BAS operational requirements, vendor relationships, and building system dependencies. IT security understands network architecture, threat landscapes, and security control design. Neither team alone has the full picture. A governance structure that includes both teams, with defined responsibilities for risk identification (both), control implementation (IT leads on network; facilities leads on device configuration), and vendor management (facilities coordinates, IT approves access controls), combines the necessary expertise effectively.
Do BAS systems need to comply with NIS2?
BAS systems in facilities operated by entities classified as essential or important under NIS2 are within scope for NIS2 compliance. A hospital's building automation systems are covered under the hospital's NIS2 obligations. An energy company's control building BAS is covered under the energy operator's NIS2 obligations. NIS2 does not exclude BAS from its operational technology requirements simply because it is building infrastructure rather than production infrastructure. Organizations subject to NIS2 should explicitly include BAS in their OT security scope assessment.
What is the risk of BAS attacks on data centers?
Data center BAS controls cooling systems whose failure can cause server temperatures to exceed safe operating limits within minutes. HVAC manipulation is one of the highest-consequence BAS attacks in data center environments. A coordinated attack that disables cooling while simultaneously overloading compute resources could cause widespread hardware failures. Data center BAS networks are typically isolated from production IT networks, but that isolation must be verified and maintained: IT infrastructure upgrades and operational connectivity changes can inadvertently create BAS-IT connections that compromise isolation.
Conclusion
Building automation systems are OT that many organizations have not yet included in their security programs. BACnet's lack of authentication, widespread internet exposure, BAS-to-IT connectivity patterns like the Target breach, and smart building expansion all make BAS security an urgent, concrete risk rather than a future concern.
The controls required are the same as for industrial OT: network segmentation, vendor access management, asset visibility, and protocol-aware monitoring. The operational context is different, requiring facilities management partnership alongside IT security engagement. The urgency is the same: 60% incident rates and 40% annual ransomware growth do not spare facilities that treat building systems as outside the security program's scope.
Author: Opsio Security Practice | Published: April 2026 | Last updated: April 2026
Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.