SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Three-quarters of building systems exposed to cyber risks

Today

New research from Claroty has found that three-quarters of Building Management Systems (BMS) across more than 500 organisations are affected by known exploited vulnerabilities, while over half are insecurely connected to the internet.

The report, conducted by Claroty's Team82, analysed close to 500,000 BMS devices used in commercial smart buildings, retail warehousing, data centres, and hospitality venues. The findings indicate significant cybersecurity risks in facilities that rely heavily on BMS assets for day-to-day operations, such as managing heating, ventilation, air conditioning (HVAC), lighting, energy, elevators, and security systems.

Key statistics

Among the key findings, 51% of BMS systems were reported as being insecurely connected to the internet. Furthermore, 75% of organisations studied had BMS devices affected by known exploited vulnerabilities (KEVs), and 69% had BMS devices with critical KEVs implicated in previous ransomware attacks. The combination of these factors presents extensive risk to organisations, especially as such systems increasingly become networked for remote management and analytics.

According to the research, within those organisations where KEVs and insecure connectivity coexist, approximately 2% of devices present the highest level of risk exposure. These are often assets critical to operations, such as systems controlling cooling in data centres or refrigeration in retail, leaving them particularly vulnerable to cyber threats.

Expert response

Grant Geyer, Chief Strategy Officer at Claroty, raised concerns about the sector's current approach:

"Oftentimes, BMS and BAS are being operationalised on the network without thinking about the cybersecurity implications. What's being gained in efficiency and convenience might be coming at a real risk if not effectively secured—for instance, the cooling of data centers or refrigeration of perishable goods in retail, which are critical systems to abruptly be taken offline if compromised."

The report highlights the need for organisations to reassess their approach to securing BMS environments. The growing connectivity of building management and automation systems, paired with a lack of inherent security features in many devices, increases the likelihood of unauthorised access and attacks. The potential consequences include costly disruptions and impacts on safety, particularly if essential systems are compromised.

Call for action

Claroty's research suggests that organisations should take an exposure management-based approach, focusing on identifying, assessing, and prioritising the riskiest devices in their networks. The report recommends that protection of BMS be given greater priority, urging provisioning of specific security measures suited to the unique nature of cyber-physical systems.
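The exposure-management approach described here, and the report's observation that the riskiest devices are the ones where a known exploited vulnerability, insecure internet connectivity and an operationally critical function coincide, can be turned into a simple prioritisation over an asset inventory. The following is an added example written for this article, not Claroty's or Team82's own tooling: the inventory records, organisation names, CVE identifiers and the two-entry KEV catalogue are all constructed placeholders, and the tier rules and score weights are assumptions chosen to reflect the three factors the report combines. It also computes the same kind of population statistics the report quotes (share of assets insecurely connected, share of organisations with KEVs, share of assets in the top tier where KEVs and exposure coexist), so a defender can run it over a real inventory export once the catalogue and records are swapped in.

```python
"""Exposure-based prioritisation of BMS assets (added example, not Claroty tooling).

Ranks building-management devices by combining three factors from the report:
a known exploited vulnerability (KEV), a ransomware-linked KEV, and insecure
internet connectivity, weighted by whether the device's function is
operationally critical. Every record, CVE id and catalogue entry is constructed.
"""
from dataclasses import dataclass

# Constructed stand-in for a KEV catalogue: CVE id -> ransomware-linked flag.
KEV_CATALOGUE = {
    "CVE-0000-0001": True,   # placeholder: exploited and ransomware-linked
    "CVE-0000-0002": False,  # placeholder: exploited, not ransomware-linked
}

# Functions whose abrupt loss has physical or business impact (assumption).
CRITICAL_FUNCTIONS = {"cooling", "refrigeration", "fire_safety", "elevator"}
TIER_ORDER = {"highest": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class BmsAsset:
    asset_id: str
    org: str
    function: str                 # e.g. "hvac", "cooling", "lighting"
    cves: tuple                   # CVE ids reported for the device firmware
    internet_exposed: bool        # reachable from the internet at all
    remote_access_secured: bool   # exposure sits behind VPN/MFA/segmentation


def has_kev(a: BmsAsset) -> bool:
    return any(c in KEV_CATALOGUE for c in a.cves)


def has_ransomware_kev(a: BmsAsset) -> bool:
    return any(KEV_CATALOGUE.get(c, False) for c in a.cves)


def insecurely_connected(a: BmsAsset) -> bool:
    # "Insecure" means exposed without a protected remote-access path.
    return a.internet_exposed and not a.remote_access_secured


def is_critical(a: BmsAsset) -> bool:
    return a.function in CRITICAL_FUNCTIONS


def tier(a: BmsAsset) -> str:
    """Coexistence of KEV + insecure exposure on a critical asset is the top tier."""
    kev, insecure = has_kev(a), insecurely_connected(a)
    if kev and insecure and is_critical(a):
        return "highest"
    if kev and insecure:
        return "high"
    if kev or insecure:
        return "medium"
    return "low"


def score(a: BmsAsset) -> int:
    """Additive score used only to order assets within a tier (weights assumed)."""
    return (3 * has_kev(a) + 2 * has_ransomware_kev(a)
            + 3 * insecurely_connected(a) + 2 * is_critical(a))


def prioritise(assets):
    """Remediation order: tier first, then score, stable for ties."""
    return sorted(assets, key=lambda a: (TIER_ORDER[tier(a)], -score(a)))


def summarise(assets) -> dict:
    """Population statistics in the style of the report's headline figures."""
    def pct(n, d):
        return round(100.0 * n / d, 1) if d else 0.0
    orgs = {a.org for a in assets}
    insecure = [a for a in assets if insecurely_connected(a)]
    orgs_kev = {a.org for a in assets if has_kev(a)}
    orgs_ransomware = {a.org for a in assets if has_ransomware_kev(a)}
    coexist = orgs_kev & {a.org for a in insecure}      # KEVs and exposure together
    in_coexist = [a for a in assets if a.org in coexist]
    top = [a for a in in_coexist if tier(a) == "highest"]
    return {
        "pct_assets_insecurely_connected": pct(len(insecure), len(assets)),
        "pct_orgs_with_kev": pct(len(orgs_kev), len(orgs)),
        "pct_orgs_with_ransomware_kev": pct(len(orgs_ransomware), len(orgs)),
        "pct_highest_tier_where_kev_and_exposure_coexist": pct(len(top), len(in_coexist)),
    }


# Constructed inventory: three fictional organisations, seven devices.
SAMPLE_INVENTORY = [
    BmsAsset("A-hvac-1",   "OrgA", "hvac",          ("CVE-0000-0002",), True,  False),
    BmsAsset("A-cool-1",   "OrgA", "cooling",       ("CVE-0000-0001",), True,  False),
    BmsAsset("A-light-1",  "OrgA", "lighting",      (),                 False, False),
    BmsAsset("B-refrig-1", "OrgB", "refrigeration", ("CVE-0000-0001",), True,  True),
    BmsAsset("B-hvac-1",   "OrgB", "hvac",          (),                 True,  False),
    BmsAsset("C-elev-1",   "OrgC", "elevator",      ("CVE-0000-0099",), False, False),
    BmsAsset("C-hvac-2",   "OrgC", "hvac",          (),                 False, False),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_INVENTORY):
        print(f"{tier(a):8} score={score(a):2}  {a.asset_id} ({a.org}, {a.function})")
    print(summarise(SAMPLE_INVENTORY))
```

The tier rule is deliberately stricter than the score: a device with a ransomware-linked KEV but a protected remote-access path (B-refrig-1) outranks nothing in the "high" tier, because the report's point is that it is the coexistence of an exploited flaw with direct exposure that puts a device in the small top group. Swapping `KEV_CATALOGUE` for a real catalogue feed and `SAMPLE_INVENTORY` for an asset-discovery export is what a risk team would do next.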

The report notes that as smart buildings become more common and the need for remote management grows, the risk landscape expands significantly. It states that greater integration of business impact assessment into security strategies could help organisations reduce risk and avoid severe disruptions.

Adoption of security frameworks

The report emphasises that organisations undergoing digital transformation have the opportunity to safeguard operational-critical BMS devices by applying a security framework tailored to the needs of asset owners and executives. This would allow a more accurate assessment of security posture and the creation of targeted remediation plans for risk management teams.

By understanding the full context in which BMS devices operate, organisations are better positioned to protect them from vulnerabilities and ensure continuity of operations even as new technologies are adopted.

Team82's findings provide a snapshot of the current state of BMS security across a range of industries and underscore the importance of addressing both technical vulnerabilities and strategic management of device exposure in an increasingly connected world.
