> root@bms-assess:~# bacnet-discover --network 10.10.60.0/24 | grep 'Object-Name\|Vendor' | head -20
Every modern office building is a computer. Not metaphorically — literally. Behind the plasterboard, above the ceiling tiles, and inside the risers, thousands of sensors, actuators, and controllers form a networked system that manages every environmental and mechanical function: heating, ventilation, air conditioning, lighting, lifts, fire detection, energy metering, water treatment, and — increasingly — physical access control.
This system is the Building Management System — the BMS. It is the building's nervous system. It reads temperatures, adjusts dampers, modulates boilers, dims lights, monitors power consumption, and reports faults. In a modern smart building, the BMS may manage tens of thousands of data points across hundreds of controllers, communicating over protocols that were designed decades before cybersecurity was a consideration.
On this engagement, we assessed a newly constructed Grade A office tower in a major city centre. The building had been designed to BREEAM 'Excellent' sustainability standards, with a fully integrated smart building platform controlling HVAC, lighting, metering, and tenant access systems. The BMS was the most sophisticated operational technology environment we had assessed outside of industrial manufacturing — and it was the least secured.
The client was the building's managing agent — a commercial property management company responsible for the operation and maintenance of the tower on behalf of the freeholder. The building comprised eighteen floors of multi-tenant office space, a ground-floor reception and retail area, and three basement levels of car parking and plant rooms. Occupancy was approximately two thousand people across fourteen tenants.
The BMS had been installed by a specialist building services contractor during construction and was maintained under a facilities management contract. The system comprised a head-end server running the BMS supervisor application, forty-two field controllers distributed across plant rooms and floor risers, and several thousand field devices — temperature sensors, valve actuators, variable speed drives, lighting controllers, energy meters, and access control panels.
The managing agent had recently engaged an IT security consultancy to assess the corporate office network. During that assessment, the consultancy had noted the presence of BMS traffic on the corporate network and recommended a specialist assessment. We were engaged to conduct a BMS security assessment — the first in the building's three-year operational history.
The building's network architecture was designed with a degree of separation between IT and OT. The BMS had its own VLAN — 10.10.60.0/24 — connected through a managed switch infrastructure that served both the tenant IT networks and the building services. However, the separation was logical rather than physical, and the firewall rules governing access between VLANs were the focus of our first assessment.
The BMS VLAN was fully reachable from the building management office VLAN. The management office — where the facilities team's workstations sat — had unrestricted access to the BMS network. This was intentional: the facilities engineers needed to access the BMS head-end for daily operations. However, the access was not restricted to specific management workstations or authenticated users — any device on the management office VLAN could reach every BMS device.
More concerning, we tested reachability from a tenant VLAN. Each tenant had their own VLAN for their corporate IT. Firewall rules should have prevented tenant VLANs from reaching the BMS network.
The BMS head-end was reachable from tenant VLANs on BACnet port 47808 and HTTP port 80. A firewall rule — with the comment 'BACnet integration — tenant energy dashboards' — permitted this access. The rule had been created to allow tenant energy monitoring displays to read BACnet data points for their floor's electricity and gas consumption. The rule permitted access to the entire BMS head-end, not just the metering data points.
A firewall rule intended to permit tenant energy dashboard access to BACnet metering data points permitted unrestricted BACnet and HTTP access from all tenant VLANs to the BMS head-end server. Any compromised tenant workstation could interact with the building's BMS.
BACnet (Building Automation and Control Networks) is the dominant protocol for building management systems. Standardised as ISO 16484-5, it is used by the majority of commercial BMS installations worldwide. BACnet defines how building controllers communicate — sharing temperature readings, setpoint values, schedules, alarm states, and control commands.
Like many OT protocols of the 1990s, BACnet was designed for functionality and interoperability, not security. In its standard configuration, BACnet has no authentication and no encryption. Any device that can send a BACnet packet to port 47808 can read any data point, write any setpoint, and issue any command that the controller supports. BACnet does include an optional security extension (BACnet/SC — Secure Connect), but adoption is minimal and it was not implemented in this installation.
Forty-three BACnet devices discovered. The device names revealed the building's mechanical infrastructure in detail: air handling units in the basement plant rooms, fan coil units on every floor (identified by floor and zone), chillers on the roof, and the central supervisor. The naming convention mapped the building's mechanical layout — which plant serves which area, which controllers manage which floors.
We queried the BACnet objects on a representative floor controller to understand the data points available.
Complete visibility of the floor's environmental controls. Current temperatures, humidity, CO2 levels, valve positions, fan speeds, and setpoints — all readable without authentication. The setpoints and control values were writable — we could change the target temperature, override the occupied/unoccupied schedule, and modify fan speeds by writing new values to the BACnet objects.
With the client's explicit approval and the facilities manager present, we demonstrated the ability to modify environmental controls via BACnet.
Two demonstrations in ninety seconds. The first raised the temperature setpoint to 28°C — causing the heating system to activate at full capacity on a floor occupied by a tenant's workforce. The second forced the floor into unoccupied mode — dropping the temperature setpoint to 16°C, closing the fresh air dampers to minimum, and dimming the lighting to ten per cent. Both changes took effect within seconds.
In an occupied office, forcing unoccupied mode would make the space progressively uncomfortable over thirty to sixty minutes as temperature drifted and CO2 levels rose. The occupants would not know why. The facilities team would not receive an alarm — the controller was operating normally in its unoccupied programme. It simply believed the floor was empty.
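The controller raised no alarm because, at the protocol level, the write was indistinguishable from one sent by the head-end. The place a defender can still see it is on the wire. The following is an added example, not code from the original post or from the assessed building: it decodes the BVLC, NPDU and APDU layers of BACnet/IP frames (the structure described above, port 47808, no authentication) far enough to name the service and target object, then flags write-class services from any host other than the facilities head-end. The sample frames, host addresses and the allow-lists are constructed for the demonstration; the decoder assumes unrouted, unsegmented frames.

```python
"""Passive detector for BACnet/IP control traffic from unexpected hosts.

Added example; this is not code from the original post or from the
assessed building. Sample frames, host addresses and the policy are
constructed. Assumes an unrouted NPDU and no APDU segmentation.
"""
import struct

# Confirmed-request service choices that change controller state.
WRITE_SERVICES = {
    7: "atomicWriteFile",
    15: "writeProperty",
    16: "writePropertyMultiple",
    17: "deviceCommunicationControl",
    20: "reinitializeDevice",
}
READ_SERVICES = {12: "readProperty", 14: "readPropertyMultiple"}
UNCONFIRMED = {0: "i-Am", 8: "who-Is"}
OBJECT_TYPES = {0: "analog-input", 1: "analog-output", 2: "analog-value",
                4: "binary-output", 8: "device", 19: "multi-state-value"}
PROPERTIES = {85: "present-value", 87: "priority-array"}

# Constructed policy: the head-end is the only legitimate writer; the
# facilities workstation may read. Everything else is unexpected.
WRITE_ALLOWED = {"10.10.60.10"}
READ_ALLOWED = WRITE_ALLOWED | {"10.10.60.50"}


def decode_bacnet_ip(frame: bytes) -> dict:
    """Decode one BACnet/IP frame into service / object / property / value."""
    if len(frame) < 6 or frame[0] != 0x81:
        raise ValueError("not a BACnet/IP (BVLC) frame")
    bvlc_func, bvlc_len = frame[1], struct.unpack(">H", frame[2:4])[0]
    if bvlc_len != len(frame) or frame[4] != 0x01:
        raise ValueError("bad BVLC length or NPDU version")
    control = frame[5]
    if control & 0x80:                      # network-layer message, carries no APDU
        return {"pdu": "network-message", "service": None}
    if control & 0x28:                      # DNET/SNET present: routed frame, not handled here
        raise ValueError("routed NPDU not handled by this example")
    apdu = frame[6:]
    pdu_type = apdu[0] >> 4
    if pdu_type == 0 and len(apdu) >= 4:    # Confirmed-Request: flags, max-apdu, invoke-id, service
        choice, params = apdu[3], apdu[4:]
        name = WRITE_SERVICES.get(choice) or READ_SERVICES.get(choice) or f"confirmed-{choice}"
        result = {"pdu": "confirmed", "service": name, "choice": choice}
    elif pdu_type == 1 and len(apdu) >= 2:  # Unconfirmed-Request: flags, service
        choice, params = apdu[1], apdu[2:]
        result = {"pdu": "unconfirmed", "choice": choice,
                  "service": UNCONFIRMED.get(choice, f"unconfirmed-{choice}")}
    else:
        return {"pdu": f"type-{pdu_type}", "service": None}
    result["broadcast"] = bvlc_func == 0x0B
    # ReadProperty and WriteProperty share a prefix: context tag 0 (object id,
    # 4 bytes) then context tag 1 (property id, 1-2 bytes). WriteProperty then
    # carries the new value between opening/closing tag 3.
    if len(params) >= 7 and params[0] == 0x0C:
        obj = struct.unpack(">I", params[1:5])[0]
        result["object"] = f"{OBJECT_TYPES.get(obj >> 22, obj >> 22)}:{obj & 0x3FFFFF}"
        if params[5] & 0xF8 == 0x18:
            ln = params[5] & 0x07
            prop = int.from_bytes(params[6:6 + ln], "big")
            result["property"] = PROPERTIES.get(prop, prop)
            idx = 6 + ln
            if len(params) >= idx + 7 and params[idx] == 0x3E and params[idx + 1] == 0x44:
                result["value"] = struct.unpack(">f", params[idx + 2:idx + 6])[0]  # REAL
    return result


def audit(packets):
    """Return alert lines for (src_ip, frame) pairs that violate the policy."""
    alerts = []
    for src, frame in packets:
        d = decode_bacnet_ip(frame)
        if d["pdu"] != "confirmed":
            continue                        # Who-Is / I-Am discovery is not a control action
        target = f"{d.get('object')}/{d.get('property')}"
        if d["choice"] in WRITE_SERVICES and src not in WRITE_ALLOWED:
            value = f" value={d['value']}" if "value" in d else ""
            alerts.append(f"ALERT {d['service']} to {target}{value} from unauthorised host {src}")
        elif d["choice"] in READ_SERVICES and src not in READ_ALLOWED:
            alerts.append(f"NOTICE {d['service']} on {target} from unexpected host {src}")
    return alerts


# Constructed traffic: a facilities read, a write of 28.0 to a setpoint from a
# tenant-VLAN address at priority 8, and a Who-Is broadcast from the head-end.
SAMPLE_TRAFFIC = [
    ("10.10.60.50", bytes.fromhex("810a0011" "0104" "0005010c" "0c00000001" "1955")),
    ("10.10.30.15", bytes.fromhex("810a001a" "0104" "0005020f" "0c00800003" "1955"
                                  "3e4441e000003f" "4908")),
    ("10.10.60.10", bytes.fromhex("810b0008" "0100" "1008")),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_TRAFFIC):
        print(line)
```

Fed from a span port or a packet capture on the BMS VLAN, the same logic turns the silent setpoint change into an event the facilities team can act on; a real deployment would extend the allow-lists per controller and treat writes to schedule and alarm-limit objects as its highest-priority class.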
The operational consequences extend beyond discomfort. Pharmaceutical tenants with temperature-controlled storage, financial services firms with server rooms dependent on building cooling, and medical practices with environmental compliance requirements would all be affected by uncontrolled temperature excursions.
The BMS head-end server at 10.10.60.10 ran the central supervisor application — the graphical interface used by the facilities team to monitor and control the entire building. The web interface was accessible on port 80.
Full administrative access to the building supervisor with a vendor-default password. The interface provided complete control over the building's environmental systems — setpoints for every zone, schedules for every floor, alarm management, trend data, and the ability to upload firmware to field controllers.
The alarm management capability was particularly concerning. An attacker who could silence or disable alarms could manipulate environmental conditions without the facilities team receiving notification. Combined with the ability to modify setpoints, an attacker could create conditions that would not trigger any alarm — because the alarm thresholds themselves could be changed.
The trend data — twelve months of historical temperature, humidity, energy consumption, and occupancy patterns — constituted an intelligence asset. Occupancy trends reveal when floors are empty. Energy patterns reveal operating hours. Temperature histories reveal which zones have persistent issues that might indicate poorly monitored areas.
The access control head-end at 10.10.60.100 managed the building's card access system — the readers at the main entrance, lift lobbies, tenant suite doors, plant rooms, and car park barriers. It was on the same BMS VLAN as the HVAC controllers.
The access control system — managing eighty-seven doors, one hundred and twelve card readers, and 2,341 cardholders — was accessible with admin / admin. From this interface, we could remotely unlock any door in the building, add new access credentials, revoke existing access, view the complete cardholder database (names, companies, card numbers, and access zones), and review the access event log showing who had accessed every door in the building.
The ability to remotely unlock doors transforms a cybersecurity compromise into a physical security compromise. An attacker with access to the access control system could unlock the main entrance at 3 AM, disable the car park barrier, open the server room door, or hold open a fire exit — all from a laptop. The convergence of building automation and physical access control on the same network, protected by the same default credentials, collapses the boundary between cyber and physical attack.
The building's access control system, managing 87 doors and 2,341 cardholders, was accessible with the manufacturer's default admin/admin credentials. Administrative access permits remote door unlocking, cardholder creation, access log review, and zone modification. The access control head-end was on the same VLAN as the BMS and was reachable from tenant networks.
| Step | Action | Weakness Exploited |
|---|---|---|
| 01 | Reached BMS VLAN from tenant network on BACnet and HTTP ports | Firewall rule for energy dashboards permitted broad BMS access |
| 02 | Enumerated 43 BACnet devices and ~4,200 data points | BACnet protocol — no authentication; all objects readable |
| 03 | Modified HVAC setpoints and occupancy modes on occupied floors | BACnet write access — no authentication on writable objects |
| 04 | Accessed BMS head-end with vendor-default credentials | Default password unchanged since commissioning (3 years) |
| 05 | Full building supervisor access — setpoints, schedules, alarms, firmware | Single default admin account with unrestricted privileges |
| 06 | Accessed access control system — 87 doors, 2,341 cardholders | admin/admin default credentials; same VLAN as BMS |
The most impactful immediate change is removing tenant VLAN access to the BMS network. The firewall rule that enabled tenant energy dashboards to query BACnet data should be replaced with a dedicated BACnet API gateway — a read-only proxy that exposes only the metering data points to the tenant dashboards, and nothing else. The proxy sits between the tenant VLANs and the BMS VLAN, translating tenant API requests into BACnet reads and returning the values. The tenants never communicate directly with the BMS.
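What that gateway has to enforce is simple to state: a tenant names a meter, never a BACnet object; the gateway maps the name through that tenant's allow-list; and the only frame it can ever emit is a ReadProperty. The following is an added example of such a proxy, not the assessed building's gateway or any vendor's product. Tenant names, meter object instances and the head-end reply are constructed, and the transport callable stands in for a UDP socket to port 47808 on the BMS VLAN.

```python
"""Read-only BACnet metering gateway for tenant energy dashboards.

Added example; not the assessed building's gateway or any vendor's
product. Tenant names, object instances and the sample reply are
constructed. No code path here can produce a WriteProperty frame.
"""
import struct

BACNET_PORT = 47808          # 0xBAC0, the port the firewall rule had opened to every tenant
ANALOG_INPUT = 0             # object type assumed here for meter registers
PRESENT_VALUE = 85           # BACnet property identifier

# Constructed allow-list: tenant -> meter name -> (object type, instance).
# A tenant can only name meters listed under its own key.
TENANT_METERS = {
    "tenant-floor-07": {"electricity": (ANALOG_INPUT, 701), "gas": (ANALOG_INPUT, 702)},
    "tenant-floor-12": {"electricity": (ANALOG_INPUT, 1201)},
}


def encode_read_property(invoke_id: int, obj_type: int, instance: int,
                         prop: int = PRESENT_VALUE) -> bytes:
    """Encode a BACnet/IP Original-Unicast-NPDU carrying a ReadProperty request."""
    if not (0 <= obj_type < 1024 and 0 <= instance < (1 << 22) and 0 <= prop < 256):
        raise ValueError("object or property identifier out of range")
    object_id = (obj_type << 22) | instance
    apdu = (bytes([0x00, 0x05, invoke_id & 0xFF, 0x0C])   # Confirmed-Request, ReadProperty (12)
            + b"\x0c" + struct.pack(">I", object_id)     # context tag 0: object identifier
            + bytes([0x19, prop]))                        # context tag 1: property identifier
    npdu = b"\x01\x04"                                    # NPDU version 1, expecting reply
    return b"\x81\x0a" + struct.pack(">H", 4 + len(npdu) + len(apdu)) + npdu + apdu


def decode_read_property_ack(frame: bytes, invoke_id: int, object_id_bytes: bytes) -> float:
    """Pull a REAL present-value out of a ReadProperty ComplexACK; reject anything else."""
    if frame[:2] != b"\x81\x0a" or struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("malformed BVLC header")
    apdu = frame[6:]
    if len(apdu) < 17 or apdu[0] >> 4 != 3 or apdu[1] != invoke_id or apdu[2] != 0x0C:
        raise ValueError("not the ReadProperty ACK we asked for")
    params = apdu[3:]
    if params[0] != 0x0C or params[1:5] != object_id_bytes or params[5:7] != bytes([0x19, PRESENT_VALUE]):
        raise ValueError("ACK is for a different object or property")
    if params[7] != 0x3E or params[8] != 0x44 or params[13] != 0x3F:   # opening tag 3, REAL, closing tag 3
        raise ValueError("value is not a REAL")
    return struct.unpack(">f", params[9:13])[0]


class MeteringGateway:
    """Allow-list proxy between tenant dashboards and the BMS head-end."""

    def __init__(self, transport, allowlist=TENANT_METERS):
        self._send = transport           # callable(bytes) -> bytes reply from the head-end
        self._allowlist = allowlist
        self._invoke = 0

    def permitted(self, tenant: str, meter: str) -> bool:
        return meter in self._allowlist.get(tenant, {})

    def read_meter(self, tenant: str, meter: str) -> float:
        if not self.permitted(tenant, meter):
            # Same error for unknown tenant and unlisted meter: no enumeration oracle.
            raise PermissionError(f"{tenant!r} is not permitted to read {meter!r}")
        obj_type, instance = self._allowlist[tenant][meter]
        self._invoke = (self._invoke + 1) & 0xFF
        request = encode_read_property(self._invoke, obj_type, instance)
        reply = self._send(request)
        return decode_read_property_ack(reply, self._invoke, request[11:15])


def fake_head_end(request: bytes) -> bytes:
    """Constructed stand-in for the head-end: answers any ReadProperty with 100.0."""
    invoke_id, object_id_bytes = request[8], request[11:15]
    apdu = (bytes([0x30, invoke_id, 0x0C]) + b"\x0c" + object_id_bytes
            + bytes([0x19, PRESENT_VALUE]) + b"\x3e\x44" + struct.pack(">f", 100.0) + b"\x3f")
    npdu = b"\x01\x00"
    return b"\x81\x0a" + struct.pack(">H", 4 + len(npdu) + len(apdu)) + npdu + apdu


if __name__ == "__main__":
    gw = MeteringGateway(fake_head_end)
    print(gw.read_meter("tenant-floor-07", "electricity"))
    try:
        gw.read_meter("tenant-floor-12", "gas")     # not on floor 12's allow-list
    except PermissionError as exc:
        print("refused:", exc)
```

Because the gateway is the only host the firewall needs to admit to the BMS VLAN, the broad 'BACnet integration' rule collapses to one source address, one destination and one port, and the gateway's own allow-list becomes the single place where tenant visibility is defined and reviewed.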
Separating the access control system from the BMS VLAN is essential. HVAC and physical access are different security domains with different consequences of compromise. They should be on different VLANs with independent management interfaces and independent credentials. The convergence of both systems onto a single VLAN with identical default credentials created a compound risk that neither vendor's security model anticipated.
BACnet/SC (Secure Connect) is the long-term protocol-level solution. BACnet/SC adds TLS-based authentication and encryption to BACnet communications, preventing unauthenticated reads and writes. Adoption requires controller firmware that supports SC — a significant investment in a building with forty-two existing controllers — but should be specified as a requirement for any new controller replacements or new-build projects.
Including BMS security in the facilities management contract and tenant leases addresses the governance gap. The FM contract should specify password management, firmware update responsibilities, and security assessment obligations. Tenant leases should specify the network isolation controls that the managing agent will maintain between tenant VLANs and building services infrastructure.
This building was a showcase. BREEAM Excellent. Smart building platform. Integrated energy monitoring. Automated environmental control. It performed its primary function — keeping two thousand people comfortable, productive, and safe — with precision and efficiency.
But the system that achieved this — the forty-two controllers, the four thousand data points, the access control panels, the head-end server — was protected by the manufacturer's default passwords, communicated over a protocol without authentication, and was reachable from tenant networks through a firewall rule that nobody had reviewed since the building opened.
Buildings are not traditionally considered attack surfaces. They are considered places — offices, not endpoints. But every smart building is an OT environment, running the same class of protocols, with the same class of vulnerabilities, that we assess in factories and utilities. The difference is that factories know they are OT environments. Buildings, frequently, do not.
Until next time — stay sharp, stay curious, and check the password on the BMS. If it was set during commissioning, it has not been changed since.
This article describes a BMS security assessment conducted under formal engagement with full written authorisation from the building's managing agent. Environmental modifications were demonstrated under controlled conditions with the facilities manager present and were reverted immediately. No tenant systems were accessed. No cardholder data was exfiltrated from the access control system. All identifying details — including the building, its location, tenants, and system vendors — have been altered or omitted to preserve client confidentiality. Unauthorised access to building management systems may constitute offences under the Computer Misuse Act 1990 and may carry health and safety implications. Do not attempt to replicate these techniques without proper authorisation.
Hedgehog Security conducts BMS and smart building security assessments covering BACnet services, controller authentication, access control integration, network segmentation, and the IT/OT boundary. We understand building services protocols, operational constraints, and the multi-stakeholder governance that makes building security uniquely complex. Your building keeps people comfortable. We make sure it stays under your control.