Potential Threats to Building Automation Systems

Dec 27, 2022


Buildings offer a convenient and connected environment for the comfort and safety of its occupants while using energy efficiently . Buildings like these comprise critical assets from a variety of industries such as offices, retail, education, hotels, and public institutions. For instance, healthcare buildings must be equipped with life-saving equipment such as HVAC systems, emergency calling equipment, and healthcare gasses, while office buildings must provide access control equipment, firefighting equipment, and elevators, to name a few [1].

If a building experiences a malware attack, it could disrupt the operation of businesses and pose a direct threat to the safety of those within it. In keeping with the concept of an smart building, this article presents the widespread application of the Internet of Things (IoT) as a Building Automation System (BAS) as a viable solution:


  • Building Automation System (BAS): The Building Automation System (BAS) is a single platform that integrates lighting, HVAC, fire, and security systems, allowing it to promptly provide critical operating information from the building and enhance personnel security and convenience. As depicted in Figure 1, the control center area of the BAS is able to receive endpoint data from meters, HVAC systems, and physical access control, enabling operators to adjust the building’s operating mode based on industry requirements.


  • Grid-interactive Efficient Buildings System (GEB): The GEB is used to integrate and continually optimize energy consumption, as depicted by the black dotted line on the left side of the figure. A key feature of the GEB is the ability of its assets to communicate and receive and transmit signals flexibly, enabling the building to automatically implement the most advantageous energy usage decisions [2]. To achieve this, the system combines BAS analysis, utility price information, weather forecasts, available on-site generation, energy storage, and other relevant data.


  • Buildings OT protocol: In order for the controller to automatically operate the field equipment of the building and provide information to the Control Center, an OT (Operational Technology) protocol must be used for data transmission between assets. Examples of common OT protocols used in smart buildings are shown by the orange and brown lines in the figure, and include BACnet, Modbus, LonTalk, and IEC61850, among others. For example, the Control Center can transmit operation instructions to controllers or gateways located on different floors, which use the multiprotocol interface provided by various equipment manufacturers to convert the instructions into protocols such as Modbus RTU, LonTalk, or IEC61850 to operate the field devices.


  • Managed Network Services for IoT: A trend in smart buildings is depicted in the blue colored parts of figure 1, which is using IoT technology to connect various building systems and collect and analyze relevant building information in real time. With IoT hosting services, facilities can establish base stations and antennae to collect data from thousands of IoT devices [3]. Similarly, when the building system is connected to the Internet, residents can access the system through their own terminal devices, such as mobile apps or webpages. In addition to accessing building-related information, residents in a hotel building scenario can even use the application as a key to enter and exit the access control system.

Buildings Network Architecture OverviewFigure 1. Buildings Network Architecture Overview


Threats Faced by the Smart Buildings Industry

Now that we have building systems connected to the Internet, cyber attacks have become a major threat. For example, in October 2021, a building automation engineering firm in Germany was attacked by an adversary that penetrated the BAS through the UDP port exposed to the network, resulting in the loss of control of many field devices (such as light switches, motion detectors, shutter controllers, and others) [4]. In addition, HVAC and thermostats have been exploited in the past, allowing attackers to continuously infiltrate financial systems and casino databases, potentially threatening tens of millions of customers [5]. Therefore, we analyzed the system and network architecture of smart buildings and identified the following potential threats:


1. IoT devices are vulnerable to unpatched vulnerabilities and configuration errors that can allow attackers to continuously access and compromise the BAS, leading to disruptions in the operations of industries that depend on them.

In many cases, the vast array of Internet of Things (IoT) devices used in intelligent buildings can pose a challenge for managers trying to ensure the security of all device data. Even when equipment manufacturers provide guidelines for information security, it may be difficult for managers to implement these recommendations. According to Software Testing Help statistics [6], some of the most popular IoT devices in 2022 include the August Smart Lock, Belkin WeMo Smart Light Switch, Nest Smoke Alarm, and Nest T3021US Learning Thermostat. In the past, the August Smart Lock has had a security vulnerability that allowed attackers to access the user’s Wi-Fi network. The primary issue with this IoT device was that the encryption key was hardcoded into the application using an easily crackable cipher called ROT-13. As a result, hackers could intercept the user’s Wi-Fi password through the device’s easily cracked encryption method [7]. In another case, TrapX Security demonstrated that vulnerabilities in the Nest Thermostat could be exploited to load custom software onto the Nest ARM7 processor via USB. If successful, this would allow TrapX to obtain the password for the Wi-Fi network to which the Nest is connected, and attackers could potentially access information about whether the user is home and receive data from other devices connected to the same Wi-Fi network [8]. To minimize the impact of attacks on IoT devices in smart building environments, it is important to carefully monitor and control the data packets transmitted over the network. For example, it may be advisable to prevent the thermostat from sending control commands to the building automation system.


2. A privilege escalation vulnerability in HVAC systems with a HMI allows an attacker to remotely control the system, potentially posing threats to human life.

Heating, ventilation, air conditioning, and cooling (HVAC) systems are commonly used in hospital buildings, hotel buildings, retail buildings, and office buildings to control indoor temperatures. TXOne Networks research team examined the HVAC systems of various brands and found that many of them have human-machine interfaces (HMIs) that can be accessed over the network and are vulnerable to attacks such as credential leakage and privilege escalation [9]. For instance, in July 2021, we discovered that the Mitsubishi Electric Air Conditioning System’s web service had improperly implemented authentication algorithms, allowing attackers to escalate privileges and impersonate administrators to tamper with system configurations [10]. Additionally, in smart building environments, HVAC systems are often connected to other building systems and networked devices, providing more opportunities for attackers to remotely compromise HVAC systems. Depending on the type of building, this could potentially pose a threat to the safety of personnel and others within the building.


3. The OT protocol used by many buildings lacks security features, providing attackers with opportunities for packet sniffing and even tampering with key operating instructions.

Common OT communication protocols used in buildings include BACnet, Modbus, and KNX, and, like many old OT environments, they have numerous vulnerabilities that can be exploited through DoS or spoofing attacks. For example, while the building industry is gradually adopting BACnet Secure Connect (BACnet/SC) to improve network security in buildings, many legacy building systems still use outdated communication protocols due to the long service life of OT environments, providing attackers with the opportunity to intercept and tamper with key operating instructions. Additionally, in building environments with large numbers of deployed IoT devices, cost-cutting measures may lead to the use of Low Power Wide Area Networks (LPWANs), which are vulnerable to a range of attacks despite using simple encryption techniques. Research presented at the IOP Conference demonstrated that attackers could perform attacks such as Jamming, Replay, and Wormhole on LPWANs using LoRaWAN as an example [11].


4. Human error can be difficult to control, providing attackers with opportunities to compromise building systems through phishing, watering hole attacks, or ransomware attacks.

Although smart buildings have highly automated control capabilities, the system still needs to invest in human managers for auxiliary work. However, due to the wide range of industries involved in smart buildings, it is difficult to have personnel follow comprehensive information security regulations, so the system is prone to exposing the entire building to threats due to personnel errors. Intelligent Buildings pointed out that about 90% of their building system servers have been connected to email, social media and other websites for personal use[12], which gives attackers the opportunity to use phishing, watering hole attacks, or extortion software attacks and other methods to invade the building system, causing the security of smart buildings to collapse. In addition, smart building environments also face challenges in managing resident endpoint devices. If these devices are used on an unsecured network, they could potentially become infected and expose the entire smart building where the resident lives or works.

The adoption of cross-platform cloud solutions by BAS systems creates opportunities for attackers to exploit flaws in IoT communication protocols to attack building systems.

As the Internet of Things continues to thrive in smart buildings, BAS systems are increasingly adopting cross-platform cloud solutions. For example, some BAS systems use MQTT to transmit information collected from the control system and internal building information to the cloud for analysis, and automatically provide the best system control [13]. MQTT is a communication protocol based on the principle of publishing messages and subscribing to topics, so subscribers do not know who is publishing the message. This means that if attackers can access the network and publish messages to existing topics, they can easily tamper with or overwrite the original information, causing the building system to exhibit unsafe behaviors [14].



How to Mitigate Potential Threats to the Smart Buildings Industry

From the above analysis of potential threats, it is clear that smart buildings rely heavily on numerous IoT devices and lack proper management of endpoint devices used by personnel. Thus, TXOne Networks recommends that all industries implement complete visibility and security controls for their building automation systems to prevent attackers from executing catastrophic cyber attacks on buildings and disrupting industry operations:


1. Ensure that the IT network does not become an avenue for attackers to gain access to the BAS network and vice versa.

To ensure the security and reliability of the building automation network, it should be operated on a separate OT network infrastructure and isolated from IT networks. As an example, the router used for maintaining the building automation system should not have open and unprotected ports, such as HTTP, facing the Internet or other external networks. If external network access is necessary, a firewall should be configured for protection and a VPN should be set up for remote access. However, to further enhance network segmentation and provide in depth defense, it is advisable to adopt the concept of “Zones” and “Conduits” as outlined in the IEC62443 standard. A “security zone” refers to a group of physical or logical assets with shared security requirements and defined boundaries. The connections between these zones, known as “conduits”, should be equipped with security measures to control access, prevent denial of service attacks, shield vulnerable systems in the network, and maintain the integrity and confidentiality of communication.


2. It is advisable to restrict communication channels, establish secure communication and secure configuration through a trusted network list.

To prevent unauthorized or unsecured communications, we recommend disabling unsecured network protocols, deactivating unnecessary network services, and refusing to forward packets from unknown sources. Organizations can implement network policies with trust lists to effectively manage trusted communications and device access within their operational technology (OT) networks. Each zone should use a filter table to block IP addresses that should not be connected to the zone and prevent unauthorized BACnet/KNX and other equipment from accessing the BAS system. The OT zero trust network policies can detect abnormal communication patterns, unauthorized commands, and out-of-range values in critical assets. These abnormalities may include failed access attempts, changes to access privileges, and malicious port scanning, among others.


3. With enhanced visibility into BAS networks, organizations can fully identify attack vectors and shadow OT devices.

Security breaches often result from operational security issues that go undetected by managers, such as device vulnerabilities, misconfigurations, policy violations, weak security controls, and unauthorized changes. Organizations can implement a centralized management platform that can provide a comprehensive view of BAS network activity, enabling managers to examine the details of all BAS assets installed in the BAS environment and their connections, including devices behind BACnet gateways. Enhancing cybersecurity visibility enables managers to monitor the cybersecurity status of critical equipment continuously, ideally generating security alarms, trust lists of asset equipment, and suspicious event activities automatically. This facilitates the management of equipment changes, network configuration changes, attack vector identification, and blind spot identification.





[1] Michael Chipley, Tim Conway, “Next-Generation Cybersecurity for Buildings”, SANS Institute, Oct 2021, Accessed Dec 4 2022

[2] Office of Energy Efficiency and Renewable Energy, “Grid-interactive Efficient Buildings”, Office of Energy Efficiency and Renewable Energy, Apr 2019, Accessed Dec 4 2022

[3] Andorix, “Managed Network Services for IoT”, Andorix, Accessed Dec 4 2022

[4] Chris Beh, “Smart & Intelligent Buildings: Cyber Security Considerations”, Marsh, Nov 23 2022, Accessed Dec 4 2022

[5] Alina Matyukhina, “BACnet/SC- making building technologies as secure as internet banking”, Ingenuity, Aug 5 2020, Accessed Dec 4 2022

[6] Software Testing Help, “18 Most Popular IoT Devices In 2022 (Only Noteworthy IoT Products)”, Software Testing Help, Oct 25 2022, Accessed Dec 4 2022

[7] Neil J. Rubenking, “Exclusive: August Smart Lock Flaw Opens Your Wi-Fi Network to Hackers”, PCMag, Aug 10 2020, Accessed Dec 4 2022

[8] Aaron Tilley, “How Hackers Could Use A Nest Thermostat As An Entry Point Into Your Home”, Forbes, Mar 6 2015, Accessed Dec 4 2022

[9] Chizuru Toyama, Canaan Kao, “Occupy the HVAC system”, CYBERSEC 2022, Sep 21 2022, Accessed Dec 4 2022

[10] Chizuru Toyama, “Mitsubishi Electric Air Conditioning System”, CISA, Jul 1 2021, Accessed Dec 4 2022

[11] Smilty Chacko, Deepu Job, “Security mechanisms and Vulnerabilities in LPWAN”, IOP Conference, Apr 2018, Accessed Dec 4 2022

[12] Intelligent Buildings, “Smart Building Management System Cybersecurity”, Intelligent Buildings, Accessed Dec 4 2022

[13] Pom-huei Chen, “CTCI’s Three Intelligent Solutions: A New Model of Innovative Intelligent Buildings”, Accessed Dec 4 2022

[14] TXOne Networks Blog, “MQTT Series #2: Potential risks of exposed MQTT brokers”, TXOne Networks, Jan 2 2020, Accessed Dec 4 2022

TXOne image

Need assistance?

TXOne’s global teams are here to help!

Find support