Building Automation System (BAS) - The Brain You Forgot To Protect
How to think about security in the building automation system you just learned to run.
2026-Insider-Volume4
This newsletter is for educational purposes only. The frameworks and thinking approaches described here are starting points for developing professional judgment, not prescriptive procedures for any specific facility or application. Adapt these thinking approaches with the appropriate engineering and operational expertise for your context.
In this issue:
The Problem with Modern BAS: Why systems designed for reliability and uptime are now vulnerable due to IP-based communication and remote access.
Security Through the Lens of the Three Layers: A framework for analyzing and responding to the fundamentally different risk profiles at the Field, Control, and Management levels of the BAS architecture.
Two Common, Non-Sophisticated Vulnerabilities: Scenarios to work through, including the dangers of persistent vendor remote access and factory-default DDC controller credentials.
Three Dangerous Pitfalls to Avoid: The assumption of an “air-gapped” system, the struggle between IT and OT ownership, and neglecting security at the Control Layer.
Three Companion Resources (Thinking Frameworks): A connected asset inventory worksheet, a vendor remote access review guide, and a network segmentation primer.
The Problem: An Architecture Built for Reliability, Not Security
Building automation systems were not designed with cybersecurity in mind.
That’s not a criticism. It’s context. When the foundational architecture of modern BAS was being developed, the engineering objectives were reliability, uptime, and precise environmental control. The systems that emerged from that era performed precisely as intended. They controlled buildings effectively, often for decades, with minimal intervention.
The problem is that the world those systems were designed for no longer exists.
Over the past fifteen to twenty years, building automation has undergone a quiet but significant transformation. The proprietary, mostly isolated networks of the early DDC era have given way to
IP-based communication,
cloud-connected management platforms, and
remote access capabilities that allow an operator to monitor a building from anywhere.
That connectivity is genuinely useful. It also introduced a risk profile that the original architects of these systems never had to consider.
The same three-layer structure that makes a modern BAS powerful also creates an attack surface. Each layer connects to the one above it. The management layer often connects to a corporate IT network. And in more cases than building operators tend to realize, that management layer has at least some path to the internet, through remote access portals, vendor connections, or integrations that were added incrementally over time.
Real incidents have made the consequences concrete.
Hospitals have lost HVAC control.
Commercial buildings have had temperature and access systems manipulated.
BAS compromises have been used as a stepping stone into broader corporate networks because the building management software happened to share network space with business systems. These are documented events, not hypotheticals.
The people maintaining and operating these systems, many of them highly skilled in controls and mechanical systems, were almost never trained to think about them as a security concern.
That’s the gap this piece is about.
