
Critically Neglected: Cybersecurity for Buildings

DEFCONConference · 431 views · 23:12 · 6 months ago

This talk explores the security vulnerabilities inherent in building automation systems (BAS) and building management systems (BMS), which are often overlooked in enterprise attack surface assessments. It highlights how these systems frequently lack basic security controls like firewalls, logging, and proper network segmentation, making them easy targets for lateral movement. The speaker demonstrates how common industrial protocols like BACnet, Modbus, and Fox are often exposed and exploited, leading to potential physical and operational impacts. The presentation emphasizes the need for better asset management, network isolation, and security budgeting for building infrastructure.

Why Your Next Pentest Should Include the Building Management System

TLDR: Building Management Systems (BMS) are the most overlooked entry point in modern enterprise networks, often lacking basic security controls like firewalls or authentication. These systems frequently expose industrial protocols like BACnet and Modbus directly to the internet, providing attackers with a clear path for lateral movement. Pentesters should prioritize identifying these assets during reconnaissance to uncover high-impact vulnerabilities that are rarely patched.

Security researchers often obsess over the latest zero-day in a web framework or a complex chain in a cloud environment, yet they ignore the physical infrastructure running the building they are sitting in. Building Management Systems (BMS) and Building Automation Systems (BAS) are essentially the nervous system of any modern facility. They control everything from HVAC and lighting to fire safety and elevator access. When these systems are misconfigured, they become a massive, unmonitored attack surface that provides a direct route into the internal network.

The Myth of the Air-Gapped Network

Many organizations operate under the dangerous assumption that their building controls are air-gapped or otherwise isolated from the corporate network. In reality, these systems are increasingly interconnected to support remote monitoring and energy efficiency goals. During a typical engagement, you will rarely find a true air gap. Instead, you will find flat networks where the BMS resides on the same segment as printers, workstations, and other IoT devices.

When you perform reconnaissance using tools like Shodan or Censys, you can often find these systems exposed directly to the internet. The protocols they use, such as BACnet, Modbus, and the Fox protocol, were designed for reliability and speed, not security. They frequently lack encryption and robust authentication, meaning that anyone who can reach the service can often read or write to the registers controlling the building's physical state.

Lateral Movement via Industrial Protocols

The real danger lies in how these systems are integrated. A BMS might be connected to the corporate network to allow facility managers to pull reports or adjust temperatures remotely. If an attacker gains a foothold on a workstation, they can scan for these industrial protocols. Because these systems often lack proper network segmentation, an attacker can move laterally from a compromised laptop to the BMS controller with minimal effort.

Once inside, the impact is not just data theft. You are looking at the potential to manipulate physical systems. An attacker could disable fire suppression, lock down access control systems, or cause significant hardware damage by forcing HVAC units to operate outside of their safety parameters. This falls squarely into the OWASP A01:2021 Broken Access Control category, as these systems often rely on default credentials or no authentication at all.

Identifying the Weakest Link

During your next engagement, do not just focus on the web applications. Start by mapping the network for non-standard ports and industrial protocols. If you find a BMS, check for default credentials and look for exposed management interfaces. Many of these devices have web-based consoles that are just as vulnerable as any other web application.

One common issue is the lack of logging. If you exploit a vulnerability in a BMS, there is a high probability that the action will go completely unnoticed by the security operations center. These systems are rarely integrated into a SIEM, which means you can perform extensive reconnaissance and exploitation without triggering a single alert.
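The gap described in the last three sections, flat networks, industrial protocols reachable from ordinary workstations, and no logging feeding the SOC, can be closed from the defensive side with a very small amount of code once flow records exist. The following is an added example, not code from the talk or from any vendor: it walks simplified flow records and flags BACnet, Modbus and Fox connections whose client is not on the list of hosts allowed to reach building controllers, whose client is not even an internal address, or whose server sits outside the segment where the inventory says controllers live. The network ranges, the allowed-client list and the log lines are all constructed for the example; the port numbers are the standard assignments for the three protocols the talk names.

```python
"""Flag industrial-protocol flows that violate a BMS segmentation plan.

Added example (not from the talk). Network ranges, the allowed-client
list and the flow records are constructed; the ports are the standard
ones: BACnet/IP on UDP 47808 (0xBAC0), Modbus/TCP on TCP 502, Niagara
Fox on TCP 1911.
"""
import ipaddress

INDUSTRIAL_PORTS = {
    ("udp", 47808): "bacnet",
    ("tcp", 502): "modbus",
    ("tcp", 1911): "fox",
}

# Constructed network plan: controllers live in 10.50.0.0/24, and only
# that segment plus one facilities jump host may initiate industrial traffic.
BMS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_CLIENTS = (
    ipaddress.ip_network("10.50.0.0/24"),
    ipaddress.ip_network("10.1.9.10/32"),  # facilities jump host
)

# RFC 1918 ranges; a client outside these reached the controller from
# the internet, which is the "exposed directly" case from the talk.
INTERNAL = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Constructed flow records in a simplified "src dst proto dport" format,
# the kind of thing a firewall or NetFlow collector can export.
SAMPLE_FLOWS = [
    "10.50.0.20 10.50.0.5 udp 47808",   # BMS workstation -> controller (expected)
    "10.1.9.10 10.50.0.7 tcp 502",      # jump host -> Modbus gateway (expected)
    "10.20.3.44 10.50.0.5 udp 47808",   # user laptop -> BACnet controller
    "10.20.3.44 10.20.3.9 tcp 1911",    # laptop -> Fox service sitting on the office VLAN
    "10.20.3.44 198.51.100.7 tcp 443",  # ordinary HTTPS, out of scope
    "203.0.113.9 10.50.0.7 tcp 502",    # non-internal host -> Modbus gateway
]


def parse_flow(line):
    """Split one 'src dst proto dport' record into typed fields."""
    src, dst, proto, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)


def check_flow(line):
    """Return a finding dict for a suspicious industrial flow, else None."""
    src, dst, proto, dport = parse_flow(line)
    protocol = INDUSTRIAL_PORTS.get((proto, dport))
    if protocol is None:
        return None  # not one of the tracked industrial protocols

    reasons = []
    if not any(src in net for net in ALLOWED_CLIENTS):
        reasons.append("client not in allowed set (possible lateral movement)")
    if not any(src in net for net in INTERNAL):
        reasons.append("client is not an internal address (controller exposed)")
    if dst not in BMS_SEGMENT:
        reasons.append("server outside BMS segment (inventory or segmentation gap)")
    if not reasons:
        return None
    return {"src": str(src), "dst": str(dst), "protocol": protocol, "reasons": reasons}


def audit(lines):
    """Run check_flow over every record and keep only the findings."""
    return [f for f in (check_flow(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(f"{finding['protocol']:7} {finding['src']} -> {finding['dst']}: "
              + "; ".join(finding["reasons"]))
```

Run against the constructed records it reports three flows: the laptop reaching a BACnet controller, the laptop talking Fox to a device that is not in the controller segment at all, and a Modbus connection from a non-internal address. Pointing the same logic at real firewall or NetFlow exports is the cheapest way to get building traffic in front of the SOC without first integrating the controllers themselves into a SIEM.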

Defensive Realities

Defending these systems requires a shift in mindset. Organizations must stop treating building infrastructure as an afterthought. The first step is to implement strict network segmentation, ensuring that BMS traffic is isolated from the rest of the enterprise. If remote access is required, it must be handled through a secure VPN or a zero-trust architecture, never by exposing the controller directly to the internet.

Furthermore, asset management is critical. You cannot secure what you do not know exists. Every organization should maintain an accurate inventory of its building automation hardware, including the firmware versions and the vendors responsible for maintenance. When a vulnerability is disclosed, you need to know immediately whether your facility is at risk and whom to call to get it patched.
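The "know immediately" part only works if the inventory can be queried mechanically. Below is an added example, not from the talk or any vendor, of the check a facilities or security team would run when an advisory lands: match inventory rows against the advisory's vendor and product, compare firmware versions against the fixed release, and report who maintains each affected device. The inventory rows, the vendor and product names and the advisory itself are constructed placeholders; the one edge case worth handling is a device whose firmware version was never recorded, which is reported as affected until someone verifies it rather than silently dropped.

```python
"""Match a building-automation inventory against a vendor advisory.

Added example (not from the talk). Every vendor, product, version and
maintainer below is constructed; the advisory id is a placeholder.
"""

INVENTORY = [
    {"device": "AHU-1 controller", "vendor": "ExampleVendor",
     "product": "ExampleController", "firmware": "4.1.7",
     "maintainer": "hvac-contractor@example.invalid"},
    {"device": "AHU-2 controller", "vendor": "ExampleVendor",
     "product": "ExampleController", "firmware": "4.2.1",
     "maintainer": "hvac-contractor@example.invalid"},
    {"device": "Chiller gateway", "vendor": "ExampleVendor",
     "product": "ExampleController", "firmware": "",      # never recorded
     "maintainer": ""},                                   # nobody on record
    {"device": "Lighting panel", "vendor": "OtherVendor",
     "product": "LightCtl", "firmware": "2.0",
     "maintainer": "electrical@example.invalid"},
]

# Constructed advisory: all ExampleController firmware before 4.2.1 is affected.
ADVISORY = {
    "id": "ADVISORY-PLACEHOLDER",
    "vendor": "ExampleVendor",
    "product": "ExampleController",
    "fixed_in": "4.2.1",
}


def parse_version(text):
    """'4.2' -> (4, 2, 0); '4.2.1b' -> (4, 2, 1). Pads to three fields."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts) + (0,) * max(0, 3 - len(parts))


def assess(asset, advisory):
    """Return a reason string if the asset is affected, otherwise None."""
    if (asset["vendor"], asset["product"]) != (advisory["vendor"], advisory["product"]):
        return None
    firmware = asset.get("firmware", "")
    if not firmware:
        return "firmware version unknown; treat as affected until verified"
    if parse_version(firmware) < parse_version(advisory["fixed_in"]):
        return f"firmware {firmware} is below fixed version {advisory['fixed_in']}"
    return None


def at_risk(inventory, advisory):
    """List affected devices together with whom to contact about them."""
    findings = []
    for asset in inventory:
        reason = assess(asset, advisory)
        if reason is None:
            continue
        findings.append({
            "device": asset["device"],
            "reason": reason,
            "contact": asset.get("maintainer") or "NO MAINTAINER ON RECORD",
        })
    return findings


if __name__ == "__main__":
    for f in at_risk(INVENTORY, ADVISORY):
        print(f"[{ADVISORY['id']}] {f['device']}: {f['reason']} -> {f['contact']}")
```

The missing-maintainer case is reported on purpose: a controller that nobody owns is exactly the device that stays unpatched for years, and the page's point about third-party vendors is that the contact column is as much a security control as the firmware column.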

What to Do Next

Stop ignoring the building controls. The next time you are on a network, take an hour to scan for industrial protocols. You might be surprised by what you find. If you identify a BMS, document the lack of authentication and the potential for lateral movement. Your report will be far more valuable if it highlights a path to the physical infrastructure rather than just another low-risk web finding.

Ask your clients who manages their building systems and whether those vendors have remote access. You will often find that the answer is a third-party contractor with a persistent, unmonitored connection to the network. That is your entry point. That is where the real risk lives. Start looking there, and you will find that the most critical vulnerabilities are often the ones that have been hiding in plain sight for years.

Talk Type: talk
Difficulty: intermediate
Category: iot security
Tags: Has Demo · Has Code · Tool Released


DC33 ICS Village Talks (10 talks · 2025)