Regulating Operational Technology Beyond Critical National Infrastructure
This talk explores the security risks associated with non-critical operational technology (OT) systems, such as fire alarms and elevators, which are often overlooked by current regulatory frameworks. It highlights how these systems, despite not being classified as critical national infrastructure, can be exploited to cause physical harm or safety incidents. The speaker emphasizes the need for better security standards in non-CNI OT environments, noting that current regulations primarily focus on health and safety rather than cybersecurity. The presentation concludes by discussing the potential for applying lessons from CNI regulation to these broader, often neglected, industrial and building control systems.
Beyond the Power Grid: Why Your Next Target Should Be the Building Management System
TLDR: Operational Technology (OT) security is often conflated with massive, air-gapped critical infrastructure, but the real risk for many researchers lies in the ubiquitous, poorly secured OT systems found in everyday buildings. A recent look at CVE-2025-46352 reveals how hardcoded credentials in fire alarm panels can lead to remote control and physical safety hazards. Pentesters should start auditing these systems during physical security assessments, as they are frequently overlooked by both IT and facilities management.
Most security professionals view Operational Technology through the lens of high-stakes, nation-state-level threats. We think of centrifuges, power grids, and massive water treatment facilities. This narrow focus creates a massive blind spot. While we are busy hunting for vulnerabilities in cloud infrastructure or enterprise web applications, the fire alarm panel in the lobby of your office building is likely running a VNC server with hardcoded credentials. These systems are not just "IT-adjacent"—they are the physical nervous system of our buildings, and they are currently being deployed with the same security maturity as a cheap smart lightbulb.
The Reality of Non-CNI OT
Operational Technology encompasses any hardware or software that monitors or controls physical processes. When we talk about Critical National Infrastructure (CNI), we are talking about systems where a compromise leads to loss of life or massive economic collapse. However, the vast majority of OT exists outside this definition. We are talking about elevators, HVAC systems, door access controllers, and fire safety systems.
These systems are rarely air-gapped. They are increasingly connected to building networks to allow for remote maintenance and monitoring. The problem is that these devices are designed for a 20-year lifecycle, not for the modern threat landscape. They prioritize availability above all else, often at the total expense of identification and authentication (the OWASP "Identification and Authentication Failures" category). If a fire alarm panel needs to be available to trigger an evacuation, the manufacturer assumes that security controls, such as complex password rotation, are just obstacles to that availability.
Exploiting the "Invisible" Infrastructure
The recent disclosure of CVE-2025-46352 is a perfect case study. The CS5000 Fire Panel was found to contain a hardcoded password for its integrated VNC server. Because the password is hardcoded in the binary, it cannot be changed by the end user. An attacker with network access to the panel can use a standard VNC client to gain full remote control of the interface.
# Example of a basic VNC connection attempt
vncviewer <target_ip_address>
Once inside, the attacker isn't just looking at logs. They can manipulate the panel's state. They can trigger false alarms, which, in a large building, causes immediate, chaotic evacuations. More dangerously, they can disable the detection devices entirely. If a real fire occurs while the panel is compromised or in a non-functional state, the system fails to alert occupants. This isn't just a data breach; it is a direct threat to physical safety.
Why Pentesters Need to Pivot
During a standard penetration test, we often stop at the edge of the corporate network. We might scan for open ports, find a web interface, and move on if it doesn't look like a standard server. We need to change this. When you are on-site, look for the "boring" hardware. If you see a network jack in a mechanical room or a dedicated VLAN for "Facilities," that is your target.
These systems often use common protocols like Modbus or BACnet, but they also frequently expose management interfaces like HTTP or VNC. Because these devices are rarely updated, they are often vulnerable to well-known exploits that have been patched in the IT world for years. If you find a device, check the manufacturer's official security advisories for the specific model. You will often find that the "patch" is simply a recommendation to "restrict network access," which is a polite way of saying the device has no internal security.
The Defensive Gap
Defending these systems is difficult because they fall into a regulatory gray area. While CNI is governed by strict frameworks like the NIS Directive, non-CNI OT is usually only subject to general health and safety regulations. These laws were written in an era where "security" meant a physical lock on a door, not a firewall rule.
Facilities managers are not security engineers. They are focused on keeping the building running. If you are working with a client, the most effective defensive step is network segmentation. These devices should never be reachable from the corporate network, let alone the internet. If they must be managed remotely, they should be behind a VPN with multi-factor authentication.
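The segmentation rule above is only as good as the ability to notice when it is broken. The following is an added example, not code from the talk or the post's author: a small flow-log check that flags any session reaching the building-control VLAN on one of the management and control ports mentioned earlier (VNC, HTTP/HTTPS, Modbus/TCP, BACnet/IP) unless it originates from the approved VPN jump host or from another controller inside the same VLAN. The address ranges, the jump host, the record format and the sample flows are all constructed for this example.

```python
import ipaddress
from collections import namedtuple

# Hypothetical addressing, constructed for this example: the building-control
# VLAN holding the fire panel and BACnet controllers, and the single VPN
# jump host (behind MFA) that is allowed to manage it.
FACILITIES_NET = ipaddress.ip_network("10.50.0.0/24")
APPROVED_SOURCES = (ipaddress.ip_network("10.10.1.5/32"),)

# Well-known ports of the management and control services the post mentions.
OT_SERVICES = {
    ("tcp", 5900): "VNC",
    ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS",
    ("tcp", 502): "Modbus/TCP",
    ("udp", 47808): "BACnet/IP",
}

Flow = namedtuple("Flow", "ts src dst proto dport")


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src> <dst> <proto> <dport>'."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"unexpected flow record: {line!r}")
    ts, src, dst, proto, dport = parts
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def classify(flow):
    """Return the OT service name if this flow breaks the segmentation
    policy, otherwise None. Controllers talking to each other inside the
    facilities VLAN (e.g. panel-to-panel Modbus) are expected and ignored."""
    if flow.dst not in FACILITIES_NET:
        return None
    service = OT_SERVICES.get((flow.proto, flow.dport))
    if service is None:
        return None
    if flow.src in FACILITIES_NET:
        return None
    if any(flow.src in net for net in APPROVED_SOURCES):
        return None
    return service


def find_violations(lines):
    """Run the policy over flow records; return (ts, src, dst, service) tuples."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        service = classify(flow)
        if service is not None:
            findings.append((flow.ts, str(flow.src), str(flow.dst), service))
    return findings


# Constructed sample flow log; none of these records come from a real network.
SAMPLE_FLOWS = """\
# ts src dst proto dport
2025-06-01T08:00:01 10.10.1.5 10.50.0.20 tcp 5900
2025-06-01T08:03:12 10.20.7.44 10.50.0.20 tcp 5900
2025-06-01T08:05:40 10.20.7.44 10.20.9.10 tcp 443
2025-06-01T08:07:02 203.0.113.9 10.50.0.31 udp 47808
2025-06-01T08:09:15 10.50.0.20 10.50.0.31 tcp 502
"""

if __name__ == "__main__":
    for ts, src, dst, service in find_violations(SAMPLE_FLOWS.splitlines()):
        print(f"{ts} {src} -> {dst} {service}: not from approved jump host")
```

On the sample data the check reports two findings: a corporate workstation opening VNC to the panel, and an internet address reaching a BACnet controller. The approved jump-host session and the intra-VLAN Modbus traffic are deliberately left alone, since flagging every controller-to-controller exchange would bury the two cases that actually indicate a segmentation failure.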
We have spent decades securing the digital world while ignoring the physical one. The next time you are walking through a building, look at the sensors on the ceiling and the panels in the basement. They are part of the network, and they are waiting for someone to notice them. Don't wait for a physical safety incident to start treating these systems with the same rigor you apply to your production databases. The tools are the same, the protocols are familiar, and the impact of a successful exploit is far more tangible than a leaked database.