BMS cybersecurity is no longer a technical afterthought. As smart buildings become fully connected digital environments, their Building Management Systems are now part of the organisation’s operational technology footprint and, by extension, part of its attack surface. Heating, ventilation, access control and safety systems are no longer isolated mechanical functions. They are networked, remotely accessible and increasingly exposed. Without a clear BMS cybersecurity strategy, these systems can become the weakest link in an otherwise mature security posture, creating operational disruption, regulatory exposure and reputational risk.
Many organisations still treat BMS cybersecurity as a secondary technical concern rather than a strategic operational priority. That assumption creates blind spots. A building management system that is connected but not monitored introduces exposure at the infrastructure level. Effective BMS cybersecurity means understanding what devices are connected, who can access them and how they interact with the broader OT environment.
Most BMS installations operate as part of the building’s operational technology (OT), not traditional IT. That means they are often managed separately, with little integration into the organisation’s broader cybersecurity strategy. And that is a problem.
As these systems become more connected, they also become more exposed. Many building operators remain unaware that their BMS infrastructure is now a target and increasingly in scope of cybersecurity regulations like the EU’s NIS2 Directive.
While legal accountability under NIS2 sits with executive leadership, the daily responsibility for keeping these environments secure often falls to operations, IT and facility teams.
In this article, we look at why BMS environments are often overlooked, what makes them vulnerable and how to strengthen their cyber resilience without disrupting daily operations.
Buildings are now digital ecosystems
Gone are the days when a building’s infrastructure was purely mechanical. Today’s smart buildings rely on a network of connected devices and systems that communicate in real time. A typical BMS controls:
- HVAC (heating, ventilation, air conditioning)
- Lighting and energy management
- Physical access (doors, elevators, barriers)
- Fire detection and safety systems
- Occupancy and environmental sensors
- Video surveillance and intercoms
Most of these are controlled via IP-based protocols, integrated into building networks or accessible remotely for efficiency. In short, your building has become a digital ecosystem, and that means it is also part of your attack surface.
Why BMS cybersecurity is often overlooked
The core issue is not a lack of technology but a lack of ownership. When BMS cybersecurity does not clearly belong to either IT or OT leadership, accountability becomes fragmented. Without defined governance, BMS cybersecurity controls are rarely tested, logged or reviewed at the same frequency as other operational systems.
There are a few common reasons why BMS falls through the cracks in cybersecurity planning:
- Responsibility is fragmented: BMS is often managed by facility teams, outsourced vendors or integrators, not the internal IT or security department.
- Legacy systems are common: many systems run for 10 to 15 years and rely on outdated operating systems or unpatched software.
- Insecure protocols are still used: BACnet, Modbus and FOX lack built-in authentication or encryption and are widely used.
- Remote access is the norm: external vendors often use remote desktop tools, VPNs or cloud dashboards, sometimes without strong access control.
- Perceived as low risk: since BMS controls physical systems, not data, it is often seen as less critical, until something goes wrong.
This leads to a false sense of security. In reality, a compromise of the BMS can result in real-world disruption.
Real-world impact of BMS breaches
Several high-profile incidents have shown what can happen when attackers gain access to smart building systems:
- HVAC manipulation: attackers disable cooling in data centres or healthcare environments, causing overheating or equipment failure.
- Access control abuse: doors, gates or elevators can be unlocked or disabled, allowing unauthorised movement.
- Energy waste or downtime: systems are forced into inefficient states, increasing costs or forcing shutdowns.
- Jumping into corporate networks: BMS systems are often connected to the IT network, providing a bridge for lateral movement.
- Ransomware and disruption: operations are halted or sabotaged as part of larger extortion campaigns.
Each of these incidents illustrates the same pattern. The attacker did not target the building system because it was valuable on its own. It was targeted because BMS cybersecurity controls were weak or absent. When monitoring, segmentation and authentication are insufficient, the building becomes an entry point rather than a protected asset.
BMS is part of your OT and needs to be treated as such
Cybersecurity strategies often separate IT (information technology) and OT (operational technology). BMS clearly belongs in the OT category: it controls physical processes using networked systems. But it is often ignored in both IT and OT strategies.
This gap in ownership leads to risks not being managed or even identified. And as buildings become smarter and more connected to other systems like energy grids, logistics flows or healthcare networks, the potential impact increases.
Treating BMS as part of your OT network means giving it the same level of attention and protection as your industrial control systems or factory automation.
What does NIS2 mean for smart buildings?
NIS2 applies to essential and important entities in critical sectors. That includes energy, water, health, public administration and digital infrastructure, as well as many private operators of public or strategic facilities.
Regulatory pressure is accelerating the need for structured BMS cybersecurity governance. Even if smart buildings are not explicitly mentioned in legislation, regulators increasingly expect demonstrable BMS cybersecurity measures where physical systems impact health, safety or continuity.
If your building is part of:
- A hospital, clinic or elderly care centre
- A government or judicial building
- An airport, data centre or telecom facility
- A high-volume logistics or transport hub
- A smart campus or research facility
… then NIS2 is likely relevant to your organisation.
Even if your company is not legally responsible, service providers, property managers and integrators are now expected to demonstrate cybersecurity controls, supply chain responsibility and incident readiness. That means you will need to prove what you are doing or risk being removed from the value chain.
Signs your BMS might be at risk
You do not need a breach to take action. Look for these common warning signs in your building environment:
- No up-to-date inventory of BMS components
- Shared or default passwords still in use
- Unmonitored remote access by external vendors
- BMS servers running outdated or unsupported OS versions
- Network segmentation between BMS and IT is missing or weak
- No anomaly detection or log monitoring in place
- No involvement of security teams in BMS-related projects
These risks are not theoretical. Attackers actively scan the internet for exposed building systems and weak access points, especially in sectors like real estate, hospitality, healthcare, public buildings and logistics.
The rise of regulation and liability
Cyber incidents in physical infrastructure now attract regulatory attention. Laws and directives across Europe, including the EU’s NIS2 Directive, are raising the bar for cyber risk management.
While BMS may not always be the focus, organisations are now expected to:
- Demonstrate visibility and control over connected systems
- Manage third-party access and supply chain risk
- Report major cyber incidents within strict timeframes
- Protect systems essential to health, safety and continuity
These responsibilities fall under Article 21 of the NIS2 Directive, which outlines technical and organisational measures for cybersecurity. If your organisation is covered by the directive and fails to act, you may face financial penalties and personal liability for leadership.
What you can do
You do not need to replace your BMS or pause your building operations, and improving BMS cybersecurity does not require a complete infrastructure overhaul. It requires visibility, segmentation and coordinated oversight. A few practical steps go a long way in reducing risk and increasing visibility, and by treating BMS cybersecurity as part of your OT security architecture, risk can be reduced without disrupting daily building operations.
1. Start with a passive scan
Use passive, non-intrusive monitoring tools that can detect all connected systems, IP addresses and protocols without affecting uptime. This creates a baseline of what is really in use.
2. Map access and connectivity
Document how internal staff and external vendors access the system. Review VPNs, remote desktop tools, cloud portals and physical connections. Who can access what, and how is that access controlled?
3. Remove default credentials
This simple step is often overlooked. Change factory passwords and avoid shared accounts. Enforce role-based access.
4. Segment networks
BMS systems should be isolated from the main business network and only communicate with authorised endpoints.
5. Monitor for anomalies
Install monitoring that understands OT protocols and behaviour. Anomaly detection can spot misuse or attack patterns early.
6. Bring IT and facilities together
Build a joint process between your cybersecurity, IT and facility management teams. Clarify who is responsible for monitoring, patching and responding to incidents.
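The following is an added example, not code from this article or from Nautilus, showing in Python what steps 1, 4 and 5 above look like in practice, and why the protocol point made earlier matters: a Modbus/TCP request header carries no credential at all, so the only things standing between a host and a controller write are the network boundary and whoever is watching it. The script passively derives an asset inventory from flow records, decodes the Modbus function code to tell reads from writes, and flags traffic that crosses the BMS segment or writes to a controller from a host that is not an engineering station. The addresses, the engineering host, the segment range and the flow records are all constructed for the example; the port numbers (Modbus/TCP 502, BACnet/IP 47808, Niagara Fox 1911 and 4911) and the Modbus function codes are the standard ones.

```python
"""Passive BMS inventory and anomaly flagging over constructed flow records.

Added illustration for the article's steps 1, 4 and 5; not the article's or
Nautilus's code. Addresses and flows below are constructed, not captured.
"""
from collections import defaultdict
import ipaddress
import struct

# Well-known ports for the protocols named in the article. Modbus/TCP has no
# authentication field at all; classic BACnet/IP and Fox (1911) carry none either.
PROTO_BY_PORT = {
    502: "Modbus/TCP",
    47808: "BACnet/IP",
    1911: "Niagara Fox",
    4911: "Niagara Fox (TLS)",
}

# Modbus function codes that change controller state (coil/register writes).
MODBUS_WRITE_FUNCS = {5, 6, 15, 16}

# Assumed segmentation plan for this example: one BMS VLAN and one engineering host.
BMS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.0.10")}


def parse_modbus_tcp(payload: bytes):
    """Decode the MBAP header and function code of a Modbus/TCP request.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1),
    followed by the PDU whose first byte is the function code. Note what is
    absent: no credential and no signature, so nothing ties a write to a sender.
    """
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return None
    func = payload[7]
    return {"transaction": tid, "unit": unit, "function": func,
            "write": func in MODBUS_WRITE_FUNCS}


def build_inventory(flows):
    """Step 1: which hosts speak which BMS protocols, derived without probing."""
    inventory = defaultdict(set)
    for src, dst, dport, _payload in flows:
        proto = PROTO_BY_PORT.get(dport)
        if proto:
            inventory[dst].add(proto)               # the device answering on that port
            inventory[src].add(proto + " client")   # whoever is talking to it
    return {host: sorted(protos) for host, protos in inventory.items()}


def find_anomalies(flows):
    """Steps 4 and 5: flag segment-boundary crossings and controller writes
    from any host that is not an engineering station."""
    findings = []
    for src, dst, dport, payload in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        bms_proto = PROTO_BY_PORT.get(dport)
        if bms_proto and s not in BMS_SEGMENT and s not in ENGINEERING_HOSTS:
            findings.append(("external_bms_access", src, dst, bms_proto))
        if s in BMS_SEGMENT and d not in BMS_SEGMENT:
            findings.append(("segment_egress", src, dst, dport))
        if dport == 502:
            req = parse_modbus_tcp(payload)
            if req and req["write"] and s not in ENGINEERING_HOSTS:
                findings.append(("modbus_write_unexpected_source", src, dst, req["function"]))
    return findings


def modbus_request(func, *words):
    """Build a constructed Modbus/TCP request (transaction 1, unit 1)."""
    pdu = bytes([func]) + b"".join(struct.pack(">H", w) for w in words)
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, 1) + pdu


# Constructed flow records: (source, destination, destination port, payload).
SAMPLE_FLOWS = [
    ("10.20.0.10", "10.20.0.51", 502, modbus_request(3, 0, 10)),        # engineering host reads registers
    ("10.20.0.10", "10.20.0.51", 502, modbus_request(6, 100, 215)),     # engineering host writes a setpoint
    ("192.168.50.77", "10.20.0.51", 502, modbus_request(6, 100, 400)),  # office-network host writes a setpoint
    ("10.20.0.52", "10.20.0.51", 47808, b""),                           # BACnet between two controllers
    ("10.20.0.53", "192.168.50.5", 445, b""),                           # controller reaching into the IT network
]

if __name__ == "__main__":
    for host, protos in sorted(build_inventory(SAMPLE_FLOWS).items()):
        print(host, protos)
    for finding in find_anomalies(SAMPLE_FLOWS):
        print(*finding)
```

Run against the constructed flows, the inventory shows 10.20.0.51 answering both Modbus/TCP and BACnet/IP, and three findings come out: the office-network host reaching a BMS port, the same host issuing a register write, and a controller opening a connection into the IT network. In a real deployment the flow records would come from a span port or tap rather than a list, the segment range and engineering hosts would come from the documentation produced in step 2, and the findings would feed a SIEM so that step 6 has something concrete to assign.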
How Nautilus can help
At Nautilus, we help organisations secure their OT environments, including smart buildings and BMS systems.
With our platform, you gain:
- Full visibility of your BMS and OT network
- Passive asset discovery and protocol identification
- Risk scoring and anomaly detection
- Financial risk insights tied to operational disruptions
- Executive-level reporting to support strategic decisions
- Integration with your existing tools or SIEM platform
We can integrate with your existing BMS setup, adding a cybersecurity layer on top of your managed IP assets without interfering with how your building is already run.
Whether you manage a single smart facility or an entire real estate portfolio, we help you turn building visibility into building resilience.
Want to find out how secure your building systems really are?
Ultimately, BMS cybersecurity is about resilience. Smart buildings are operational assets, and protecting them demands the same structured approach applied to industrial control systems. Organisations that invest early in BMS cybersecurity reduce regulatory exposure, operational downtime and financial risk.
Schedule a baseline assessment or get in touch:
jeroen@nautilus-ot.com