Claroty detects widespread cyber risks in building management systems, including ransomware-linked KEVs


New research from Claroty reveals alarming security risks across building management systems (BMS) and building automation systems (BAS), including widespread Known Exploited Vulnerabilities (KEVs), some tied to active ransomware campaigns, and unsecured internet-facing interfaces that leave these environments highly exposed.

While BMS and BAS platforms play a vital role in tracking energy usage, meeting environmental regulations, and supporting sustainability goals, their integration also introduces serious security gaps. Many organizations are leveraging these systems to drive operational efficiencies and reduce utility costs across distributed sites, but without proper security controls, the same systems pose a growing threat to business continuity and physical infrastructure.

Titled ‘State of CPS Security 2025: Building Management System Exposures,’ the Claroty Team82 report analyzes nearly half a million BMS across more than 500 CPS organizations, finding that 75 percent of organizations have BMS affected by KEVs. Digging deeper into KEV-affected organizations, 69 percent have devices with confirmed KEVs previously used in ransomware attacks.

Additionally, 51 percent are exposed to KEVs that are not only linked to ransomware but are also insecurely connected to the internet, compounding the risk of exploitation. Within those organizations, 2 percent of devices carry that same combination of risk factors, meaning that devices essential to business operations are operating at the highest level of risk exposure.

Claroty noted that, like most OT (operational technology), some BMS devices have been in place for substantial periods and may no longer be supported by their respective vendors. As a result, some vulnerabilities in firmware or software remain unpatched because a vendor has discontinued security or feature support for legacy versions of the BMS device. 

The use of unsupported versions of Windows such as XP, 7, 8, 10, and Server 2003, to name a few, poses serious cybersecurity risks in these environments. These versions no longer receive security patches from Microsoft, so any KEVs that remain unpatched are forever-day vulnerabilities that must be mitigated using compensating controls, or by segmenting BMS away from the enterprise network in the event of an incident.

“Within our dataset, for example, 75% of organizations are managing BMS devices with KEVs,” Claroty reported. “The presence of KEVs, especially those linked to known ransomware attacks, should add a measure of urgency in terms of remediation, given that these flaws are known to have been exploited in publicly reported attacks. Insecure connectivity, meanwhile, compounds the risk given that most attackers can leverage this type of access as an initial foothold on the network.”

BMS also face significant exposure due to weak authentication and access controls. Threat actors can use tools like Shodan to identify internet-connected BMS devices, then launch brute-force dictionary attacks to gain access and attempt lateral movement into the broader enterprise network. Third-party access introduces additional risk.

Furthermore, many vendors use their own remote access technologies, which are often not enterprise-grade and may lack essential security features like multi-factor authentication. A recent Team82 report revealed that 55 percent of organizations use four or more remote access tools in their OT environments, with some deploying as many as 16, amplifying the attack surface.

Insecure connectivity is further compounded by BMS connections through open ports and unused services. These vulnerabilities are often the result of misconfigurations and are actively exploited by threat actors. Addressing them requires a thorough audit of firewall rules, enhanced logging, and tighter network segmentation to limit unauthorized access and reduce exposure.

Several high-profile cyberattacks have demonstrated how exposed BMS can be exploited with serious consequences. In 2021, two unnamed European engineering firms reported that their building automation systems were wiped after attackers exploited weaknesses in the KNX protocol, commonly used to manage lighting and HVAC (heating, ventilation, and air conditioning) systems. The attack effectively bricked the systems, rendering them inoperable.

In 2023, MGM Resorts experienced a major cyberattack in which attackers gained access to internal systems. The breach led to widespread operational shutdowns across more than 30 of its casino and hotel properties, severely disrupting business operations. Omni Hotels was targeted in 2024 in a sophisticated cyberattack that caused significant disruptions for guests, including manual check-ins, disabled room key systems, and offline Wi-Fi services. The attackers claimed to have stolen data on approximately 3.5 million guests, and the incident’s effects persisted for over a week.

Claroty concludes its research with a strong recommendation for BMS-reliant organizations to move beyond outdated vulnerability management practices. Traditional IT security frameworks often overemphasize CVSS (Common Vulnerability Scoring System) scores while ignoring other critical risk factors, such as legacy systems, unsupported software, direct internet connectivity, and weak access controls. These approaches also fail to account for business impact and operational importance, which can lead to poor prioritization and wasted remediation efforts.

To address the evolving threat landscape, organizations should adopt a continuous threat exposure management (CTEM) strategy. As defined by Gartner, CTEM enables ongoing evaluation of how accessible, exposed, and exploitable digital and physical assets are, an increasingly urgent need as building systems grow more connected and more vulnerable.

Claroty outlines a five-part framework to help organizations improve their security posture and guide risk mitigation. This includes mapping critical processes to specific device types and departments, identifying all devices and their communications, evaluating risks based on exploitability and business impact, validating the reality and reachability of exposures, and taking swift action through targeted, understandable mitigations.

The plan begins with scoping, which involves identifying critical processes by device type and department to understand operational dependencies. This is followed by discovery, where organizations catalog all devices, their attributes, and communication patterns to build a comprehensive asset inventory.

Next is prioritization, which uses a cybersecurity framework that factors in both business impact and the exploitability of identified exposures. Validation ensures that all exposures are real, externally reachable, and not just theoretical. Finally, mobilization focuses on reducing risk and securing operations through actionable mitigations and remediations that are effective and aligned with operational priorities.
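The prioritization and validation steps above, and the earlier point that CVSS-only triage ignores KEV status, ransomware linkage, internet exposure and unsupported software, can be made concrete with a small scoring script. This is an added illustration, not Claroty's tooling or scoring model; the weights, the `Device` fields and the four-device inventory are constructed assumptions.

```python
from dataclasses import dataclass

# Windows versions the article names as no longer receiving Microsoft security patches
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows 8", "Windows 10",
                  "Windows Server 2003"}

@dataclass
class Device:
    name: str
    process: str            # critical process it supports (scoping step)
    business_impact: int    # 1 (low) .. 5 (site-critical), from process mapping
    cvss: float             # highest CVSS base score among its open findings
    has_kev: bool           # at least one finding is on the CISA KEV list
    ransomware_kev: bool    # that KEV is known to have been used in ransomware
    internet_exposed: bool  # reachability confirmed by the validation step
    os: str

def exposure_score(d: Device) -> int:
    """Higher means fix first. Weights are assumptions, not Claroty's."""
    score = 0
    if d.has_kev:
        score += 40
    if d.ransomware_kev:
        score += 30  # confirmed ransomware use adds urgency
    if d.internet_exposed:
        score += 30  # initial-foothold path that compounds every other finding
    if d.os in UNSUPPORTED_OS:
        score += 20  # forever-day: no patch coming, needs a compensating control
    return score * d.business_impact  # business impact multiplies, not adds

def prioritize(devices):
    """Order by exposure score, ties broken by CVSS, highest first."""
    return sorted(devices, key=lambda d: (exposure_score(d), d.cvss), reverse=True)

def cvss_only(devices):
    """The CVSS-first ordering the report argues against, for comparison."""
    return sorted(devices, key=lambda d: d.cvss, reverse=True)

# Constructed inventory (not from the report): four devices at one site
SAMPLE_INVENTORY = [
    Device("HVAC-controller-1", "data hall cooling", 5, 7.5, True, True, True, "Windows 7"),
    Device("lighting-gw-2", "office lighting", 2, 9.8, False, False, False, "Linux"),
    Device("chiller-hmi", "data hall cooling", 4, 8.1, True, False, False, "Windows 10"),
    Device("badge-server", "physical access", 3, 6.5, True, True, False, "Windows Server 2019"),
]

if __name__ == "__main__":
    for d in prioritize(SAMPLE_INVENTORY):
        print(f"{exposure_score(d):4d}  {d.name:18s} cvss={d.cvss}")
```

On this inventory the CVSS-only ordering puts the low-impact lighting gateway first, while the exposure score puts the internet-reachable, ransomware-KEV-affected cooling controller on an unsupported OS at the top.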

The modern, risk-based approach helps security and business leaders align on cybersecurity priorities, protect smart building systems, and meaningfully reduce risk. It offers a targeted roadmap for BMS-reliant industries to build a robust exposure management program tailored to their operational realities.

Claroty believes this approach enables organizations to achieve three key outcomes that reduce risk and minimize business impact. First, it supports comprehensive CPS risk identification by providing full visibility into all assets and their exposures across IoT, OT, and BMS environments. This step helps uncover hidden risks and blind spots that might otherwise go undetected.

Second, it promotes business-centric risk assessment by evaluating exposures based on the operational importance of processes and their potential to disrupt business continuity, rather than relying solely on technical severity. Third, it enables prioritization and actionable remediation by equipping security and operations teams with validated, context-aware insights that support practical, scalable, and minimally disruptive risk reduction.
