New Claroty Research Unveils Alarming Vulnerabilities in Building Automation Systems

Claroty's New Research on Building Management Systems Security
Claroty recently released a comprehensive report analyzing the security vulnerabilities present in building management systems (BMS) and building automation systems (BAS). This investigation, conducted by the company's research team, Team82, covered nearly half a million building management systems across over 500 cyber-physical systems (CPS) organizations. The results are alarming and indicate that these vulnerabilities pose serious risks that require immediate attention.

According to the findings, a staggering 75% of the organizations surveyed have BMS affected by known exploited vulnerabilities (KEVs). Further analysis found that 51% of these organizations have BMS devices carrying ransomware-linked vulnerabilities that are also insecurely connected to the internet. Shockingly, 2% of the devices within these organizations are subject to both of these high-risk conditions at once, meaning that critical systems essential for operations are precariously vulnerable to cyberattacks.

Given the pivotal role of BMS in sectors like commercial real estate, retail, hospitality, and critical data centers, these vulnerabilities can provide adversaries with convenient access points. The potential for operational disruptions from attacks on HVAC, lighting, energy systems, elevators, and security measures is significant, highlighting an urgent need for improved protective measures.

Grant Geyer, Chief Strategy Officer at Claroty, remarked, “BMS and BAS are often integrated into networks without adequate consideration for cybersecurity risks. The efficiency and convenience gained must not come at the cost of serious vulnerabilities, especially for systems required to function without interruption, such as data center cooling systems or refrigeration in retail.”

Digital transformation initiatives can exacerbate these challenges, as organizations increasingly connect BMS to networks for operational efficiency, analytics, and remote management. However, this trend can also lead to greater exposure to threats if cybersecurity measures are not adequately implemented. Claroty's report emphasizes the importance of understanding the full context of BMS and BAS components when evaluating their security posture and potential operational impacts.

Organizations must adopt exposure management-centric approaches as they secure their systems, allowing for the prioritization of the most significant risks. This enables companies to separate critical systems from those that are less essential, optimizing the use of time and resources for risk management.
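The prioritization the paragraph describes can be made concrete by scoring each BMS asset on the same three conditions the report counts (a KEV-listed vulnerability, a ransomware-linked vulnerability, and insecure internet exposure) together with whether the asset must run without interruption. The following is an added example, not Claroty's code or the report's methodology; the inventory is constructed, and the field names and tier rules are assumptions chosen for illustration.

```python
"""Exposure-based triage of building-management assets.

Added example; not Claroty's code or the report's scoring method. The
inventory is constructed. The three flags mirror the conditions the report
counts: a KEV-listed vulnerability, a ransomware-linked vulnerability and
insecure internet exposure. Field names and tier thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    org: str
    name: str
    kind: str                # e.g. "hvac", "lighting", "cooling"
    critical: bool           # must run without interruption (cooling, refrigeration)
    has_kev: bool            # carries a vulnerability on the CISA KEV list
    ransomware_linked: bool  # vulnerability known to be used by ransomware operators
    internet_exposed: bool   # reachable from the internet without a secure gateway


# Constructed sample inventory: three organizations, five devices (not real data).
INVENTORY: List[Asset] = [
    Asset("org-a", "dc-chiller-1", "cooling", True, True, True, True),
    Asset("org-a", "lobby-lights", "lighting", False, True, False, False),
    Asset("org-b", "store-fridge-3", "refrigeration", True, False, True, True),
    Asset("org-b", "elevator-ctl", "elevator", True, False, False, False),
    Asset("org-c", "hvac-north", "hvac", False, False, False, False),
]


def tier(a: Asset) -> int:
    """Lower tier = remediate first.

    Tier 0: ransomware-linked AND internet-exposed AND critical to operations.
    Tier 1: ransomware-linked AND internet-exposed, or KEV AND internet-exposed.
    Tier 2: KEV or ransomware-linked vulnerability, but not reachable from the internet.
    Tier 3: none of the tracked conditions.
    """
    exposed_and_ransomware = a.ransomware_linked and a.internet_exposed
    if exposed_and_ransomware and a.critical:
        return 0
    if exposed_and_ransomware or (a.has_kev and a.internet_exposed):
        return 1
    if a.has_kev or a.ransomware_linked:
        return 2
    return 3


def prioritize(assets: List[Asset]) -> List[Asset]:
    """Remediation queue: by tier, then critical assets first, then by name."""
    return sorted(assets, key=lambda a: (tier(a), not a.critical, a.name))


def org_metrics(assets: List[Asset]) -> Dict[str, float]:
    """Share of organizations with at least one asset matching each condition,
    the same organization-level view the report uses for its headline figures."""
    orgs = {a.org for a in assets}

    def pct(pred) -> float:
        hit = {a.org for a in assets if pred(a)}
        return round(100.0 * len(hit) / len(orgs), 1)

    return {
        "orgs_with_kev": pct(lambda a: a.has_kev),
        "orgs_with_ransomware_and_internet": pct(
            lambda a: a.ransomware_linked and a.internet_exposed
        ),
    }


def device_metrics(assets: List[Asset]) -> float:
    """Share of all devices that are ransomware-linked and internet-exposed."""
    high = sum(1 for a in assets if a.ransomware_linked and a.internet_exposed)
    return round(100.0 * high / len(assets), 1)


if __name__ == "__main__":
    for a in prioritize(INVENTORY):
        print(f"tier {tier(a)}  {a.org:6} {a.name:16} critical={a.critical}")
    print(org_metrics(INVENTORY))
    print(f"devices ransomware-linked and internet-exposed: {device_metrics(INVENTORY)}%")
```

On the constructed inventory the two critical, internet-exposed devices with ransomware-linked vulnerabilities (the data-center chiller and the store refrigeration controller) land at the top of the queue, while the KEV-affected lighting controller that is not reachable from the internet is deferred behind them. Separating the organization-level and device-level percentages matters because, as the report's own numbers show, a condition present in most organizations can still apply to only a small fraction of devices.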

The report advocates for a tailored security framework that can offer a clear picture of an organization’s security status to decision-makers and asset owners. Having such insights allows for more informed actions concerning cybersecurity. By creating corrective plans that are readily understandable to executives and actionable for risk management teams, organizations can effectively mitigate risks related to their BMS and BAS.

As buildings embrace smart technologies, the need for robust cybersecurity frameworks becomes increasingly pressing. Organizations that proactively seek to understand the security implications of their BMS will be better positioned to safeguard their operations and avert the disruptive consequences of cybersecurity failures.

For further details and recommendations, stakeholders are encouraged to download the full report, "State of CPS Security 2025 Building Management System Exposures." This document contains extensive analysis and insights into current vulnerabilities and best practices for securing building management systems.

Conclusion
The findings from Claroty serve as a crucial wake-up call for businesses using BMS and BAS technologies. The imperative to secure these systems cannot be overstated, as reliance on digital solutions grows in tandem with advancing threats in the cybersecurity landscape. Thus, dedication to cybersecurity must be an ongoing priority for organizations aiming to protect their critical operational infrastructure.
