
What BMS Is and Its Operational Scope

A Building Management System (BMS) — also called a Building Automation System (BAS) — is the control infrastructure for a building's mechanical, electrical, and life-safety systems. A typical commercial BMS integrates HVAC (heating, ventilation, and air conditioning), electrical distribution and metering, lighting control, access control and physical security, elevator systems, fire detection and suppression, and parking management into a unified monitoring and control platform. Large campuses — corporate headquarters, hospitals, universities, data centers, government facilities — may integrate hundreds of buildings and tens of thousands of control points into a single BMS network.

The scale of BMS deployment is substantial: virtually every commercial building constructed after 1990 has some level of building automation, and the trend toward smart buildings and energy management has accelerated BMS adoption and connectivity. The global BMS market is valued at approximately $12 billion and growing at 10%+ annually. Claroty's expansion into commercial building security — treating BMS as a cyber-physical system category alongside OT and IoMT — validates the market significance of building automation security.

Security Challenges Specific to BMS

BMS environments present a distinctive security challenge because they are pervasive, often poorly inventoried, and increasingly connected to enterprise networks without the security controls that govern IT connectivity. The BACnet protocol — the dominant BMS communication standard, developed in 1987 and standardized as ASHRAE 135 and ISO 16484-5 — was designed for reliability in building automation environments, not security. BACnet/IP carries no native authentication; any device that can communicate on the BACnet network can read or write values to any BACnet object, including setpoints for HVAC systems, access control parameters, and alarm thresholds.

The Target breach of 2013 established the BMS-as-entry-point attack pattern that has since become a standard reference in OT security discussions. Target's network breach was initially achieved through an HVAC contractor's credentials — the contractor used a third-party BMS management platform that had network connectivity into Target's corporate network for billing and contract management purposes. Once the attacker compromised the HVAC contractor's systems, they had a path into Target's network that led ultimately to the point-of-sale system compromise and the theft of 40 million payment card records. The attack did not require compromising any HVAC control system functionality — the BMS connection was simply a convenient and unexpected entry point.

In campus and enterprise environments, BMS networks frequently coexist with IT networks on shared infrastructure or are connected to corporate networks for facilities management, energy reporting, and remote monitoring purposes. This connectivity is often established by facilities management staff or contractors without involvement from the IT security team, and without the network architecture controls (OT DMZ, segmentation, access management) that IT security would require.

How Zero Trust Controls Apply to BMS

The foundational BMS Zero Trust control is network isolation: BMS networks must be separated from corporate IT networks. The BMS network — including HVAC controllers, lighting control panels, access control systems, and their associated wiring closet equipment — should be on a distinct, segmented network that is not directly routable from the corporate LAN. Where enterprise integration is required (energy management reporting, space management systems, facilities help desk ticketing), that integration should flow through a monitored, policy-enforced control point rather than through direct network connectivity.

Vendor and contractor remote access to BMS systems is the highest-risk identity surface. BMS maintenance is typically performed by specialist contractors — the Siemens building automation team, the Johnson Controls service organization, the local Honeywell BMS integrator — who require remote access to building systems for monitoring, troubleshooting, and programming. Replace standing VPN credentials with vendor access management: time-bounded, session-recorded, MFA-enforced access through a jump server in a BMS DMZ. The contractor never gets direct network access to the BMS network.
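The isolation and vendor-access rules above can be checked against observed traffic rather than taken on trust. The following Python example, added here and not part of the original page or any vendor product, encodes an assumed segmentation policy (corporate LAN, BMS network, a jump host and an energy-reporting collector in a BMS DMZ, all with constructed addresses) as an ordered first-match rule list with default deny, then audits constructed flow records such as a firewall or NetFlow export would yield. Any flow the policy would deny is evidence of a path that bypasses the control point.

```python
"""Audit flow records against a BMS segmentation policy (first match wins,
default deny). Subnets, hosts and flow records are constructed for this example."""
import ipaddress
from dataclasses import dataclass

BACNET_PORT = 47808                                       # BACnet/IP default UDP port (0xBAC0)
CORP_LAN = ipaddress.ip_network("10.10.0.0/16")           # assumed corporate LAN
BMS_NET = ipaddress.ip_network("10.50.0.0/16")            # assumed BMS network (controllers, panels)
JUMP_HOST = ipaddress.ip_network("10.60.0.20/32")         # assumed jump server in the BMS DMZ
ENERGY_COLLECTOR = ipaddress.ip_network("10.60.0.10/32")  # assumed policy-enforced integration point


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str      # "tcp", "udp" or "any"
    dport: int      # 0 matches any destination port
    action: str     # "allow" or "deny"

    def matches(self, src, dst, proto, dport):
        return (src in self.src and dst in self.dst
                and self.proto in ("any", proto) and self.dport in (0, dport))


POLICY = [
    Rule(CORP_LAN, JUMP_HOST, "tcp", 443, "allow"),               # operators reach the jump host only
    Rule(JUMP_HOST, BMS_NET, "tcp", 0, "allow"),                  # recorded sessions from the jump host
    Rule(BMS_NET, ENERGY_COLLECTOR, "udp", BACNET_PORT, "allow"),  # controllers report to the collector
    Rule(ENERGY_COLLECTOR, BMS_NET, "udp", BACNET_PORT, "allow"),
    Rule(BMS_NET, BMS_NET, "any", 0, "allow"),                    # controller-to-controller traffic
    Rule(CORP_LAN, BMS_NET, "any", 0, "deny"),                    # no direct corporate -> BMS routing
    Rule(BMS_NET, CORP_LAN, "any", 0, "deny"),                    # and no BMS -> corporate either
]


def evaluate(src, dst, proto, dport):
    """Return the action of the first matching rule, or "deny" when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in POLICY:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "deny"


def audit(flows):
    """flows: (src, dst, proto, dport) tuples, e.g. from a firewall or NetFlow export.
    Returns the flows the policy would deny, i.e. evidence of a segmentation gap."""
    return [f for f in flows if evaluate(*f) == "deny"]


# Constructed flow records
SAMPLE_FLOWS = [
    ("10.10.4.15", "10.60.0.20", "tcp", 443),        # operator to jump host: allowed
    ("10.60.0.20", "10.50.10.5", "tcp", 3389),       # jump host to BMS workstation: allowed
    ("10.50.10.21", "10.60.0.10", "udp", 47808),     # controller reporting to collector: allowed
    ("10.10.4.15", "10.50.10.21", "udp", 47808),     # corporate host speaking BACnet to a controller: gap
    ("10.50.10.21", "10.10.7.9", "tcp", 445),        # controller reaching into the corporate LAN: gap
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("segmentation gap:", flow)
```

Run periodically over exported flow records, the audit turns the "not directly routable" requirement into a measurable one: an empty result is the expected state, and any flagged flow points at a route, firewall rule or contractor link that was added outside the intended control point.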

Asset inventory is more challenging in BMS environments than in IT environments because BMS assets are distributed throughout building infrastructure — in ceiling plenums, electrical rooms, mechanical rooms, and field cabinets that are not routinely inventoried by IT. Passive BACnet discovery, using OT network monitoring tools that parse BACnet/IP traffic, provides an automated asset inventory that captures device types, object counts, and communication patterns without disrupting BMS operations.
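Passive BACnet discovery and the unauthenticated-write problem described under the security challenges above both come down to reading the same wire format. The following Python example, added here and not part of the original page or any OT monitoring product, parses constructed BACnet/IP datagrams following the BVLC/NPDU/APDU encoding of ASHRAE 135: it builds a device inventory from I-Am broadcasts (device instance, vendor id, maximum APDU) and raises an alert when a WriteProperty request arrives from a host outside an assumed allowlist of operator workstations. The addresses, vendor id and packet bytes are constructed for the example.

```python
"""Passive BACnet/IP inspection: build a device inventory from I-Am broadcasts
and flag WriteProperty requests from hosts that are not known operator
workstations. All addresses and packets below are constructed for this example."""
import struct

BVLC_TYPE, NPDU_VERSION = 0x81, 0x01
PDU_CONFIRMED, PDU_UNCONFIRMED = 0x0, 0x1
SERVICE_I_AM, SERVICE_READ_PROP, SERVICE_WRITE_PROP = 0, 12, 15
OBJECT_TYPE_DEVICE = 8
CONFIRMED_SERVICE_NAMES = {12: "readProperty", 15: "writeProperty", 16: "writePropertyMultiple"}

def _tag(buf, idx):
    """Decode one tag header; returns (tag_number, is_context, length, data_index)."""
    tb = buf[idx]
    number, is_context, lvt, idx = tb >> 4, bool(tb & 0x08), tb & 0x07, idx + 1
    if lvt == 5:          # extended length lives in the next byte
        lvt, idx = buf[idx], idx + 1
    elif lvt in (6, 7):   # opening / closing tag carries no data
        lvt = 0
    return number, is_context, lvt, idx

def _uint(buf, idx, length):
    return int.from_bytes(buf[idx:idx + length], "big")

def _object_id(raw):
    """BACnetObjectIdentifier = 10-bit object type, 22-bit instance number."""
    return raw >> 22, raw & 0x3FFFFF

def parse_bacnet_ip(payload):
    """Parse one BACnet/IP datagram (BVLC + NPDU + APDU) into a small dict."""
    if len(payload) < 6 or payload[0] != BVLC_TYPE:
        raise ValueError("not a BVLC frame")
    if struct.unpack("!H", payload[2:4])[0] != len(payload):
        raise ValueError("BVLC length does not match datagram length")
    if payload[4] != NPDU_VERSION:
        raise ValueError("unsupported NPDU version")
    control, idx = payload[5], 6
    if control & 0x20:    # DNET, DLEN, DADR present
        idx += 3 + payload[idx + 2]
    if control & 0x08:    # SNET, SLEN, SADR present
        idx += 3 + payload[idx + 2]
    if control & 0x20:    # hop count follows whenever DNET is present
        idx += 1
    if control & 0x80:    # network-layer message, no APDU
        return {"kind": "network-message"}
    apdu, pdu_type = payload[idx:], payload[idx] >> 4
    if pdu_type == PDU_UNCONFIRMED:
        return _parse_unconfirmed(apdu)
    if pdu_type == PDU_CONFIRMED:
        return _parse_confirmed(apdu)
    return {"kind": "other", "pdu_type": pdu_type}

def _parse_unconfirmed(apdu):
    if apdu[1] != SERVICE_I_AM:
        return {"kind": "unconfirmed-request", "service": apdu[1]}
    idx, fields = 2, []   # I-Am: device id, max APDU, segmentation, vendor id
    for _ in range(4):
        _, _, length, idx = _tag(apdu, idx)
        fields.append(_uint(apdu, idx, length))
        idx += length
    obj_type, instance = _object_id(fields[0])
    if obj_type != OBJECT_TYPE_DEVICE:
        raise ValueError("I-Am without a device object identifier")
    return {"kind": "i-am", "device_instance": instance, "max_apdu": fields[1], "vendor_id": fields[3]}

def _parse_confirmed(apdu):
    idx = 5 if apdu[0] & 0x08 else 3   # segmented requests carry two extra header bytes
    service, idx = apdu[idx], idx + 1
    msg = {"kind": "confirmed-request", "invoke_id": apdu[2],
           "service": CONFIRMED_SERVICE_NAMES.get(service, service)}
    if service in (SERVICE_READ_PROP, SERVICE_WRITE_PROP):
        _, _, length, idx = _tag(apdu, idx)          # context tag 0: object identifier
        obj_type, instance = _object_id(_uint(apdu, idx, length))
        idx += length
        _, _, length, idx = _tag(apdu, idx)          # context tag 1: property identifier
        msg.update(object_type=obj_type, object_instance=instance, property_id=_uint(apdu, idx, length))
    return msg

def analyze(frames, allowed_writers):
    """frames: (src_ip, payload) pairs. Returns (inventory by device instance, alert strings)."""
    inventory, alerts = {}, []
    for src, payload in frames:
        msg = parse_bacnet_ip(payload)
        if msg["kind"] == "i-am":
            inventory[msg["device_instance"]] = {"ip": src, "vendor_id": msg["vendor_id"], "max_apdu": msg["max_apdu"]}
        elif msg["kind"] == "confirmed-request" and msg["service"] == "writeProperty" and src not in allowed_writers:
            alerts.append(f"{src} sent writeProperty to object {msg['object_type']}:{msg['object_instance']} "
                          f"property {msg['property_id']}")
    return inventory, alerts

# Constructed sample traffic: a controller's I-Am broadcast, a ReadProperty from the
# operator workstation, and a WriteProperty (present-value, priority 8) from a corporate host.
SAMPLE_FRAMES = [
    ("10.50.10.21", bytes.fromhex("810b0018 0120ffff00ff 1000 c402000001 220400 9103 2163")),
    ("10.50.10.5", bytes.fromhex("810a0011 0104 0005020c 0c00000003 1955")),
    ("10.10.4.77", bytes.fromhex("810a001a 0104 0005010f 0c00800001 1955 3e4442900000 3f 4908")),
]
ALLOWED_WRITERS = {"10.50.10.5"}   # assumed BMS operator workstation

if __name__ == "__main__":
    print(analyze(SAMPLE_FRAMES, ALLOWED_WRITERS))
```

The parser only needs to decode the handful of fields the inventory and the write check depend on, which is what keeps it passive and safe to run against a mirrored port: it never sends Who-Is or any other request, so it cannot disturb controllers. In a real deployment the source address would come from the captured UDP header rather than a tuple, and the allowlist would be fed from the same inventory once operator workstations have been identified.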

Where BMS controllers support configuration hardening — currently a subset of newer BACnet controllers — enforce BACnet Secure Connect (BACnet/SC), the security extension to BACnet that adds TLS encryption and certificate-based authentication. Deployment of BACnet/SC is limited by the installed base of older controllers, but new BMS deployments and major controller replacements should specify BACnet/SC support as a procurement requirement.

Regulatory Frameworks

BMS security is not directly addressed by most critical infrastructure regulations, but it is covered indirectly in several contexts. NERC-CIP covers Electronic Security Perimeters that include BMS systems in facilities housing BES Cyber Systems. NIS2 covers building systems in data centers, hospitals, and other covered sector facilities. Federal agency facilities are subject to NIST SP 800-82 for OT environments, which includes building automation systems in its scope. The GSA has issued specific guidance on BAS security for federal buildings. CISA's Cross-Sector Cybersecurity Performance Goals address physical security systems — including access control and HVAC — as components of the overall security posture.

Market Context

The convergence of IT and OT security in building environments is an emerging market segment. Claroty explicitly identifies commercial buildings as a cyber-physical systems category alongside industrial OT and healthcare IoT. The growing regulatory attention to physical security systems — particularly for data centers, healthcare facilities, and critical infrastructure buildings — is driving BMS security investment that previously relied entirely on air-gap assumptions.