The Human Factor: Building Automation System Insider Threats

Quick Summary

When we talk about building security, we tend to imagine a hoodie-clad hacker halfway across the world cracking open a BAS from a laptop. But the reality is more unsettling — and much closer to home. The most dangerous threat to your building automation system (BAS) may already have a badge and know exactly where the controllers are. A disgruntled facility manager with physical access to BAS controllers, shared engineering credentials, and unfettered use of unmonitored workstations can inflict damage faster than any external attacker. This post breaks down why the insider threat in building management systems is real, how it happens, and what you can do about it.


The External BAS Attacker is Not The Only Risk

For years, the cybersecurity narrative around building automation systems has been dominated by one image: a sophisticated external hacker breaching the perimeter, exploiting a zero-day in a BACnet stack, and taking control of a building’s HVAC, lighting, or access controls. And yes — that scenario is possible and very real. External attacks on operational technology (OT) require significant skill, reconnaissance, and luck. They have to find an exposed port, bypass network segmentation, and understand proprietary control protocols well enough to cause meaningful damage.

Compare that to Jeff, the facility manager who has been running the building’s BAS for twelve years. Jeff knows exactly which panel in the electrical room controls the HVAC for the third-floor server room. He knows that the admin password for the supervisory controller hasn’t changed since the system was commissioned in 2018. He knows that no one monitors the engineering workstation after 6 PM.

Now imagine Jeff has just been passed over for a promotion. Or laid off without severance. Or he’s leaving for a competitor and wants to make a statement.
Jeff doesn’t need to exploit a zero-day. He already has the keys.

The Anatomy of an Insider BAS Attack

Insider threats in building automation systems fall into three broad categories, and a disgruntled facility manager can exploit all of them.

1. Physical Access to BAS Controllers

Building automation controllers — programmable logic controllers (PLCs), application-specific controllers (ASCs), and field-level devices — are typically installed in mechanical rooms, electrical closets, or above ceiling tiles. These spaces are rarely locked, and even when they are, the facility manager carries the key.

A motivated insider can:

  • Physically disconnect critical controllers, causing heating or cooling loss in sensitive areas (server rooms, labs, cold storage).
  • Re-program a controller with malicious logic that slowly degrades equipment — a subtle act of sabotage that mimics equipment failure and may go undetected for months.
  • Attach a rogue device (a Raspberry Pi or laptop) directly to the controller’s service port to exfiltrate programming or inject malicious commands.
  • Trip breakers or disable uninterruptible power supplies (UPS) to controlled equipment, causing cascading failures.

Physical access trumps every cybersecurity control you can name. You can have the best network monitoring, endpoint detection, and zero-trust architecture in the world, but none of it matters if someone can walk up to a controller and plug in a cable.

2. Shared and Stale BAS Credentials

One of the most persistent bad habits in BAS management is credential sharing. A 2023 survey by the Building Cybersecurity Institute found that over 60% of facility management teams use shared administrator accounts for their BAS. The reasoning is usually pragmatic: “We have shift workers, and we can’t have someone stuck on a weekend because they forgot their password.” But shared credentials mean no accountability. When an action is taken through a shared admin account — changing a temperature setpoint, disabling an alarm, modifying a schedule — there is no way to prove who did it. Worse, when an employee leaves or is terminated, their knowledge of those credentials leaves with them. If the credentials aren’t rotated immediately, the former employee retains god-level access to the building’s nervous system.

A disgruntled facility manager who still knows the shared admin password can log in from anywhere — their home computer, a phone, a coffee shop — and cause havoc remotely. They can:

  • Disable fire smoke damper interlocks.
  • Override access control schedules, leaving doors unlocked overnight.
  • Set boiler temperatures to dangerous levels.
  • Flood a building with CO2 by disabling ventilation scheduling.

3. Unmonitored BAS Engineering Workstations

The engineering workstation (EWS) is the crown jewel of any BAS. It runs the building management software, holds the master database of points and schedules, and has direct communications to every controller on the network. Yet in many facilities, the EWS is:

  • A dust-covered desktop sitting in a corner of the mechanical room.
  • Logged in 24/7 with the BAS software running.
  • Connected to both the BAS network and the corporate network (or worse, the internet).
  • Completely devoid of endpoint monitoring, antivirus, or user activity logging.

A facility manager who has been using that workstation for years can easily:

  • Export the entire BAS configuration (a detailed map of every controller, sensor, actuator, and programmed sequence).
  • Create hidden logic bombs: a schedule that will slowly increase chilled water temperatures starting 30 days after their departure.
  • Install a remote access tool (TeamViewer, AnyDesk) for future access.
  • Delete or corrupt the BAS database, forcing a costly and time-consuming recommissioning effort.

Real-World Parallels

While high-profile insider attacks on BAS are rarely publicized (building owners prefer to keep them quiet), the pattern is well-documented in adjacent OT sectors.
In 2023, a former employee of a water treatment facility in Pennsylvania used still-active remote access credentials to tamper with treatment processes at a plant they had left months earlier. The same year, a disgruntled IT administrator in Florida used his continued access to supervisory systems to shut down HVAC and access controls across a multi-building corporate campus after being fired. These incidents share a common thread: the damage was not caused by sophisticated hacking. It was caused by access that should have been revoked, credentials that should have been rotated, and systems that should have been monitored.

Mitigation Strategies: What Building Owners and Security Pros Can Do

The good news is that insider threats in BAS are largely preventable with the right combination of policy, technology, and operational hygiene. Here are the key strategies.

1. Implement Individual Accounts with Role-Based Access Control (RBAC)

Stop sharing the admin password. Every user — including contractors, shift workers, and third-party service providers — should have their own unique account with the minimum permissions needed to do their job. Modern BAS platforms support RBAC; you simply need to enforce it.
When a facility manager leaves, their account is disabled immediately. No shared password to change, no wondering who still has access.

2. Lock Down Physical Access

Every mechanical room, electrical closet, and controller enclosure should be locked with a core that is not part of the general building master key system. Maintain an access log. Use electronic locks with audit trails where possible. Treat controller cabinets the way you would treat a server rack — because that’s what they are.

3. Monitor the Engineering Workstation

Install endpoint detection and response (EDR) on every engineering workstation. Log all user activity, including file access, application launches, and USB device connections. Set up alerts for:

  • Bulk configuration exports.
  • Installation of remote access software.
  • Modification of schedules outside business hours.
  • Failed login attempts (indicating credential testing).

4. Rotate Credentials on a Regular Cadence

All BAS credentials — local accounts on controllers, supervisory software passwords, VPN credentials — should be rotated at least every 90 days. Immediate rotation is mandatory whenever an employee with administrative access departs, regardless of the circumstances.

5. Enable and Monitor Audit Logs

Most BAS platforms generate audit logs that record who changed what and when. These logs are often disabled by default or never reviewed. Turn them on. Review them weekly. For critical changes (fire system interlocks, life safety sequences), require a second-person approval and document it.

6. Conduct Offboarding Procedures

When a facility manager or BAS technician leaves — especially under strained circumstances — their digital and physical access must be terminated before they walk out the door. This means:

  • Disabling BAS accounts immediately.
  • Changing shared credentials.
  • Collecting keys, access cards, and badges.
  • Conducting an audit of recent changes made by that individual.

7. Segment the BAS Network

While this won’t stop a facility manager who already has physical access to controllers, it will limit their ability to pivot from the BAS to the corporate network (or vice versa). Use firewalls, VLANs, and one-way data diodes where appropriate. The engineering workstation should never have direct internet access.

Conclusion

We spend enormous energy defending against external threats — firewalls, SOC monitoring, penetration testing, vulnerability management. And all of that matters. But if you are not paying equal attention to the people who already have the keys, the badge, and the knowledge, you are leaving the most dangerous door wide open. A disgruntled facility manager doesn’t need to hack your building. They already know how to run it. Your job is to make sure that only the people you trust can actually do that — and that the moment trust ends, the access ends with it.


Key Takeaways

  • A disgruntled facility manager with physical access, shared credentials, and unmonitored workstation access can cause more damage faster than most external hackers.
  • Physical access to BAS controllers is the hardest risk to detect and mitigate — treat mechanical rooms like server rooms.
  • Shared BAS admin credentials eliminate accountability and create a persistent access risk for former employees.
  • Unmonitored engineering workstations are a goldmine for disgruntled insiders — install EDR, enable audit logging, and restrict internet access.
  • Individual accounts with RBAC, regular credential rotation, strict offboarding procedures, and weekly audit log reviews are the most effective countermeasures.
  • Network segmentation helps limit blast radius but does not protect against a trusted insider with physical controller access.
  • Insider threat mitigation for BAS requires a blend of technology, policy, and operational discipline — not just another cybersecurity tool.

Learn more about how DOME can protect your building automation system.