From Isolated to Always Connected: Evolving BAS Risks

Quick Summary

Smart building cyber threats have evolved alongside the shift from isolated, air-gapped BAS to always-connected systems. While connectivity boosts efficiency, it also exposes HVAC, lighting, and access controls to ransomware, weak protocols, and IT/OT convergence risks. To defend against these threats, facility managers must adopt Zero Trust and device-level security to ensure resilience.

Introduction

Not long ago, building automation systems (BAS) were designed to be self-contained and isolated. Facility operators relied on “air gaps”, physical separation from IT networks and the internet, to keep heating, ventilation, lighting, and access systems safe from tampering. Those days are over.

Today, smart buildings are always connected. BAS integrates with enterprise IT, cloud dashboards, vendor portals, mobile apps, and AI optimization. While this connectivity delivers efficiency, comfort, and real-time control, it has also eliminated the protective air gap, exposing building systems to cyber threats that their original designers never imagined.

This article explores how BAS threats have evolved over time, why attackers now see buildings as prime targets, and why defenses must adapt.

 

The Era of Isolation: BAS as Closed Systems

In the early days of building automation, systems were designed with one goal: operational efficiency. Security was assumed to come from isolation:

  • BAS used proprietary protocols and hardware.
  • Systems were accessible only to onsite engineers and technicians.
  • Physical access was the main barrier against intrusion.

This “security through obscurity” approach worked for decades. HVAC controllers, lighting systems, and access controls ran reliably, largely untouched by external threats. Cybersecurity wasn’t even part of the conversation.

 

The Shift Toward Connectivity

As technology advanced, building owners sought better efficiency, cost savings, and remote control. BAS evolved from isolated systems to networked environments:

  • IP-enabled devices began replacing proprietary connections.
  • Vendor portals allowed remote monitoring and maintenance.
  • Enterprise IT integration provided data sharing and central control.
  • Mobile apps enabled operators to adjust systems anytime, anywhere.

While these changes boosted convenience and performance, they also erased the air gap. Devices that once sat safely behind locked doors became part of the internet-connected world.

 

Smart Building Cyber Threats – The New Attack Surface

This connectivity introduced vulnerabilities not present in legacy designs:

  1. Protocol Weaknesses: Standards like BACnet, Modbus, and KNX were not originally designed with encryption or authentication, leaving devices open to spoofing or manipulation.
  2. Remote Exploitation: Attackers no longer need physical access; they can probe BAS remotely via cloud connections or poorly secured VPNs.
  3. Supply Chain Risks: Vendor portals and maintenance accounts create backdoors if credentials are stolen or third-party networks are compromised.
  4. IT/OT Convergence: Once separated, BAS often sits on the same networks as enterprise IT, providing a potential bridge for attackers into corporate systems.
  5. Ransomware Expansion: Building systems have become targets for ransomware groups, who know that downtime in HVAC, lighting, access control, or life safety systems creates immediate pressure to pay.

 

Why Old Defenses Don’t Work Anymore

Traditional defenses, such as firewalls and network segmentation, remain important, but they’re no longer enough. Once an attacker bypasses the perimeter, BAS devices still implicitly trust each other, allowing lateral movement inside the network. This exposure is why advanced ransomware and insider attacks can devastate even well-segmented environments.

 

Adapting to the New Reality

Defenses must evolve as quickly as threats. Key strategies for modern BAS cybersecurity include:

  1. Zero Trust Principles: Replace implicit trust with “never trust, always verify.” Every device and request must be authenticated and authorized.
  2. Device-Level Authentication and Encryption: Ensure that controllers, sensors, and endpoints cannot communicate unless they’re verified and encrypted.
  3. Secure Legacy Protocols: Solutions like Veridify’s DOME™ platform add security to BACnet and Modbus without requiring costly hardware replacement.
  4. Continuous Monitoring: Pair device-level protections with real-time visibility into anomalies and attempted intrusions.
  5. Crypto-Agility for the Future: Post-quantum cryptography will be critical to protect BAS from future quantum-enabled attacks.

 

Conclusion

The evolution from isolated to always connected has transformed how buildings operate, and how they are attacked. What was once protected by physical air gaps is now exposed to global cyber threats. Facility managers and building owners must abandon the outdated assumption of “safe by isolation” and embrace modern, Zero Trust defenses that protect every device and every connection.

By securing BAS at the device level, operators can enjoy the benefits of connectivity without opening the door to disruption, ransomware, or future quantum risks.

Key Takeaways

  • BAS were once protected by air gaps and proprietary systems; today, they’re internet-connected and exposed.
  • Connectivity introduces new risks: weak protocols, vendor portals, IT/OT convergence, and ransomware.
  • Old defenses like firewalls are not enough once attackers bypass the perimeter.
  • Zero Trust security ensures every device is authenticated and communications are encrypted.
  • Solutions like DOME™ protect legacy BAS without replacing hardware.
  • Preparing for post-quantum cryptography is vital to future-proof building security.

 

 

Table of Contents
Related Articles