
Claroty Report Exposes Critical Security Flaws in Building Management Systems

A new report from cybersecurity firm Claroty has revealed serious vulnerabilities in Building Management Systems (BMS) and Building Automation Systems (BAS), exposing them to significant cybersecurity risks.

June 26, 2025

Bisma Farrukh

Among them are vulnerabilities already exploited in ransomware campaigns, many of them on poorly secured, internet-facing devices. BMS and BAS platforms are essential for managing energy consumption, meeting environmental standards, and achieving sustainability goals, but their widespread use and deep integration into organizational infrastructure have introduced major security weaknesses.

Many organizations rely on these systems to cut utility costs and boost efficiency across dispersed sites. Without proper safeguards, however, they pose a growing threat to business operations and critical infrastructure.

The report, titled “State of CPS Security 2025: Building Management System Exposures,” from Claroty’s Team82, analyzed nearly 500,000 BMS devices across over 500 cyber-physical system (CPS) organizations. It found that 75% of organizations had BMS devices affected by Known Exploited Vulnerabilities (KEVs). Alarmingly, 69% of these had KEVs previously used in ransomware attacks, and 51% were not only impacted by ransomware-linked KEVs but also exposed directly to the internet, heightening the risk of remote exploitation.

Among the most critical findings: 2% of devices in affected organizations carried the highest level of risk, meaning they were affected by actively exploited vulnerabilities, remained unpatched, and were essential to core operations.

Legacy Systems and Outdated Software

Many BMS systems run on outdated or unsupported versions of Windows such as XP, 7, 8, and Server 2003, as well as Windows 10, whose mainstream support ends in October 2025. Unsupported versions no longer receive security updates from Microsoft, so known vulnerabilities in them remain unpatched indefinitely. Vendors have likewise discontinued support for older firmware and hardware, so these systems stay unpatched and grow more vulnerable over time.

“75% of organizations are operating BMS devices with KEVs,” Claroty reported. “These are not theoretical flaws; they’ve been used in real-world attacks. When combined with insecure internet connectivity, they provide attackers with a clear pathway into critical systems.”

Weak Authentication, Misconfigurations, and Overused Remote Access Tools

Beyond unpatched vulnerabilities, BMS devices often suffer from weak authentication mechanisms and insufficient access controls. Internet scanning services such as Shodan let threat actors locate exposed BMS devices with little effort, and those devices can then be targeted with brute-force attacks. Once access is gained, attackers may attempt to move laterally into the broader enterprise network.

Remote access technologies, often used by vendors for maintenance, pose additional risks. These tools are frequently consumer-grade and lack essential protections like multi-factor authentication. According to Claroty, 55% of organizations use four or more remote access tools in their OT environments, with some using as many as 16, dramatically expanding the attack surface.

Open ports, unused services, and firewall misconfigurations increase exposure, offering attackers easy entry points. Proper segmentation, enhanced logging, and stricter access policies are critical to reducing risk.
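The segmentation point above is easiest to see in a concrete rule audit. The following is an added example written for this article, not code from Claroty or the report: it checks a firewall policy for the BMS segment against the principle that building-automation protocols and remote-access ports should only be reachable from a hardened engineering jump subnet. The rule format, the address ranges (10.40.0.0/16 for the BMS VLAN, 10.10.5.0/24 for jump hosts) and the rule sets themselves are constructed for illustration; the port numbers are the standard registered ports for BACnet/IP, Modbus/TCP, KNXnet/IP, RDP and VNC.

```python
"""Audit firewall rules for a BMS segment (added example, hypothetical rule format)."""
import ipaddress

# Services that must not be reachable from outside the engineering jump subnet.
SENSITIVE_PORTS = {
    ("udp", 47808): "BACnet/IP",
    ("tcp", 502): "Modbus/TCP",
    ("udp", 3671): "KNXnet/IP",
    ("tcp", 3389): "RDP",
    ("tcp", 5900): "VNC",
}

BMS_SEGMENT = ipaddress.ip_network("10.40.0.0/16")  # constructed: building-automation VLAN
JUMP_HOSTS = ipaddress.ip_network("10.10.5.0/24")   # constructed: hardened engineering jump subnet
ANY_SOURCE = ipaddress.ip_network("0.0.0.0/0")


def _services(rule):
    """Sensitive services a rule opens; an 'any' protocol or port opens all of them."""
    if rule["proto"] == "any" or rule["port"] == "any":
        return sorted(set(SENSITIVE_PORTS.values()))
    name = SENSITIVE_PORTS.get((rule["proto"], int(rule["port"])))
    return [name] if name else []


def audit(rules):
    """Return one finding per allow rule that exposes a sensitive BMS service
    to a source outside the jump subnet. 'critical' means the source is the
    whole internet (0.0.0.0/0); 'high' means another internal network."""
    findings = []
    for index, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if not dst.overlaps(BMS_SEGMENT):
            continue  # rule does not touch the BMS segment
        services = _services(rule)
        if not services or src.subnet_of(JUMP_HOSTS):
            continue  # harmless port, or traffic from the allowed jump subnet only
        findings.append({
            "rule": index,
            "src": str(src),
            "services": services,
            "severity": "critical" if src == ANY_SOURCE else "high",
        })
    return findings


# Constructed policy with the weak settings the article describes: a vendor
# BACnet hole open to the internet and RDP reachable from the office VLAN.
WEAK_RULES = [
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.40.1.10/32", "proto": "udp", "port": 47808},
    {"action": "allow", "src": "192.168.50.0/24", "dst": "10.40.0.0/16", "proto": "tcp", "port": 3389},
    {"action": "allow", "src": "10.10.5.0/24", "dst": "10.40.0.0/16", "proto": "tcp", "port": 22},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "10.40.0.0/16", "proto": "any", "port": "any"},
]

# Corrected policy: the same services, but only from the jump subnet.
HARDENED_RULES = [
    {"action": "allow", "src": "10.10.5.0/24", "dst": "10.40.1.10/32", "proto": "udp", "port": 47808},
    {"action": "allow", "src": "10.10.5.0/24", "dst": "10.40.0.0/16", "proto": "tcp", "port": 3389},
    {"action": "allow", "src": "10.10.5.0/24", "dst": "10.40.0.0/16", "proto": "tcp", "port": 22},
    {"action": "deny", "src": "0.0.0.0/0", "dst": "10.40.0.0/16", "proto": "any", "port": "any"},
]

if __name__ == "__main__":
    for finding in audit(WEAK_RULES):
        print(finding)
    print("hardened policy findings:", audit(HARDENED_RULES))
```

The audit deliberately treats any source that is not fully contained in the jump subnet as a violation, so a rule written for a broader range that merely overlaps the jump subnet is still flagged; that is the conservative reading a reviewer wants when the destination is a controller that cannot be patched.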

Real-World Incidents Highlight the Urgency

Several major cyberattacks underscore the vulnerability of BMS systems:

  • In 2021, attackers exploited weaknesses in the KNX protocol to wipe building automation systems at two European engineering firms, effectively rendering them inoperable.
  • In 2023, a cyberattack on MGM Resorts disrupted operations at over 30 casino and hotel properties, affecting internal systems and customer services.
  • In 2024, Omni Hotels suffered a sophisticated breach that caused week-long disruptions, including manual guest check-ins and offline Wi-Fi. Attackers claimed to have exfiltrated data from 3.5 million guests.

Claroty stresses that traditional vulnerability management practices are no longer sufficient. Many organizations rely too heavily on CVSS (Common Vulnerability Scoring System) metrics, often missing broader risk indicators such as legacy hardware, internet exposure, and access control weaknesses.

To address these challenges, Claroty advocates adopting a Continuous Threat Exposure Management (CTEM) strategy, as outlined by Gartner. This approach emphasizes continuous assessment of asset exposure, accessibility, and exploitability, crucial as building systems become increasingly digitized and interconnected.

Claroty’s Five-Step Framework for Risk Reduction:

  1. Scoping – Map critical business processes to device types and departments to identify dependencies.
  2. Discovery – Build a complete inventory of all BMS assets and their communication patterns.
  3. Prioritization – Evaluate risk based on exploitability and the operational impact a compromise would have.
  4. Validation – Confirm that exposures are real, externally reachable, and not theoretical.
  5. Mobilization – Implement targeted and practical mitigation steps aligned with business needs.
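The contrast the report draws between CVSS-only ranking and exposure-aware prioritization, together with the Scoping, Discovery and Prioritization steps above, can be shown on a small inventory. The code below is an added example written for this article, not Claroty's tooling or scoring. The device records and their attributes are constructed; the tiering is one reasonable reading of the report's risk factors (ransomware-linked KEV, direct internet exposure, operational criticality, unsupported OS), and the exact tier boundaries are an assumption of this example.

```python
"""Exposure-aware prioritization of BMS devices (added example, not Claroty's scoring)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    cvss_max: float          # highest CVSS base score among the device's CVEs
    kev: bool                # at least one CVE is on CISA's Known Exploited Vulnerabilities list
    ransomware_kev: bool     # at least one KEV is known to be used in ransomware campaigns
    internet_exposed: bool   # confirmed reachable from the internet (Validation step)
    process_critical: bool   # mapped to a core business process (Scoping step)
    os_unsupported: bool     # runs an OS or firmware that no longer receives security updates


def risk_tier(d: Device) -> int:
    """Lower is worse. Tier 0 combines the attributes the report singles out as
    highest risk: ransomware-linked KEV, direct exposure, and operational criticality."""
    if d.ransomware_kev and d.internet_exposed and d.process_critical:
        return 0
    if d.ransomware_kev and d.internet_exposed:
        return 1
    if d.kev and d.internet_exposed:
        return 2
    if d.kev:
        return 3
    if d.internet_exposed or d.os_unsupported:
        return 4
    return 5


def rank_by_cvss(devices):
    """The traditional ordering: highest CVSS base score first."""
    return sorted(devices, key=lambda d: -d.cvss_max)


def rank_by_exposure(devices):
    """Exposure-aware ordering: risk tier first, CVSS only as a tie-breaker."""
    return sorted(devices, key=lambda d: (risk_tier(d), -d.cvss_max))


def kev_summary(devices):
    """Counts behind the report's headline figures, computed per device here."""
    kev = [d for d in devices if d.kev]
    ransomware = [d for d in kev if d.ransomware_kev]
    exposed = [d for d in ransomware if d.internet_exposed]
    return {
        "kev": len(kev),
        "ransomware_kev": len(ransomware),
        "ransomware_kev_exposed": len(exposed),
        "tier0": sum(1 for d in devices if risk_tier(d) == 0),
    }


# Constructed inventory. The chiller PLC has the highest CVSS score but is
# neither exploited in the wild nor exposed; the BACnet gateway is the real problem.
INVENTORY = [
    Device("chiller-plc-01", 9.8, False, False, False, True, False),
    Device("bacnet-gw-02", 7.5, True, True, True, True, False),
    Device("hvac-hmi-03", 8.1, True, True, False, False, True),
    Device("lighting-ctrl-04", 5.3, False, False, True, False, True),
    Device("badge-srv-05", 6.5, True, False, True, False, False),
]

if __name__ == "__main__":
    print("CVSS-only order:    ", [d.name for d in rank_by_cvss(INVENTORY)])
    print("Exposure-aware order:", [d.name for d in rank_by_exposure(INVENTORY)])
    print(kev_summary(INVENTORY))
```

Run against the constructed inventory, the CVSS ordering puts the isolated chiller PLC first and the internet-exposed BACnet gateway third, while the exposure-aware ordering puts the gateway first and the chiller last; that inversion is the practical meaning of the report's warning about relying on CVSS alone.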

This structured, risk-based strategy helps organizations bridge the gap between IT and operational teams, enabling them to prioritize cybersecurity actions that protect business continuity without causing unnecessary disruption.
