Building Automation Systems, the Forgotten Point of Access

Chances are when you came to the office today, you have swiped your card to get access. Overhead a security camera monitors the car park and doors.

Inside, the room is kept at a steady temperature, and the server rooms are kept cool and efficient through the air conditioning. It's fair to say that many corporate buildings are heavily dependent on these Building Automation Systems (BAS).

More recently these systems have gone from simple systems running on closed networks to more advanced and valuable tools. Through measurement of various environmental factors it is possible to improve the efficiency of some BAS Heating Ventilation and Air Conditioning (HVAC) systems. Google have recently announced that they have used such methods to reduce their "data center cooling bill by 40%" [1]. Many BAS vendors now offer "smart" BAS systems, allowing remote administration and detailed metrics. BAS has come a long way from the simple thermostat. So has security moved with it?

BAS Security

Maybe the first question that should be answered is "Should we be concerned about BAS security?". Clearly we should take some measures, but how much is enough? What threats should we be protecting against?

The first step is to understand what assets the BAS solution could impact, and what goals an attacker has that could be accomplished through security weaknesses in BAS.

For many organisations, the BAS is not a target in itself. Certainly for Mr. Robot, the ability to damage computer systems through the HVAC system made it a valid target, and our building access control systems keep the burglars out. But many BAS solutions simply manage benign systems and are unlikely to be the end target of a deliberate cyber attack.

BAS have one issue that is often overlooked: connectivity.

In 2008, two years before Stuxnet emerged, a pressure build-up led to an oil pipeline exploding in Turkey. An investigation led to a sobering conclusion: the attackers had penetrated the pipeline's control systems through its IP security cameras [2]. Weaknesses in the camera software enabled the attackers to connect to a camera, exploit the camera's servers and from there move deeper into the internal network.

BAS often fall into the gap between engineers and IT teams. As a result they can be overlooked during security assessments, and missed when it comes to applying security policies. It is critical that they follow the security practices applied elsewhere in our businesses. Simple segregation may not be possible for modern BAS solutions requiring Internet access for cloud management. Instead each system should be reviewed to understand requirements for communications, what patching is possible from the vendor, and how they should be configured to maximize the devices' security.


Many BAS will work over multiple interfaces, not just Ethernet. It is important to include all of these routes when mapping the potential paths an attacker could take, and to make sure that both ingress and egress of data are restricted to a white list. Many modern systems use RF for transmissions. Although a more technically difficult attack vector, they should still be considered for the impact of man-in-the-middle, injection or denial of service attacks. Any interface that is not needed should be disabled.

If cloud or other external access is featured then this should be reviewed to understand what the risk would be if the remote endpoint were compromised. For many, cloud management is a nice-to-have that is outweighed by the risks, and is disabled.
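The two paragraphs above amount to a concrete control: write down the flows the BAS segment legitimately needs (management station to controllers, controllers to the vendor cloud endpoint, DNS) and treat everything else, in both directions, as a violation to investigate. The script below is an added example, not code from the post or from any BAS vendor; it runs that white list over a few constructed flow records in a simplified "timestamp src dst proto dport" format. The addresses, the BAS segment 10.20.0.0/24, the management host, the vendor cloud endpoint and the flow lines are all assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permitted flow: source network -> destination network on proto/port."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


# Constructed white list for an assumed BAS segment 10.20.0.0/24.
# Anything not matched here, ingress or egress, is reported.
ALLOW = [
    Rule(net("10.10.5.10/32"), net("10.20.0.0/24"), "tcp", 443),    # management station -> controllers (HTTPS)
    Rule(net("10.20.0.0/24"), net("203.0.113.20/32"), "tcp", 443),  # controllers -> vendor cloud endpoint (assumed)
    Rule(net("10.20.0.0/24"), net("10.10.5.53/32"), "udp", 53),     # controllers -> internal DNS resolver
]

# Constructed flow records (simplified NetFlow/firewall export, one flow per line).
FLOW_LOG = """\
2024-03-01T08:00:01 10.10.5.10 10.20.0.15 tcp 443
2024-03-01T08:00:05 10.20.0.15 203.0.113.20 tcp 443
2024-03-01T08:01:12 10.20.0.15 10.10.5.53 udp 53
2024-03-01T08:02:40 10.20.0.31 198.51.100.7 tcp 23
2024-03-01T08:03:03 10.20.0.31 10.10.1.5 tcp 445
2024-03-01T08:03:09 192.0.2.44 10.20.0.31 tcp 80
"""


def parse_flows(text: str) -> list[tuple]:
    """Parse 'timestamp src dst proto dport' lines into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)))
    return flows


def is_allowed(flow: tuple, rules: list[Rule]) -> bool:
    """A flow is allowed only if some rule matches source, destination, proto and port."""
    _, src, dst, proto, dport = flow
    return any(src in r.src and dst in r.dst and proto == r.proto and dport == r.dport for r in rules)


def find_violations(flows: list[tuple], rules: list[Rule] = ALLOW) -> list[tuple]:
    """Return every flow that is not on the white list; these are the ones to investigate."""
    return [f for f in flows if not is_allowed(f, rules)]


if __name__ == "__main__":
    for ts, src, dst, proto, dport in find_violations(parse_flows(FLOW_LOG)):
        direction = "egress" if src in net("10.20.0.0/24") else "ingress"
        print(f"{ts} {direction} {src} -> {dst} {proto}/{dport} NOT ON WHITE LIST")
```

On the constructed log the last three flows are reported: a controller reaching out to the Internet on telnet, a controller talking to an internal file-sharing port (the kind of pivot the pipeline incident describes), and an Internet host connecting inbound to a controller on HTTP. The same rule list can be carried straight into the firewall policy for the segment; the script is the review step that confirms the policy matches what the devices actually need.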

Principle of least privileges

Many users will need to have access to these systems, including, in some cases, the vendors themselves. It is important that only users that need access can access these systems, and that when employees leave the company, a process is in place to remove their access.

Host hardening

A common issue for BAS and other embedded systems is the presence of hardcoded or default credentials. Where possible these should be changed. Other configuration settings may be available, such as the enforcement of HTTPS instead of HTTP. Request hardening guides from the manufacturer.
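The least-privilege and host-hardening points above are easy to state and easy to let drift, so a periodic audit is worth scripting. The example below is added here and is not code from the post or from any BAS vendor; it assumes a hypothetical controller export (accounts with a flag for an unchanged default password, vendor accounts with an expiry date, and a list of management services) and checks it against a constructed HR leavers list and an approved access matrix. The export format, the device name and every user in it are made up for the example.

```python
from datetime import date

# Constructed controller export, modelled on what a BAS web console might
# produce (hypothetical format; field names are assumptions).
CONTROLLER_EXPORT = {
    "device": "hvac-controller-01",
    "services": {"http": True, "https": True, "telnet": True, "ssh": False},
    "accounts": [
        {"user": "admin", "role": "admin", "default_password": True, "vendor": False, "expires": None},
        {"user": "j.smith", "role": "admin", "default_password": False, "vendor": False, "expires": None},
        {"user": "a.jones", "role": "admin", "default_password": False, "vendor": False, "expires": None},
        {"user": "vendor-support", "role": "admin", "default_password": False, "vendor": True, "expires": "2023-12-31"},
        {"user": "vendor-remote", "role": "admin", "default_password": False, "vendor": True, "expires": None},
        {"user": "fm-dashboard", "role": "viewer", "default_password": False, "vendor": False, "expires": None},
    ],
}

# Constructed inputs from HR and the access-control process.
LEAVERS = {"a.jones"}
AUTHORISED = {"admin": "admin", "j.smith": "operator", "a.jones": "admin", "fm-dashboard": "viewer"}


def audit(export: dict, leavers: set, authorised: dict, today: date = date(2024, 3, 1)) -> list[tuple]:
    """Return (severity, message) findings for one controller export."""
    findings = []

    # Host hardening: cleartext management services should be off.
    services = export["services"]
    if services.get("http"):
        findings.append(("HIGH", "plain HTTP management enabled; enforce HTTPS only"))
    if services.get("telnet"):
        findings.append(("HIGH", "telnet enabled; disable unneeded cleartext management"))

    # Least privilege: every account must be approved, current, and hold no more than its approved role.
    for acct in export["accounts"]:
        user, role = acct["user"], acct["role"]
        if acct["default_password"]:
            findings.append(("CRITICAL", f"account {user} still uses the vendor default password"))
        if acct["vendor"]:
            if acct["expires"] is None:
                findings.append(("MEDIUM", f"vendor account {user} has no expiry date"))
            elif date.fromisoformat(acct["expires"]) < today:
                findings.append(("HIGH", f"vendor account {user} expired on {acct['expires']} but is still present"))
        elif user in leavers:
            findings.append(("HIGH", f"account {user} belongs to a leaver; remove access"))
        elif user not in authorised:
            findings.append(("HIGH", f"account {user} is not on the approved access list"))
        elif authorised[user] != role:
            findings.append(("HIGH", f"account {user} has role {role} but is approved only for {authorised[user]}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(CONTROLLER_EXPORT, LEAVERS, AUTHORISED):
        print(f"[{severity}] {CONTROLLER_EXPORT['device']}: {message}")
```

Run against the constructed export this reports seven findings: the unchanged default password, an operator holding an admin role, a leaver who still has an account, an expired vendor account and one with no expiry, and the two cleartext services. In practice the export would come from each device (or the vendor's management API) and the leavers list from HR, and the job would run on a schedule so that the "process to remove access" has a check behind it.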


Building Automation Systems are increasingly valuable to an attacker as they become more connected and feature rich. It is important that they are included in security controls, or they may end up being the hidden weakness that undermines our controls.
