Common BAS Vulnerabilities and Mitigations

Building Automation Systems face unique cybersecurity challenges due to their long lifecycles, operational requirements, and convergence with IT networks. Understanding common vulnerabilities helps prioritize security investments and protect critical building infrastructure.

Why BAS Systems Are Vulnerable

Legacy System Challenges

• Long equipment lifecycles: Controllers deployed 15-20+ years ago lack modern security
• Proprietary protocols: Many lack encryption or authentication by design
• Operational constraints: 24/7 uptime requirements limit patching windows
• IT/OT convergence: Connection to enterprise networks exposes isolated systems

Common Attack Vectors

1. Network-based attacks: Exploitation via connected IT networks
2. Physical access: Unsecured controllers in accessible locations
3. Supply chain: Compromised firmware or software updates
4. Social engineering: Targeting facility staff credentials

---

Top BAS Vulnerabilities

1. Default and Weak Credentials

The Problem: Many BAS devices ship with default usernames/passwords that are never changed or are publicly documented.

Common Examples:

• Default admin/admin or similar combinations
• Manufacturer-documented service accounts
• Hard-coded credentials in firmware

Mitigations:

• Change all default credentials immediately upon installation
• Implement strong password policies (12+ characters, complexity)
• Use unique credentials per device/system
• Document credentials securely (not in control drawings)

2. Unencrypted Communications

The Problem: Traditional BAS protocols transmit data in plaintext, allowing eavesdropping and man-in-the-middle attacks.

Affected Protocols:

• BACnet/IP (standard port 47808)
• Modbus TCP
• HTTP-based web interfaces
• Telnet for configuration

Mitigations:

• Implement BACnet Secure Connect (BACnet/SC) where supported
• Use VPNs or encrypted tunnels for remote access
• Enable HTTPS on all web interfaces
• Segment BAS traffic from general network

3. Lack of Authentication

The Problem: Many BAS protocols have no built-in authentication - any device on the network can issue commands.

Real-World Impact:

• Unauthorized setpoint changes
• Equipment damage from malicious commands
• Occupant discomfort or safety issues
• Energy waste from manipulated schedules

Mitigations:

• Network segmentation with strict access control
• BACnet/SC with certificate-based authentication
• Application-level access controls where available
• Monitoring for unauthorized command sources

4. Outdated Firmware and Software

The Problem: BAS devices often run outdated software with known vulnerabilities that are never patched.

Contributing Factors:

• Fear of operational disruption
• Lack of vendor support for legacy equipment
• No automated update mechanisms
• Testing requirements for critical systems

Mitigations:

• Inventory all BAS devices and software versions
• Subscribe to vendor security advisories
• Establish regular maintenance windows for updates
• Test updates in non-production environments first
• Plan for end-of-life equipment replacement

5. Insecure Remote Access

The Problem: Remote access for service and monitoring often bypasses security controls.

Common Issues:

• Direct internet exposure of BAS interfaces
• Shared remote access credentials
• Unmonitored third-party access
• VPN configurations with excessive permissions

Mitigations:

• Never expose BAS directly to internet
• Use jump hosts or secure remote access platforms
• Implement multi-factor authentication
• Log and monitor all remote sessions
• Time-limit vendor access credentials

6. Insufficient Network Segmentation

The Problem: BAS networks connected directly to enterprise IT networks inherit all IT-side threats.

Attack Scenarios:

• Ransomware spreading from IT to OT
• Lateral movement from compromised workstation
• Phishing attacks gaining BAS access

Mitigations:

• Dedicated VLANs for BAS traffic
• Firewalls between IT and OT networks
• Allow only required traffic flows
• Monitor cross-segment traffic

---

Known BAS Vulnerabilities (ICS-CERT/CISA)

Historical Advisories

Security researchers and ICS-CERT have disclosed vulnerabilities in major BAS platforms:

Common Vulnerability Types:

• Authentication bypass: Accessing systems without valid credentials
• Command injection: Executing arbitrary code via input fields
• Buffer overflow: Crashing or compromising systems via malformed data
• Cross-site scripting (XSS): Attacking users through web interfaces
• Hard-coded credentials: Discovering undocumented access accounts

Finding Advisories:

• CISA ICS-CERT: https://www.cisa.gov/uscert/ics/advisories
• Vendor security bulletins
• CVE database: https://cve.mitre.org

Staying Informed

1. Subscribe to ICS-CERT mailing list
2. Monitor vendor security pages
3. Join industry information sharing groups (BACnet International, ASHRAE)
4. Engage with cybersecurity community

---

Vulnerability Assessment

Basic Assessment Steps

1. Inventory: Document all BAS devices, software, firmware versions
2. Network mapping: Identify all connections and data flows
3. Credential audit: Verify no default passwords remain
4. Configuration review: Check for unnecessary services/ports
5. Access review: Verify user accounts and permissions

Tools and Techniques

• Network scanning (with caution on OT networks)
• Vulnerability scanners (Nessus, OpenVAS)
• BACnet discovery tools
• Manual configuration review

Professional Assessment

Consider engaging specialists for:

• Penetration testing
• Architecture review
• Compliance audits
• Incident response planning

---

Incident Response Preparation

BAS-Specific Considerations

• Maintain offline backups of controller programs and configurations
• Document manual overrides for critical systems
• Establish communication plans with building occupants
• Know your critical systems and their dependencies

Response Priorities

1. Safety first: Ensure HVAC maintains safe conditions
2. Isolate affected systems: Prevent spread
3. Preserve evidence: Logs, network captures
4. Restore from known good state: Clean backups
5. Post-incident review: Improve defenses

---

Security Program Development

Starting Points

1. Risk assessment: Identify critical systems and threats
2. Policy development: Define security requirements
3. Training: Educate facility and IT staff
4. Monitoring: Implement logging and alerting
5. Continuous improvement: Regular reviews and updates

Framework Alignment

• NIST Cybersecurity Framework
• IEC 62443 (Industrial Automation Security)
• ASHRAE Guideline 13 (Building Automation Security)

---

References

• CISA ICS-CERT Advisories: https://www.cisa.gov/uscert/ics/advisories
• NIST SP 800-82 Rev 3: Guide to OT Security
• CVE Database: https://cve.mitre.org
• BACnet Secure Connect Addendum (ASHRAE 135-2020)
• ASHRAE Guideline 13: Specifying Building Automation Systems

---

Security is an ongoing process, not a one-time project. Regular assessment, continuous monitoring, and staying informed about emerging threats are essential for protecting building automation systems.