Commercial Building Automation Systems Use Protocols With No Authentication or Encryption
Commercial building automation systems (BAS) that control HVAC, lighting, access control, elevators, and fire safety speak protocols (BACnet, Modbus, LonWorks, KNX) designed in the 1980s and 1990s for trusted, physically isolated serial and local networks. None of them authenticates the sender, encrypts traffic, or protects message integrity: a BACnet/IP WriteProperty request is a single UDP datagram (default port 47808) that any host able to reach the controller can send. An attacker with network access to a BACnet-enabled building can read sensor values, override setpoints, take fire alarm and life-safety objects out of service, unlock doors, and drive HVAC equipment outside its operating envelope to cause physical damage, all with standard protocol commands and no credentials. As buildings add IoT devices and cloud-based management platforms, BAS networks that were once isolated are being joined to enterprise IT networks and the internet, exposing decades-old design decisions. ASHRAE's BACnet Secure Connect (BACnet/SC) addendum to Standard 135 wraps BACnet in TLS 1.3 over WebSockets with certificate-based mutual authentication, but retrofitting existing BACnet infrastructure means replacing controllers, routers, and software, at an estimated $5–15 per square foot for a typical commercial building.
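As an added illustration (written for this page, not taken from the cited sources or from any BACnet stack), the following Python builds and parses a BACnet/IP WriteProperty request so the absence of any credential field is visible byte by byte. The object type, property and service numbers are the ASHRAE 135 enumerations and the frame layout follows the standard; the decoder deliberately handles only the unrouted, single-REAL case a lab test needs. The send() helper exists only to show that delivery is one UDP datagram; point it at your own test device, never a production controller.

```python
"""Encode/decode a BACnet/IP WriteProperty request (added example for this page; not code from any
BACnet stack).  The point is what the frame does not contain: no identity, password, or signature."""
import socket
import struct

# ASHRAE 135 enumerations used here
OBJ_ANALOG_VALUE = 2
PROP_PRESENT_VALUE = 85
SVC_WRITE_PROPERTY = 15          # confirmed service choice
BVLC_ORIGINAL_UNICAST = 0x0A     # BVLC function: Original-Unicast-NPDU
BACNET_UDP_PORT = 47808          # 0xBAC0, the BACnet/IP default


def _tag(number, context, lvt):
    """One BACnet tag octet: tag number (high nibble), class bit (0x08 = context), length/value/type."""
    return bytes([(number << 4) | (0x08 if context else 0) | lvt])


def encode_write_property(obj_type, instance, prop_id, value, priority, invoke_id):
    """Return the UDP payload of a WriteProperty request carrying a REAL at the given priority."""
    obj_id = (obj_type << 22) | (instance & 0x3FFFFF)
    prop = prop_id.to_bytes(2 if prop_id > 0xFF else 1, "big")
    apdu = bytes([0x00, 0x05, invoke_id & 0xFF, SVC_WRITE_PROPERTY])   # Confirmed-Request, max APDU 1476
    apdu += _tag(0, True, 4) + struct.pack(">I", obj_id)                 # [0] objectIdentifier
    apdu += _tag(1, True, len(prop)) + prop                               # [1] propertyIdentifier
    apdu += _tag(3, True, 6) + _tag(4, False, 4) + struct.pack(">f", value) + _tag(3, True, 7)  # [3] {REAL}
    apdu += _tag(4, True, 1) + bytes([priority])   # [4] priority: 1 = manual life safety ... 8 = operator ... 16
    body = b"\x01\x04" + apdu                       # NPDU: version 1, control 0x04 = reply expected, unrouted
    return b"\x81" + bytes([BVLC_ORIGINAL_UNICAST]) + struct.pack(">H", 4 + len(body)) + body


def _read_tag(buf, pos):
    """Decode one tag octet at buf[pos]; return (tag_number, is_context, length_or_type, next_pos)."""
    b = buf[pos]
    num, ctx, lvt = b >> 4, bool(b & 0x08), b & 0x07
    pos += 1
    if lvt == 5:                 # extended length lives in the next octet (values up to 253)
        lvt = buf[pos]
        pos += 1
    return num, ctx, lvt, pos


def decode_frame(frame):
    """Parse a WriteProperty frame produced by encode_write_property (or captured from the wire).

    The returned dict is the complete content of the request: there is no field left over
    that could carry a sender identity or credential.
    """
    if len(frame) < 10 or frame[0] != 0x81:
        raise ValueError("not BACnet/IP")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("BVLC length mismatch")
    if frame[4] != 0x01 or frame[5] & 0xA8:
        raise ValueError("routed NPDU or network-layer message; not handled here")
    apdu = frame[6:]
    if apdu[0] >> 4 != 0 or apdu[3] != SVC_WRITE_PROPERTY:
        raise ValueError("not a Confirmed-Request WriteProperty")
    fields = {"bvlc_function": frame[1], "invoke_id": apdu[2], "service": apdu[3]}
    pos = 4
    num, ctx, n, pos = _read_tag(apdu, pos)
    if (num, ctx, n) != (0, True, 4):
        raise ValueError("expected [0] objectIdentifier")
    obj_id = struct.unpack(">I", apdu[pos:pos + 4])[0]
    pos += 4
    fields["object_type"], fields["instance"] = obj_id >> 22, obj_id & 0x3FFFFF
    num, ctx, n, pos = _read_tag(apdu, pos)
    if (num, ctx) != (1, True):
        raise ValueError("expected [1] propertyIdentifier")
    fields["property"] = int.from_bytes(apdu[pos:pos + n], "big")
    pos += n
    num, ctx, n, pos = _read_tag(apdu, pos)
    if (num, ctx, n) != (3, True, 6):
        raise ValueError("expected opening tag [3]")
    num, ctx, n, pos = _read_tag(apdu, pos)
    if (num, ctx, n) != (4, False, 4):
        raise ValueError("only REAL values are decoded here")
    fields["value"] = struct.unpack(">f", apdu[pos:pos + 4])[0]
    pos += 4
    num, ctx, n, pos = _read_tag(apdu, pos)
    if (num, ctx, n) != (3, True, 7):
        raise ValueError("expected closing tag [3]")
    if pos < len(apdu):                                # optional [4] priority
        num, ctx, n, pos = _read_tag(apdu, pos)
        if (num, ctx) != (4, True):
            raise ValueError("expected [4] priority")
        fields["priority"] = apdu[pos]
    return fields


def send(frame, host, port=BACNET_UDP_PORT):
    """Deliver the frame: one unauthenticated UDP datagram is all it takes (lab devices only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(frame, (host, port))


if __name__ == "__main__":
    f = encode_write_property(OBJ_ANALOG_VALUE, 1, PROP_PRESENT_VALUE, 72.0, 8, invoke_id=1)
    print(f.hex(), decode_frame(f))
```

The frame for analog-value 1, present-value 72.0 at priority 8 (manual operator) is 26 bytes, and the decoder returns nothing but BVLC function, invoke ID, service, object, property, value and priority. The same request with priority 1 lands in the manual-life-safety slot of the object's priority array and overrides every lower-priority writer, including the building's own control logic, until something relinquishes it.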
Commercial buildings consume about 35% of US electricity, and BAS directly controls much of that consumption. A compromised BAS could spike energy use across a building portfolio (economic attack), disable HVAC in hospitals or data centers (safety and availability attack), manipulate access control (physical security attack), or trigger cascading failures in connected infrastructure. The 2021 Verkada breach, in which attackers used an exposed super-admin credential for the vendor's cloud platform to reach roughly 150,000 cameras, including those in hospitals and jails, showed how a single cloud management tier can expose building systems across thousands of sites at once. Unlike IT systems that can be patched remotely, BAS controllers are embedded in walls and ceilings on 15–25 year replacement cycles, creating an installed-base problem: most deployed systems will remain unpatched for decades.
Network segmentation (VLANs separating BAS from IT networks) shrinks the attack surface but does nothing against an attacker already on the BAS segment (a compromised IoT device or a contractor laptop) or against a compromised cloud management platform that holds legitimate write access. BACnet/SC provides a cryptographic upgrade path, but a native BACnet/SC node needs controller firmware and hardware able to run TLS, which the large majority of controllers deployed before 2020 cannot; a BACnet/SC router can front a legacy BACnet/IP or MS/TP segment, but traffic behind that router stays unauthenticated, so the protected boundary moves rather than disappears. IT intrusion detection rulesets do not understand BAS protocol semantics: packet parsers for BACnet and Modbus exist (for example CISA's ICSNPP parsers for Zeek) and can decode a WriteProperty, but telling a legitimate setpoint change from a malicious one requires knowing the object written, its normal range, the priority used, and the building's operating schedule, which generic IDS deployments lack. Penetration testing of BAS is rare because building owners and facility managers typically lack cybersecurity expertise and do not perceive buildings as cyberattack targets. Vendor-specific security add-ons create additional lock-in without addressing the underlying protocol weakness.
Lightweight cryptographic wrappers that add sender authentication and integrity checking (a keyed MAC plus a replay counter) to legacy BAS traffic without replacing controllers, running on an inline device or BACnet router in front of equipment that cannot run the wrapper itself, analogous to how HTTPS was layered over HTTP without changing the application protocol; the hard parts are key distribution and making the receiving side refuse unwrapped legacy frames, since otherwise an attacker simply sends plaintext. BAS-specific intrusion detection that parses building automation protocol traffic and flags anomalous commands (setpoint changes outside the normal operating range for that object, writes that take alarm or life-safety objects out of service, high-priority writes from unexpected sources, rapid cycling of equipment). Security certification frameworks for building automation products, similar to UL listings for electrical safety, that create market incentives for secure products.
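The wrapper sketched above, as an added example for this page (it is not from the cited sources and is not an ASHRAE format): each endpoint authenticates outgoing datagrams with HMAC-SHA256 under its own key and a strictly increasing sequence number, and verifies incoming ones with the peer's key. The `BW` marker, the header layout, the endpoint IDs and the test keys are all assumptions made for the example; a real deployment would derive per-link keys from a provisioning step and persist counters across reboots. The demo wraps a captured BACnet/IP WriteProperty frame and then checks that a replayed copy, a tampered copy (value changed from 72.0 to 100.0), a frame reflected back at its sender, and a bare legacy frame are all rejected.

```python
"""Authentication-and-integrity wrapper for legacy BAS datagrams (added example; hypothetical format)."""
import hashlib
import hmac
import struct

MAGIC = b"BW"               # assumed marker for this example's wrapper; not part of any standard
HDR_LEN, TAG_LEN = 7, 16    # magic(2) + key_id(1) + seq(4); HMAC-SHA256 truncated to 128 bits


class WrapperEndpoint:
    """Bump-in-the-wire authenticator: wrap() on the way out, unwrap() on the way in.

    Each endpoint signs with its own key (named by key_id) and verifies peers with theirs.
    The sequence number is covered by the MAC and must increase strictly per peer, so a
    captured frame cannot be replayed and a frame cannot be reflected back to its sender.
    Confidentiality is deliberately out of scope, matching the page's integrity-only goal.
    """

    def __init__(self, key_id, key, peers):
        self.key_id, self.key = key_id, key
        self.peers = dict(peers)      # peer key_id -> key
        self.send_seq = 0
        self.last_seen = {}           # peer key_id -> highest accepted seq

    def wrap(self, bacnet_frame):
        if self.send_seq >= 0xFFFFFFFF:
            raise RuntimeError("sequence space exhausted: rekey before sending")
        self.send_seq += 1
        header = MAGIC + bytes([self.key_id]) + struct.pack(">I", self.send_seq)
        tag = hmac.new(self.key, header + bacnet_frame, hashlib.sha256).digest()[:TAG_LEN]
        return header + bacnet_frame + tag

    def unwrap(self, datagram):
        # Anything that is not wrapped is dropped: accepting legacy plaintext would be a downgrade path.
        if len(datagram) < HDR_LEN + TAG_LEN or datagram[:2] != MAGIC:
            raise ValueError("not a wrapped frame")
        header, body, tag = datagram[:HDR_LEN], datagram[HDR_LEN:-TAG_LEN], datagram[-TAG_LEN:]
        kid = header[2]
        if kid == self.key_id:
            raise ValueError("reflected frame (signed with our own key)")
        key = self.peers.get(kid)
        if key is None:
            raise ValueError("unknown key_id")
        expect = hmac.new(key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):        # constant-time comparison
            raise ValueError("bad MAC")
        # Replay check only after the MAC passes, so forged frames cannot advance the counter.
        seq = struct.unpack(">I", header[3:HDR_LEN])[0]
        if seq <= self.last_seen.get(kid, 0):
            raise ValueError("replayed or reordered frame")
        self.last_seen[kid] = seq
        return body


def _rejected(endpoint, datagram):
    try:
        endpoint.unwrap(datagram)
    except ValueError:
        return True
    return False


def demo():
    """Constructed exchange: workstation (id 1) -> controller (id 2), then four attacker moves."""
    k_ws, k_ctl = b"\x11" * 32, b"\x22" * 32          # constructed test keys only
    ws = WrapperEndpoint(1, k_ws, {2: k_ctl})
    ctl = WrapperEndpoint(2, k_ctl, {1: k_ws})
    # A BACnet/IP WriteProperty (analog-value 1, present-value 72.0, priority 8), as captured.
    frame = bytes.fromhex("810a001a01040005010f0c0080000119553e44429000003f4908")
    first = ws.wrap(frame)
    result = {"roundtrip": ctl.unwrap(first) == frame}
    result["replay_rejected"] = _rejected(ctl, first)
    second = ws.wrap(frame)
    tampered = second.replace(b"\x42\x90\x00\x00", b"\x42\xc8\x00\x00")   # REAL 72.0 -> 100.0 in place
    result["tamper_rejected"] = _rejected(ctl, tampered)
    result["reflection_rejected"] = _rejected(ws, ws.wrap(frame))
    result["plaintext_rejected"] = _rejected(ctl, frame)
    return result


if __name__ == "__main__":
    print(demo())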
A team could set up a BACnet test network (using open-source BACnet stacks such as bacnet-stack or BACpypes with simulated building equipment), demonstrate the attack surface of unauthenticated BACnet, and prototype a lightweight authentication wrapper. A cybersecurity team could build a BAS-specific anomaly detector that monitors decoded BACnet traffic for suspicious command patterns, with per-object normal ranges learned from baseline building operation data. Relevant disciplines: cybersecurity, building science, embedded systems, electrical engineering.
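The anomaly detector described in the approaches and project sketches above, as an added example written for this page (not a shipped product and not from the cited sources). It works on already-decoded write events rather than raw packets, learns a per-object normal range from a constructed baseline, and implements the rule families named above: out-of-range setpoints, alarm suppression (out-of-service or event-enable writes on life-safety objects), rapid cycling of binary outputs, and, as one extension beyond the text, life-safety-priority writes from a source outside an allowlist. The event stream, source addresses, object instances and thresholds are all constructed for the example.

```python
"""BAS-specific anomaly detection over decoded BACnet write events (added example for this page)."""
from collections import defaultdict, deque

# ASHRAE 135 enumerations used below
OBJ_ANALOG_VALUE, OBJ_BINARY_OUTPUT, OBJ_LIFE_SAFETY_POINT = 2, 4, 21
PROP_PRESENT_VALUE, PROP_OUT_OF_SERVICE, PROP_EVENT_ENABLE = 85, 81, 35
ANALOG_TYPES = {0, 1, 2}          # analog-input/output/value
BINARY_TYPES = {3, 4, 5}          # binary-input/output/value
LIFE_SAFETY_TYPES = {21, 22}      # life-safety-point / life-safety-zone
LIFE_SAFETY_PRIORITIES = {1, 2}   # manual / automatic life-safety slots of the priority array


class BasDetector:
    """Stateful rule engine; observe() takes one decoded write and returns zero or more alerts."""

    def __init__(self, baseline, trusted_sources=(), cycle_window=60.0, cycle_limit=4):
        by_obj = defaultdict(list)
        for w in baseline:                       # learn normal present-value range per analog object
            if w["prop"] == PROP_PRESENT_VALUE and w["obj_type"] in ANALOG_TYPES:
                by_obj[(w["obj_type"], w["instance"])].append(float(w["value"]))
        self.ranges = {}
        for obj, vals in by_obj.items():
            lo, hi = min(vals), max(vals)
            margin = max(1.0, 0.1 * (hi - lo))   # assumed tolerance around the observed range
            self.ranges[obj] = (lo - margin, hi + margin)
        self.trusted = set(trusted_sources)
        self.window, self.limit = cycle_window, cycle_limit
        self.recent = defaultdict(deque)         # obj -> timestamps of recent binary writes

    def observe(self, w):
        alerts = []
        obj = (w["obj_type"], w["instance"])
        name = f"{w['obj_type']}:{w['instance']}"
        src = w["src"]
        if w["prop"] == PROP_PRESENT_VALUE and obj in self.ranges:
            lo, hi = self.ranges[obj]
            if not lo <= w["value"] <= hi:
                alerts.append(f"RANGE {name} value {w['value']} outside learned {lo:.1f} to {hi:.1f} from {src}")
        if w["prop"] == PROP_OUT_OF_SERVICE and w["value"]:
            sev = "HIGH" if w["obj_type"] in LIFE_SAFETY_TYPES else "MEDIUM"
            alerts.append(f"SUPPRESS {name} taken out of service ({sev}) from {src}")
        if w["prop"] == PROP_EVENT_ENABLE and not w["value"]:
            alerts.append(f"SUPPRESS {name} event reporting disabled from {src}")
        if w["obj_type"] in BINARY_TYPES and w["prop"] == PROP_PRESENT_VALUE:
            q = self.recent[obj]
            q.append(w["t"])
            while q and w["t"] - q[0] > self.window:
                q.popleft()
            if len(q) == self.limit + 1:         # fire once, when the threshold is crossed
                alerts.append(f"CYCLING {name} written {len(q)} times in {self.window:.0f}s from {src}")
        if w.get("priority") in LIFE_SAFETY_PRIORITIES and src not in self.trusted:
            alerts.append(f"PRIORITY {name} life-safety priority {w['priority']} write from untrusted {src}")
        return alerts


def _w(t, src, obj_type, instance, prop, value, priority=None):
    return {"t": t, "src": src, "obj_type": obj_type, "instance": instance,
            "prop": prop, "value": value, "priority": priority}


def run_demo():
    """Constructed baseline and attack stream; returns the alerts raised, in order."""
    bms = "10.0.5.10"      # constructed: the legitimate front-end workstation
    rogue = "10.0.5.77"    # constructed: a host that should never write
    baseline = [_w(t, bms, OBJ_ANALOG_VALUE, 1, PROP_PRESENT_VALUE, v)
                for t, v in ((0, 70.0), (600, 72.0), (1200, 74.0), (1800, 68.0))]   # zone setpoint
    baseline += [_w(t, bms, OBJ_ANALOG_VALUE, 2, PROP_PRESENT_VALUE, v)
                 for t, v in ((0, 55.0), (900, 45.0))]                               # chilled-water setpoint
    det = BasDetector(baseline, trusted_sources=[bms])
    stream = [
        _w(3600, bms, OBJ_ANALOG_VALUE, 1, PROP_PRESENT_VALUE, 71.0),             # normal
        _w(3605, rogue, OBJ_ANALOG_VALUE, 1, PROP_PRESENT_VALUE, 95.0),           # far outside learned range
        _w(3610, rogue, OBJ_LIFE_SAFETY_POINT, 3, PROP_OUT_OF_SERVICE, True),     # smoke detector disabled
        _w(3612, rogue, OBJ_LIFE_SAFETY_POINT, 3, PROP_EVENT_ENABLE, 0),          # its alarm reporting off
    ]
    stream += [_w(3620 + i, rogue, OBJ_BINARY_OUTPUT, 7, PROP_PRESENT_VALUE, i % 2)
               for i in range(5)]                                                  # chiller start/stop x5
    stream += [
        _w(3630, rogue, OBJ_ANALOG_VALUE, 1, PROP_PRESENT_VALUE, 72.0, priority=1),  # in range, but life-safety slot
        _w(3635, bms, OBJ_ANALOG_VALUE, 1, PROP_PRESENT_VALUE, 72.0, priority=1),    # same write, trusted source
    ]
    alerts = []
    for ev in stream:
        alerts.extend(det.observe(ev))
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The detector raises five alerts on the constructed stream and stays silent on the legitimate writes, including the trusted workstation's priority-1 write. Learned ranges and the cycling threshold are where false positives live in practice: seasonal setpoint schedules and legitimate equipment staging both need to be part of the baseline, or the rules need a schedule-aware context the example does not carry.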
Targets C8 (OT/Cyber-Physical Security). The structural pattern matches: cybersecurity solutions designed for IT environments fail on legacy OT systems with long replacement cycles, creating an installed-base vulnerability that cannot be patched. The `temporal:worsening` tag passes the three-requirement test: (1) building IoT convergence is expanding the attack surface; (2) the number of connected BAS devices is growing faster than security controls; (3) building-to-grid integration (demand response, virtual power plants) creates new attack vectors. Distinct from `infrastructure-scada-legacy-ai-detection` (which covers industrial SCADA, not building automation) and `infrastructure-water-ot-security-gap` (which covers water treatment OT).
NIST SP 1800-7, "Situational Awareness for Electric Utilities"; CISA, "Securing Building Automation Systems," 2024; Antonini, M. et al., "Security Challenges in Building Automation and the Path to Certification," Sensors, 23(17), 7561, 2023; ASHRAE Standard 135 (BACnet) security addenda; accessed 2026-02-25