Building management or automation systems (BMS) or (BAS) are computer based systems installed in buildings to control and monitor mechanical and electrical equipment such as heating, ventilation, cooling, power, fire alarms, fire suppression, lighting, security, and access control. Over the years the major vendors have built systems that follow a mix of both open and proprietary protocols, and most all are interoperable with Internet protocols. BMS systems are critically important and benefits include saving energy consumption.

Vulnerabilities can be expected in any computer system especially those that have not been built using best practices in security.

But frequently, in any system, till a security researcher proves the flaws exist little effort is put into finding and fixing them. The same is certainly true of BMS implementations.

Now we have proof that this same dynamic is underway in the BMS world. Extensive vulnerabilities are being found.

For more see: Security Week:

A researcher has discovered over 100 vulnerabilities in building management and access control systems from four major vendors. An attacker can exploit these flaws to gain full control of impacted products and manipulate the systems connected to them.

Roughly one year ago, Gjoko Krstic, a researcher at industrial cybersecurity firm Applied Risk, started analyzing building management (BMS), building automation (BAS) and access control products from Nortek, Prima Systems, Optergy, and Computrols. The products include Computrols CBAS-Web, Optergy Proton/Enterprise, Prima FlexAir, and two Nortek Linear eMerge products.

Krstic has identified a total of over 100 security holes in these systems to which nearly 50 CVE identifiers have been assigned; some of the issues are variations of the same flaw.

What can hackers do with these vulnerabilities? Since Shodan searches show thousands of buildings with these vulnerabilities are connected to the Internet, bad actors can access vulnerable buildings from afar and do things like trigger alarms, lock or unlock doors, control elevator access, intercept video and steal personal information.

What should your action be? If you own or manage buildings dig deep into your BMS. Ensure it is patched. Contact the provider not just to get their take on this story, but to give them your expectations for patches to any vulnerabilities. And ensure you are taking steps to disconnect your system from the Internet. And test that it really is disconnected.