
Claroty has announced new research on the riskiest exposures among building management systems (BMS) and building automation systems (BAS). The new report from Team82, State of CPS Security 2025: Building Management System Exposures, analyses nearly half a million BMS across more than 500 CPS organisations, finding that 75% of organisations have BMS affected by known exploited vulnerabilities (KEVs).
Digging deeper into the KEV-affected organisations, 51% are affected by KEVs that are also linked to ransomware and are insecurely connected to the internet. Within those organisations, 2% of devices contain the same level of risk, meaning that devices essential to business operations are operating at the highest level of risk exposure.
This combination of risk factors raises alarms, given the widespread reliance on BMS in commercial real estate, retail, hospitality, and data centre facilities to operate systems like HVAC, lighting, energy, elevators, security, and more. The exposure level of these devices provides adversaries with easily accessible entry points that leave the door open to costly and potentially dangerous disruptions.
The findings in the report show the need for protection of these systems to be given greater priority, especially as they are brought online for operational and business reasons such as remote management and analytics.
By taking an exposure management-based approach and focusing on the unique needs and challenges of CPS environments, organisations can identify, assess, and prioritise the riskiest devices, saving precious time and resources.
“Oftentimes, BMS and BAS are being operationalised on the network without thinking about the cybersecurity implications,” said Claroty Chief Strategy Officer Grant Geyer. “What’s being gained in efficiency and convenience might be coming at a real risk if not effectively secured, for instance, the cooling of data centres or refrigeration of perishable goods in retail, which are critical systems to abruptly be taken offline if compromised.”
Organisations embracing digital transformation and taking steps to secure BMS when bringing them online have the opportunity to integrate the measurement of business impact and safeguard the operational criticality of those devices. By understanding the full context of those systems, they can reduce risk and avoid the highly consequential disruptions that might come from their failure.
As buildings get smarter, organisations need to adopt a security framework that presents cybersecurity decision-makers and asset owners with a true assessment of their security posture, as well as a remediation plan tailored for action by risk management teams and understandable by executives.