INDUSTRY // Build. tech
New research from Claroty’s Team82 reveals riskiest building management system exposures
Claroty, a cyber-physical systems (CPS) protection company, has announced new research on the riskiest exposures among building management systems (BMS) and building automation systems (BAS). The new report from Team82, State of CPS Security 2025: Building Management System Exposures, analyses nearly half a million BMS across more than 500 CPS organisations, finding that 75% of organisations have BMS affected by known exploited vulnerabilities (KEVs). Digging deeper into the KEV-affected organisations, 51% are affected by KEVs that are also linked to ransomware and are insecurely connected to the Internet. Within those organisations, 2% of devices contain the same level of risk, meaning that devices essential to business operations are operating at the highest level of risk exposure.
This combination of risk factors raises alarms given the widespread reliance on BMS in commercial real estate, retail, hospitality and data centre facilities to operate systems like HVAC, lighting, energy, elevators, security and more. The exposure level of these devices provides adversaries with easily accessible entry points that leave the door open to costly and potentially dangerous disruptions. The findings in the report show the need for protection of these systems to be given greater priority, especially as they are brought online for operational and business reasons such as remote management and analytics. By taking an exposure management-based approach and focusing on the unique needs and challenges of CPS environments, organisations can identify, assess and prioritise the riskiest devices, saving precious time and resources.
“Oftentimes, BMS and BAS [Building Automation Systems] are being operationalised on the network without thinking about the cybersecurity implications,” said Grant Geyer, Chief Strategy Officer at Claroty. “What’s being gained in efficiency and convenience might be coming at a real risk if not effectively secured – for instance, the cooling of data centres or refrigeration of perishable goods in retail, which are critical systems to abruptly be taken offline if compromised.”
Organisations embracing Digital Transformation and taking steps to secure BMS when bringing it online have the opportunity to integrate the measurement of business impact and safeguard the operational criticality of those devices. By understanding the full context of those systems they can reduce risk and avoid the highly consequential disruptions that might come from their failure. As buildings get smarter, organisations need to adopt a security framework that presents cybersecurity decision-makers and asset owners with a true assessment of their security posture as well as a remediation plan tailored for action by risk management teams and understandable by executives.
To access Team82’s complete set of findings, in-depth analysis and recommended security measures, download the State of CPS Security 2025: Building Management System Exposures report.
www.intelligentcio.com INTELLIGENTCIO EUROPE