BUILDINGS & BAS
OT Security for Building Automation
Discover internet-exposed BACnet, Modbus, and building management systems across commercial and industrial facilities.
Threat Landscape
Building automation systems (BAS) represent one of the fastest-growing segments of internet-exposed OT. Smart building deployments are accelerating, but security controls consistently lag behind connectivity.
BACnet devices, HVAC controllers, access control systems, and energy management platforms are increasingly internet-connected for remote management and analytics. 62% of internet-exposed BAS devices show default or no authentication, making them trivial targets for attackers seeking initial access or lateral movement into connected IT/OT networks.
ShiftSix discovers your internet-exposed building automation assets before attackers do—mapping every BACnet device, Modbus controller, and BAS gateway reachable from the internet.
Relevant OT Protocols
BACnet
The dominant protocol in building automation. Exposed BACnet devices reveal facility operations, occupancy patterns, and HVAC control points that can be manipulated remotely.
Modbus/TCP
Used in legacy BAS systems and energy management platforms. Exposed Modbus registers can control physical processes including HVAC, lighting, and power distribution.
Compliance Requirements
Building operators face growing cybersecurity requirements:
- NIST CSF 2.0 — Asset management (ID.AM) and access control (PR.AC) functions require visibility into internet-exposed BAS systems
- NIS2 Directive — EU requirements covering building management for critical infrastructure facilities
- Cyber Insurance Requirements — Increasingly require demonstration of OT security controls including external exposure management
- GSA Cybersecurity Standards — Federal building requirements for BAS security controls
Customer Story
Commercial Facilities Operator
Challenge
A facilities management company operating 15 commercial buildings suspected some BAS systems were internet-accessible but couldn’t quantify the scope.
Discovery
ShiftSix discovered 12 exposed BACnet devices across 8 buildings, including Tridium Niagara controllers with default credentials and BAS gateways with self-signed certificates.
Results
53% of BAS infrastructure had internet exposure, mostly through vendor remote access and IT/OT convergence points in default configurations.
Outcome
Default credentials rotated and unauthorized remote access closed within one week.
See Your OT Exposure
See What Attackers See
Get a free external exposure assessment of your organization’s OT attack surface.
See What Attackers See
Get a free external exposure assessment of your organization’s OT attack surface.