In sectors such as commercial real estate, retail, hospitality, and data centers, building management systems (BMS) play a vital role in literally keeping the lights on. As part of an organization’s cyber-physical systems (CPS) infrastructure, BMS can be linked to other smart devices that perform automated tasks such as monitoring energy consumption and sustainability thresholds. And for a number of strategic and bottom-line reasons, buildings in these sectors are increasingly tying their HVAC, lighting, energy, elevators, security, and more to BMS.
Historically, BMS were operated by facilities management without being connected to the public internet. As these systems are brought online for the first time, however, organizations are realizing that while they increase efficiency and streamline operations, they also introduce significant cyber risk.
Claroty’s Team82 covers this dilemma extensively in its State of CPS Security 2025 report on BMS exposures. The goal of this report is to provide insights into the riskiest exposures to BMS across asset-intensive enterprises in various industries that rely on these assets for operational sustainability.
With all this in mind, here are some key findings from the report, based on an analysis of more than 467,000 BMS operating in 529 organizations across commercial real estate, retail, hospitality, and data centers (which we collectively refer to as “commercial” organizations), as well as those in the industrial and healthcare sectors.
Our findings detail a specific set of risk factors called known exploitable vulnerabilities (KEVs). These are the most accessible entry points for a threat actor to gain access to a CPS environment, and they pose the biggest risk of a company-wide security incident. KEVs are also present in most of the organizations we analyzed, underscoring the criticality of prioritizing risk reduction for each device on an enterprise network.
75% of organizations have BMS devices affected by known exploitable vulnerabilities (KEVs)
69% have devices with KEVs used in confirmed ransomware attacks
51% have BMS on their networks that are not only affected by KEVs—including those linked to ransomware—but are also insecurely connected to the internet
BMS face severe cybersecurity threats due to their legacy design (such as protocols like BACnet and Modbus lacking native encryption), widespread use of default/hardcoded credentials, prevalent unpatched vulnerabilities in unsupported or legacy devices and operating systems, an absence of strong authentication, insecure internet exposure, and significant risks introduced by unmanaged third-party remote access tools and open network ports.
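The point about legacy protocols deserves a concrete look. Modbus/TCP, one of the protocols named above, carries no credentials, session token or integrity check: a request is a seven-byte MBAP header followed by a function code and its data, and any host that can reach TCP/502 on a controller can write its registers. The only control available on the wire is therefore network identity. The following is an added example (not code from the report or from Claroty) that encodes and parses Modbus/TCP frames and runs a simple passive detector over a constructed sample capture, alerting on any write function code from a source that is not an allow-listed BMS server. The IP addresses, register addresses, site network range and the capture itself are all assumed for illustration.

```python
"""Passive detection of Modbus/TCP write commands against a BMS controller (illustrative)."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Public Modbus function codes that change controller state.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Assumed site address space; anything outside it is treated as Internet-sourced.
SITE_NETWORKS = [ip_network("10.0.0.0/8")]


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def _frame(tid: int, unit: int, pdu: bytes) -> bytes:
    # MBAP length counts the unit id plus the PDU. There is no authentication field anywhere.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_write_single_register(tid: int, unit: int, address: int, value: int) -> bytes:
    """Encode a Write Single Register (0x06) request."""
    return _frame(tid, unit, struct.pack(">BHH", 0x06, address, value))


def build_read_holding_registers(tid: int, unit: int, address: int, quantity: int) -> bytes:
    """Encode a Read Holding Registers (0x03) request."""
    return _frame(tid, unit, struct.pack(">BHH", 0x03, address, quantity))


def parse_frame(raw: bytes) -> ModbusFrame:
    """Split a raw Modbus/TCP payload into MBAP fields, function code and data."""
    if len(raw) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(raw) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusFrame(tid, unit, raw[MBAP_LEN], raw[MBAP_LEN + 1:])


def describe_write(frame: ModbusFrame) -> str:
    """Decode the target of a write so the alert says what was changed."""
    if frame.function in (0x05, 0x06):
        address, value = struct.unpack(">HH", frame.data[:4])
        return f"address {address} <- {value:#06x}"
    if frame.function in (0x0F, 0x10):
        address, quantity = struct.unpack(">HH", frame.data[:4])
        return f"{quantity} item(s) from address {address}"
    return "unknown"


def detect_unauthorized_writes(capture, allowed_writers):
    """capture: iterable of (src_ip, dst_ip, raw_modbus_tcp_payload).
    Returns one alert dict per write request from a non-allow-listed source."""
    alerts = []
    for src, dst, raw in capture:
        try:
            frame = parse_frame(raw)
        except ValueError as exc:
            alerts.append({"severity": "low", "src": src, "dst": dst, "reason": f"malformed: {exc}"})
            continue
        if frame.function not in WRITE_FUNCTIONS or src in allowed_writers:
            continue
        on_site = any(ip_address(src) in net for net in SITE_NETWORKS)
        alerts.append({
            "severity": "high" if on_site else "critical",
            "src": src, "dst": dst, "unit": frame.unit_id,
            "function": WRITE_FUNCTIONS[frame.function],
            "target": describe_write(frame),
        })
    return alerts


# Constructed sample traffic (not a real capture): a BMS server, an unexpected
# internal host and an Internet address all talking to a controller.
BMS_SERVER = "10.0.1.5"
CONTROLLER = "10.0.2.20"
SAMPLE_CAPTURE = [
    (BMS_SERVER, CONTROLLER, build_read_holding_registers(1, 1, 0x0000, 8)),     # routine poll
    (BMS_SERVER, CONTROLLER, build_write_single_register(2, 1, 0x0010, 720)),    # legitimate setpoint change
    ("10.0.1.99", CONTROLLER, build_write_single_register(3, 1, 0x0010, 1500)),  # unexpected internal host
    ("203.0.113.7", CONTROLLER, build_write_single_register(4, 1, 0x0011, 0)),   # Internet-sourced write
]

if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_CAPTURE, {BMS_SERVER}):
        print(alert)
```

Because the protocol itself offers nothing to check, the allow-list is a network-identity control, not an authentication control: a compromised host inside the allow-list or a spoofed source address passes it. That is exactly why segmentation and removing direct internet reachability matter more for these devices than they would for a protocol with built-in authentication.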
Team82’s findings revealed that 75% of organizations have BMS with KEVs. BMS vulnerabilities pose critical, cascading risks for asset-intensive enterprises (such as data centers, retail, food production, hospitality, logistics, and smart buildings) by directly threatening operational continuity, essential service delivery, and worker safety through potential shutdowns of essential environmental, security, and physical control systems. The potential consequences include uptime disruptions, financial losses, and significant reputational damage, any of which can cascade into outages across the ecosystems that depend on those buildings.
As buildings continue to get “smarter,” that is, more interconnected and brought online more often, organizations will discover that many of these systems lack basic security functionality such as authentication and encryption. Directly connecting them to the enterprise network or the public internet will continue to pose new risks and challenges to the business.
Our report details a five-step action plan that BMS-reliant organizations can use to develop an exposure management program. The plan produces three core outcomes that reduce risk and its impact on the business.
CPS Risk Identification. Gain full visibility into all assets and their exposures. This foundational step uncovers hidden risks and blind spots that would otherwise remain undetected.
Business-Centric Risk Assessment. Assess exposures based on the operational criticality of processes and the potential impact on business continuity, rather than on technical severity alone.
Prioritization & Actionable Remediation. Empower security and operations teams with validated, context-aware findings that enable practical, non-disruptive risk reduction at scale.
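To make the three outcomes concrete, the following is an added example (not code from the report or from Claroty) that runs a small, constructed BMS asset inventory through a business-centric ranking and compares it with a ranking by CVSS alone. It also computes the three organization-level metrics the report headlines (share of organizations with any KEV, with a ransomware-linked KEV, and with a KEV on an internet-exposed device) over the same inventory. The criticality tiers, scoring weights, asset names, organizations and vulnerability identifiers (VULN-1 and so on) are all assumed for illustration; no real CVEs are referenced.

```python
"""Business-centric exposure prioritization for BMS assets (illustrative)."""
from dataclasses import dataclass

# Assumed operational criticality of the process a device controls (1 = low, 5 = high).
CRITICALITY = {"cooling": 5, "power": 5, "access-control": 4, "hvac": 3, "lighting": 1}


@dataclass
class Vuln:
    vuln_id: str            # hypothetical identifier, not a real CVE
    cvss: float
    kev: bool = False       # on a known-exploited list
    ransomware_linked: bool = False


@dataset = None  # placeholder removed below
```

(continued in the same block)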
With BMS controlling so much of today’s mission-critical infrastructure, properly securing them requires moving from a reactive approach to a proactive strategy. To do this, organizations must evolve beyond traditional vulnerability management to a more comprehensive, dynamic exposure management program that takes business impact and operational criticality into consideration.
Interested in learning about Claroty's Cybersecurity Solutions?