
Legacy BMS Cybersecurity: Protecting Older Building Systems

Security considerations and strategies for aging building automation systems.

December 18, 2025 12 min read Controls NYC

Building automation systems weren't designed with cybersecurity in mind. Systems installed 10-20 years ago predate modern security threats — yet they increasingly connect to networks and the internet.

The Risk is Real
Legacy BMS systems are increasingly targeted. In 2021, a hacker accessed a Florida water treatment plant's control system and attempted to poison the water supply. Building systems face similar risks.

Why Legacy BMS Systems Are Vulnerable

[Infographic: Risk Exposure, with panels for Authentication, Encryption and Security Updates]

No Authentication

BACnet MS/TP, Modbus, and older proprietary protocols have no authentication at the protocol level. Any device that can reach the network can send commands, and a controller has no way to tell an operator's command from anyone else's.

No Encryption

All communication happens in plaintext. Passwords, commands, and data can be observed by anyone with network access.

Outdated Operating Systems

Workstations running Windows XP or 7 have known vulnerabilities that will never be patched.

Real-World Risks

Operational Disruption
  • Equipment turned off unexpectedly
  • Setpoints changed causing discomfort
  • Schedules modified disrupting operations
  • Alarms disabled masking problems
Financial Impact
  • Ransomware holding systems hostage
  • Physical damage from manipulation
  • Freeze/water damage from disabled HVAC
  • Reputation damage from public incident

Security Strategies for Legacy Systems

#1 Priority: Network Segmentation
The single most important protection — isolate your BMS from other networks:
  • Place BMS on dedicated VLAN
  • Firewall between BMS and corporate network
  • Firewall between BMS and internet
  • Allow only necessary traffic between segments
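One way to make "allow only necessary traffic" concrete is to write the segmentation policy down as a default-deny allow-list and generate the firewall rules from it. The following is an added example, not Controls NYC's code or any vendor's tool; the VLAN addresses, segment names, ports and allowed flows are constructed for illustration and would be replaced with your own addressing plan and the traffic your BMS actually needs.

```python
"""Default-deny allow-list between building network segments.

Added illustration, not Controls NYC code. The VLAN addresses, segment names
and allowed flows below are constructed for this example; replace them with
your own addressing plan and the traffic your BMS actually needs.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan: the BMS gets its own VLAN, separate from
# operator workstations, corporate users and the VPN landing range.
SEGMENTS = {
    "bms": ipaddress.ip_network("10.30.0.0/24"),        # controllers, supervisor
    "bms-ops": ipaddress.ip_network("10.31.0.0/24"),    # operator workstations
    "corporate": ipaddress.ip_network("10.10.0.0/16"),  # office users
    "vpn": ipaddress.ip_network("10.99.0.0/24"),        # remote users after VPN + MFA
}


@dataclass(frozen=True)
class Rule:
    src: str      # source segment name
    dst: str      # destination segment name
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    note: str     # why this flow is needed


# Only the traffic the BMS needs. Anything not listed here is dropped.
ALLOW = [
    Rule("bms-ops", "bms", "udp", 47808, "BACnet/IP from operator workstations"),
    Rule("bms-ops", "bms", "tcp", 502, "Modbus/TCP from operator workstations"),
    Rule("vpn", "bms-ops", "tcp", 3389, "RDP to an operator workstation, never to controllers"),
]


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Decide a cross-segment flow the way the firewall would: default deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == dst:
        return True  # same VLAN: not forwarded through the firewall at all
    return any(
        r.src == src and r.dst == dst and r.proto == proto and r.dport == dport
        for r in ALLOW
    )


def render_iptables() -> list:
    """Render the allow-list as iptables FORWARD rules under a DROP policy."""
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in ALLOW:
        lines.append(
            f"iptables -A FORWARD -s {SEGMENTS[r.src]} -d {SEGMENTS[r.dst]} "
            f"-p {r.proto} --dport {r.dport} -m comment --comment \"{r.note}\" -j ACCEPT"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(render_iptables()))
    print("corporate -> BMS BACnet allowed?",
          is_allowed("10.10.4.7", "10.30.0.20", "udp", 47808))
```

The point of keeping the policy in one table is that the answer to "can corporate reach the controllers?" is readable at a glance, and every allowed flow carries a reason that can be reviewed when the system changes. Note that nothing reaches the BMS VLAN directly from the VPN range; remote users land on an operator workstation first.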

Additional Security Layers

  • Limit network exposure: No direct internet access; remote access only through VPN
  • Access control: Change all default passwords; individual accounts for each user
  • Monitoring: Log access, monitor for unusual activity, alert on failed logins
  • Physical security: Lock mechanical rooms, secure network equipment
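The monitoring bullet above (log access, alert on failed logins, watch for unusual activity) can be implemented with a small log watcher even when the BMS software itself has no alerting. The following is an added example, not Controls NYC's code; the log lines are constructed in a generic syslog-like layout rather than copied from any real BMS product, and the thresholds and business hours are assumptions to tune for your site.

```python
"""Failed-login and after-hours alerting over BMS supervisor login logs.

Added illustration, not Controls NYC code. The log format, thresholds and
business hours are constructed assumptions for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real output of any BMS product).
SAMPLE_LOG = """\
2025-12-18T08:01:12 bms-sup01 login: user=operator src=10.31.0.5 result=success
2025-12-18T08:03:40 bms-sup01 login: user=admin src=10.10.4.7 result=failure
2025-12-18T08:03:52 bms-sup01 login: user=admin src=10.10.4.7 result=failure
2025-12-18T08:04:05 bms-sup01 login: user=admin src=10.10.4.7 result=failure
2025-12-18T08:04:19 bms-sup01 login: user=admin src=10.10.4.7 result=failure
2025-12-18T08:04:33 bms-sup01 login: user=admin src=10.10.4.7 result=failure
2025-12-18T08:30:00 bms-sup01 login: user=tech src=10.31.0.9 result=failure
2025-12-18T09:15:00 bms-sup01 login: user=tech src=10.31.0.9 result=success
2025-12-18T22:47:10 bms-sup01 login: user=operator src=10.31.0.5 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse(log_text: str) -> list:
    """Turn matching lines into dicts; lines in other formats are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect(events, threshold=5, window=timedelta(minutes=5), business_hours=(7, 19)):
    """Return (kind, src, user, ts) alerts.

    - repeated_failures: `threshold` or more failures from one source within `window`
      (raised once per source, so a long burst does not flood the on-call inbox)
    - after_hours_login: a successful login outside `business_hours` (24h clock)
    """
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    already_alerted = set()
    for e in events:
        if e["result"] == "failure":
            q = recent[e["src"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and e["src"] not in already_alerted:
                already_alerted.add(e["src"])
                alerts.append(("repeated_failures", e["src"], e["user"], e["ts"]))
        elif e["result"] == "success":
            start, end = business_hours
            if not (start <= e["ts"].hour < end):
                alerts.append(("after_hours_login", e["src"], e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect(parse(SAMPLE_LOG)):
        print(f"{ts} ALERT {kind}: user={user} src={src}")
```

Run against the sample, this raises one alert for the burst of failures against the admin account from a corporate-range address, and one for the successful login late in the evening. The single failed login from an operator workstation is left alone; a threshold keeps ordinary typos from becoming noise.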

Remote Access Security

Never Expose Directly
Legacy BMS software should never be directly accessible from the internet. Always use:
  • VPN for network-level access
  • Secure remote access appliance
  • Cloud gateway with modern authentication
If your BMS doesn't support MFA, implement it at the VPN or gateway level.
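What "MFA at the VPN or gateway level" looks like in practice is a gateway that checks a password and a time-based one-time code before it opens a path to the legacy software, which itself never learns about the second factor. The following is an added example, not Controls NYC's code or any particular VPN product; it implements TOTP as specified in RFC 6238 (HOTP from RFC 4226 over a 30-second time step) and uses the RFC's published test secret so the results can be checked. The user record, password and salt are constructed for the example.

```python
"""Gateway-side password + TOTP check in front of a legacy BMS.

Added illustration, not Controls NYC code. TOTP/HOTP follow RFC 6238 / RFC 4226;
the user record, password, salt and secret storage are constructed for the example
(in practice the secrets live in the VPN appliance or identity provider).
"""
import hashlib
import hmac
import struct

PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at // step, digits)


def matching_step(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1):
    """Return the time step whose code matches, allowing `skew` steps of clock drift,
    or None. Uses a constant-time comparison for each candidate."""
    base = at // step
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, base + k), code):
            return base + k
    return None


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user record. The TOTP secret is the RFC 6238 test secret.
USERS = {
    "operator": {
        "salt": b"constructed-salt",
        "pw_hash": _pw_hash("correct horse battery staple", b"constructed-salt"),
        "totp_secret": b"12345678901234567890",
    }
}

# (user, time step) pairs already accepted: a captured code cannot be reused
# inside the drift window.
_accepted_steps = set()


def authorize(user: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass before the gateway opens a session to the BMS."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw_hash"]):
        return False
    step = matching_step(rec["totp_secret"], code, now)
    if step is None or (user, step) in _accepted_steps:
        return False
    _accepted_steps.add((user, step))
    return True


if __name__ == "__main__":
    # With the RFC test secret, the code for Unix time 59 is 287082.
    print("code at t=59:", totp(b"12345678901234567890", 59))
    print("authorized:", authorize("operator", "correct horse battery staple", "287082", 59))
```

The replay set is the detail most home-grown gateways miss: a valid code is accepted once per time step, so someone who observes a code in transit cannot reuse it during the drift window. Session lifetime and lockout after repeated failures belong at this same layer, since the legacy software behind the gateway cannot provide them.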

Planning for Upgrade

Security concerns are a significant driver for BMS upgrades:

  • Modern systems have built-in security features
  • Current software receives security updates
  • Newer protocols include authentication and encryption
  • Cloud-connected systems benefit from vendor security investment
If your legacy system's security limitations are significant, factor that into upgrade planning. The cost of a breach often exceeds the cost of modernization.

Getting Help

At Controls NYC, we help building owners assess and improve their BMS security posture. We can evaluate your current situation, recommend practical improvements, and implement security measures appropriate for your system.

Contact us to discuss security for your building automation system.
