ISSN (Online): 2321-3418
Engineering and Computer Science
Open Access

Interdependencies of Sustainability and Cybersecurity in Building Management Systems: A Comprehensive Review of Critical Infrastructure

DOI: 10.18535/ijsrm/v14i05.ec05· Pages: 2890-2893· Vol. 14, No. 05, (2026)· Published: May 26, 2026

Abstract

The transition to sustainable energy sources and effective water management increasingly relies on automated systems centralized within Building Management Systems (BMS). This review explores the interconnectedness between environmental sustainability and cybersecurity in critical infrastructure contexts. A systematic literature review was performed, covering studies from 2020 to 2024 using databases such as IEEE Xplore, Scopus, and Web of Science, focusing on BMS vulnerabilities, communication protocols, and documented cyberattack incidents. Findings indicate that 75% of organizations operate BMS with known vulnerabilities that are actively exploited, including those utilized in ransomware attacks. Legacy communication protocols like BACnet, Modbus, KNX, and LonWorks lack inherent encryption or authentication measures, which puts HVAC, energy management, and water systems at risk of data tampering, model inversion attacks, and unsafe operations. The Colonial Pipeline incident in 2021 highlighted how ransomware can disrupt essential services across a wide area. An examination of IEC 62443 and NIST security frameworks shows a significant mismatch between suggested defenses and specific risks associated with BMS. Failing to incorporate cybersecurity into design processes creates systemic vulnerabilities. For resilient infrastructures, it is crucial to adopt cyber-risk budgets, implement zero-trust network segmentation strategies, ensure secure-by-design development practices, and maintain ongoing monitoring. This review also provides a vulnerability matrix specific to protocols along with a defense checklist tailored for engineers and facility managers.

Keywords

Building Management Systems; cybersecurity; sustainability; critical infrastructure; IoT; IEC 62443; BACnet; Modbus; KNX; smart buildings; zero-trust

1. Introduction

In the contemporary world, human existence hinges on the robustness of intertwined environmental and digital systems. The energy transition is facilitated through smart grids alongside automated irrigation systems, HVAC units, water treatment facilities, and IoT air quality sensors—all typically managed via Building Management Systems (BMS). These systems oversee mechanical, electrical, and security components within commercial buildings, hospitals, data centers, and industrial sites. The integration of operational technology (OT) with information technology (IT) merges data handling into a singular time-sensitive workflow encompassing data → model/sync → actuation—thus broadening potential vulnerability points.[1][2] Securing building automation systems is vital for any commercial design project since responsibility for cybersecurity ultimately falls on building owners while involving various stakeholders.[1] The goals of this review include: (1) identifying protocol-specific vulnerabilities in prevalent BMS communication standards; (2) assessing documented cyber incidents relative to sustainability objectives; and (3) evaluating mitigation techniques based on IEC 62443 and NIST guidelines.

2. Materials and Methods

A narrative systematic review was executed adhering to PRISMA 2020 protocols. Five databases—IEEE Xplore, Scopus, Web of Science, ACM Digital Library, and PubMed—were searched up to June 2024 using the query ("Building Management System" OR "BMS" OR "Building Automation System") AND ("cybersecurity" OR "vulnerability" OR "attack") AND ("BACnet" OR "Modbus" OR "KNX" OR "LonWorks"). Inclusion criteria encompassed peer-reviewed articles as well as technical reports addressing vulnerabilities in BMSs affecting critical infrastructure. A total of 124 studies were included out of an initial pool of 1,276 records.

3. Results

3.1. Protocol-Specific Vulnerabilities in BMS

BMS utilize various open-source or proprietary communication protocols to connect field devices; many were developed before cybersecurity became a design priority, so they offer little or no built-in encryption or authentication.[3] Table 1 presents the prominent protocols alongside their identified vulnerabilities and exploitation methods.[3]

Table 1. Vulnerability matrix for dominant BMS communication protocols (columns: Protocol, Year Released, Native Security, Known Vulnerabilities, Common Exploits, Impact on Sustainability)

BACnet/IP (released 1995)
  Native security: no encryption; BACnet/SC optional
  Known vulnerabilities: no device authentication; plaintext credentials; broadcast storms
  Common exploits: port 47808 scanning; device spoofing; DoS via Who-Is floods
  Impact on sustainability: HVAC shutdown affecting energy targets; data center cooling failure

Modbus TCP (released 1979)
  Native security: no encryption, no authentication
  Known vulnerabilities: no integrity checks; function code injection; slave ID spoofing
  Common exploits: man-in-the-middle; unauthorized register writes; replay attacks
  Impact on sustainability: water treatment disruption; pump/valve manipulation

KNX (released 1990)
  Native security: KNX Secure optional
  Known vulnerabilities: telegram injection if Secure not enabled; group address enumeration
  Common exploits: bus sniffing; unauthorized commands to actuators
  Impact on sustainability: lighting/energy waste; unauthorized access control

LonWorks (released 2000)
  Native security: proprietary, weak
  Known vulnerabilities: 20,000+ devices exposed on port 1911; default credentials
  Common exploits: Shodan enumeration; direct internet access
  Impact on sustainability: full BMS takeover; data exfiltration from subsystems

Analysis indicates that over half (51%) of organizations have BMS containing known exploitable weaknesses along with insecure internet connectivity arrangements—with three out of four businesses vulnerable due primarily to outdated software lacking necessary updates.[4]
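The following Python is an added, constructed illustration of how a defender can monitor for two of the exploit patterns listed in Table 1: Who-Is floods against BACnet/IP and unauthorized Modbus register writes. It is not code from the paper or from any cited source. The flow-log line format, the allowlisted engineering-workstation address and the flood thresholds are assumptions, and the sample log lines are constructed; the Modbus write function codes (0x05, 0x06, 0x0F, 0x10) are the standard ones.

```python
"""Detection example: flag BACnet Who-Is floods and unauthorized Modbus writes.

Assumed log line shape: "<ts> <src> <dst> <proto> key=value ...".
All sample data below is constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass

# Standard Modbus function codes that change controller state (coils / holding registers)
MODBUS_WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}
# Hosts permitted to write Modbus registers (assumed engineering workstation)
WRITE_ALLOWLIST = {"10.20.0.5"}
WHOIS_WINDOW_S = 10      # sliding window for the Who-Is rate (assumed)
WHOIS_THRESHOLD = 50     # Who-Is messages per window that count as a flood (assumed)


@dataclass
class Finding:
    rule: str
    src: str
    detail: str


def parse_line(line):
    """Parse 'ts src dst proto key=value ...' into a dict of string fields (ts as float)."""
    ts, src, dst, proto, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": float(ts), "src": src, "dst": dst, "proto": proto, **fields}


def analyze(lines):
    """Run both detections over an iterable of log lines and return the findings in order."""
    findings = []
    whois_times = defaultdict(list)   # per-source timestamps of recent Who-Is broadcasts
    flagged_flood = set()             # report each flooding source once
    for line in lines:
        ev = parse_line(line)
        if ev["proto"] == "bacnet" and ev.get("service") == "who-is":
            times = whois_times[ev["src"]]
            times.append(ev["ts"])
            # discard timestamps that fell out of the sliding window
            while times and ev["ts"] - times[0] > WHOIS_WINDOW_S:
                times.pop(0)
            if len(times) > WHOIS_THRESHOLD and ev["src"] not in flagged_flood:
                flagged_flood.add(ev["src"])
                findings.append(Finding("bacnet-whois-flood", ev["src"],
                                        f"{len(times)} Who-Is in {WHOIS_WINDOW_S}s"))
        elif ev["proto"] == "modbus":
            fc = int(ev["fc"], 0)  # accepts "0x06" or "6"
            if fc in MODBUS_WRITE_CODES and ev["src"] not in WRITE_ALLOWLIST:
                findings.append(Finding("modbus-unauthorized-write", ev["src"],
                                        f"fc=0x{fc:02X} to {ev['dst']} unit={ev.get('unit')}"))
    return findings


def sample_log():
    """Constructed telemetry: one Who-Is flood, one authorized and one unauthorized Modbus write."""
    lines = []
    # 60 Who-Is broadcasts within 6 seconds from a single host (constructed flood)
    for i in range(60):
        lines.append(f"{100 + i * 0.1:.1f} 10.20.1.77 10.20.1.255 bacnet service=who-is")
    # benign discovery from the supervisory server
    lines.append("110.0 10.20.0.5 10.20.1.255 bacnet service=who-is")
    # authorized setpoint write from the engineering workstation
    lines.append("111.0 10.20.0.5 10.20.2.10 modbus fc=0x06 unit=1 addr=40001")
    # write to the same PLC from an office host that is not on the allowlist
    lines.append("112.0 10.30.5.12 10.20.2.10 modbus fc=0x10 unit=1 addr=40001")
    # a read from that office host is not a write and is not flagged
    lines.append("113.0 10.30.5.12 10.20.2.10 modbus fc=0x03 unit=1 addr=40001")
    return lines


if __name__ == "__main__":
    for f in analyze(sample_log()):
        print(f.rule, f.src, f.detail)
```

Because neither protocol authenticates its peers, the allowlist here is the source address of the engineering workstation, which only holds up when the OT segment is isolated from the office network; the Who-Is rule is purely a rate check and says nothing about legitimacy, so a real deployment would tune the window and threshold to the site's normal discovery traffic.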

3.2. Attack Vectors

Notable risks associated with digital twins within industrial control environments include data poisoning and unsafe actuation. Malware such as ShadowPad has been used against building automation systems (BAS) by leveraging Microsoft Exchange vulnerabilities, while groups such as WASSONITE target configuration databases linked to DCIM platforms.[2][5]

The Colonial Pipeline breach in 2021 exemplified how one compromised IT asset could lead to widespread fuel shortages along the U.S. East Coast. Other documented incidents include cyberattack-induced equipment failures that affected service availability across sectors, including banking services disrupted by chiller outages in Australian facilities.[6][5]

3.3. Impact on Operational Sustainability Objectives

Cyberattacks on hydroelectric facilities can jeopardize potable water availability for urban centers such as Bogotá; they can likewise disrupt hospital operations or the climate monitoring of data centers whose cooling systems are controlled by a BMS that lacks adequate protective barriers.[2]

4. Discussion

4.1. Discrepancies Between Standards & Practical Implementation

Currently recommended mitigation techniques include adversarial training programs and secure middleware solutions, with an emphasis on compliance with IEC 62443/NIST guidelines. However, a gap remains between the proposed defensive measures and actual deployments, since most installations use flat networks that lack the required segmentation.[2][4]

4.2. Secure-by-Design Principles for BMS

Incorporating strong cybersecurity fundamentals during the design phase is imperative. Practices should include changing all default passwords immediately after installation, disabling unnecessary controller services, restricting network access down to the controller level, and securing remote connectivity via VPN; maintaining physical security around sensitive data points remains equally important.[7] Further recommendations include establishing firewall barriers, deploying VPN infrastructure, implementing Intrusion Detection and Prevention Systems, enforcing multifactor authentication, adopting rigorous password policies, providing comprehensive personnel training on response procedures aligned with an established incident response plan, and fostering an organizational culture centered on security awareness. Table 2 maps the essential controls to the IEC 62443-3-3 System Requirements applicable to BMS environments:

Table 2. BMS cybersecurity checklist mapped to IEC 62443-3-3 System Requirements (SR); each entry gives the control, the SR, the implementation in a BMS, and the priority.

Network segmentation (SR 3.1 Network segmentation), priority High:
  VLANs separating OT, IT and guest networks; firewall between BAS and enterprise.

Device authentication (SR 1.1 Identification and authentication control), priority High:
  BACnet/SC with device certificates; 802.1X for IP controllers.

Encrypted communications (SR 4.1 Information confidentiality), priority High:
  TLS for BACnet/SC; VPN for remote access; KNX Secure.

Patch management (SR 7.1 Control system backup; SR 7.3 Control system recovery), priority Medium:
  Monthly firmware updates; test environment for patches.

Default credentials (SR 1.2 Software process and device identification), priority Critical:
  Change all default passwords; disable unused accounts.

Audit logging (SR 2.8 Auditable events), priority Medium:
  Syslog to SIEM; retain logs 90 days minimum.

Physical access (SR 3.2 Security function isolation), priority Medium:
  Locked control panels; CCTV on critical controllers.

Incident response (SR 6.1 Incident response plan), priority High:
  Defined playbook for BMS compromise; tabletop exercises.
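As an added example (not from the paper or any of its sources), the Python below turns the Table 2 checklist into an automatable configuration audit: it takes a description of a site's BMS configuration and returns the controls that are not met, ordered by the checklist priority. The configuration schema (the dictionary keys), the default-credential pairs and both sample configurations are assumptions constructed for the example; the control names, SR references and priorities are those of the checklist.

```python
"""Audit a BMS configuration against the Table 2 checklist controls.

The configuration keys are an assumed schema for this example; the control
names, SR references and priorities follow the checklist in the text."""
from dataclasses import dataclass

# Constructed username/password pairs standing in for vendor defaults
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", ""), ("user", "user")}
PRIORITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2}
REQUIRED_VLANS = {"OT", "IT", "guest"}


@dataclass
class Finding:
    control: str
    sr: str
    priority: str
    detail: str


def audit(cfg):
    """Return checklist findings for cfg, most urgent first (empty if compliant)."""
    findings = []

    # SR 1.2: every account still on a default password is a Critical finding
    for acct in cfg.get("accounts", []):
        if (acct["user"], acct["password"]) in DEFAULT_CREDENTIALS:
            findings.append(Finding("Default credentials", "SR 1.2", "Critical",
                                    f"account '{acct['user']}' uses a default password"))

    # SR 3.1: OT/IT/guest VLANs plus a firewall between BAS and enterprise
    missing = REQUIRED_VLANS - set(cfg.get("vlans", []))
    firewall = cfg.get("bas_enterprise_firewall", False)
    if missing or not firewall:
        findings.append(Finding("Network segmentation", "SR 3.1", "High",
                                f"missing VLANs {sorted(missing)}; BAS-enterprise firewall={firewall}"))

    # SR 1.1 / SR 4.1: BACnet/SC provides device certificates and TLS; plain BACnet/IP has neither
    if cfg.get("bacnet_transport") != "SC":
        findings.append(Finding("Device authentication / encrypted communications", "SR 1.1 / SR 4.1",
                                "High", f"BACnet transport is {cfg.get('bacnet_transport')!r}, not BACnet/SC"))

    # SR 4.1: a KNX bus without KNX Secure carries telegrams in the clear
    if cfg.get("knx_present") and not cfg.get("knx_secure"):
        findings.append(Finding("Encrypted communications", "SR 4.1", "High",
                                "KNX bus present but KNX Secure not enabled"))

    # SR 2.8: logs must reach a syslog/SIEM target and be retained at least 90 days
    retention = cfg.get("log_retention_days", 0)
    if not cfg.get("syslog_target") or retention < 90:
        findings.append(Finding("Audit logging", "SR 2.8", "Medium",
                                f"syslog_target={cfg.get('syslog_target')!r}, retention {retention} days"))

    # SR 7.1 / SR 7.3: the checklist calls for monthly firmware updates
    age = cfg.get("days_since_firmware_update", 10**6)
    if age > 31:
        findings.append(Finding("Patch management", "SR 7.1 / SR 7.3", "Medium",
                                f"firmware last updated {age} days ago"))

    findings.sort(key=lambda f: PRIORITY_ORDER[f.priority])  # stable: keeps check order within a tier
    return findings


def sample_config():
    """Constructed configuration of a typical flat, unpatched installation."""
    return {
        "accounts": [{"user": "admin", "password": "admin"},
                     {"user": "ops", "password": "R3d@cted!"}],
        "vlans": ["OT", "IT"],
        "bas_enterprise_firewall": True,
        "bacnet_transport": "IP",
        "knx_present": True,
        "knx_secure": True,
        "syslog_target": "10.20.0.50",
        "log_retention_days": 30,
        "days_since_firmware_update": 95,
    }


def hardened_config():
    """Constructed configuration that satisfies every automated check."""
    cfg = sample_config()
    cfg.update(accounts=[{"user": "ops", "password": "R3d@cted!"}],
               vlans=["OT", "IT", "guest"], bacnet_transport="SC",
               log_retention_days=180, days_since_firmware_update=12)
    return cfg


if __name__ == "__main__":
    for f in audit(sample_config()):
        print(f"[{f.priority}] {f.control} ({f.sr}): {f.detail}")
```

The physical-access and incident-response rows of the checklist are deliberately not automated here, since locked panels and tabletop exercises are verified on site rather than from a configuration file; a real audit would record them as manual evidence alongside the automated findings.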

Responsibility for thorough site risk assessments, and for defining both physical and cyber protection frameworks, rests with the asset owner. Proactive approaches that address exposure throughout the entire lifecycle of these assets, including continuous monitoring, contribute to resilience, sustained effectiveness and long-term viability as the underlying technologies advance.

5. Conclusions

Operational sustainability cannot be achieved without integrating robust cyber-resilience into the architectural designs and implementation methodologies that guide BMS throughout their lifecycle. Where IT/OT convergence occurs across diverse sectors, it introduces distinct challenges that require sector-specific adaptations of the established guidelines. Future work should incorporate simulation-based testing with adversarial tactics, assess emerging trust metrics, and address evolving threats collaboratively. Aligning these priorities while strengthening protective measures safeguards stakeholder interests and promotes the partnerships and strategic alliances needed for comprehensive solutions as the landscape continues to evolve.[2]

Abbreviations

The following abbreviations are used in this manuscript:

Table 3
BMS Building Management System
HVAC Heating, Ventilation and Air Conditioning
IEC International Electrotechnical Commission
NIST National Institute of Standards and Technology
IEEE Institute of Electrical and Electronics Engineers
BACnet Building Automation and Control networks
LonWorks Local Operating Network
Modbus Modicon Bus

References

  1. Bernstein, R. Cybersecurity for building automation systems. ASHRAE J. 2023, 65, 5.
  2. Xu, Z.; et al. A Critical Review of Cyber-Physical Security for Building Automation Systems; Pacific Northwest National Laboratory: Richland, WA, USA, 2024.
  3. TechTarget. An introduction to building management system vulnerabilities. Available online.
  4. Claroty Team82. State of CPS Security 2025: Building Management System Exposures; Claroty: New York, NY, USA, 2025.
  5. Datacenter Dynamics. The cybersecurity blind spot in data center building systems. 2025. Available online.
  6. U.S. Department of Energy. Colonial Pipeline Cyber Incident. 2021. Available online.
  7. Lloret Group. Use building management systems checklist to prevent cybercrime. Schneider Electric Blog, 2024. Available online.
Author details
Luz Karime Lobo
Southern New Hampshire University
Corresponding Author