Widespread Building Management System Flaws Exposed, Hospital HVAC Systems Emerge as New Ransomware Target

Written by: Lore Apostol, Cybersecurity Writer

Severe security exposures have been found in building management systems (BMS) and building automation systems (BAS) across critical industries, revealing that a majority of organizations are running systems with actively exploited vulnerabilities.

The findings were published in a new report from cybersecurity firm Claroty, "State of CPS Security 2025: Building Management System Exposures." 

Key Findings on BMS Cybersecurity Risks

The Claroty 2025 report identifies a critical intersection of risk factors following the analysis of data from over 467,000 devices. A striking 75% of the 529 organizations analyzed have BMS devices with at least one known exploited vulnerability (KEV). 

Compounding this issue, 51% of these organizations have BMS assets that are insecurely exposed to the internet, providing a potential entry point for threat actors, and 54% of organizations are exposed to KEVs that have been specifically linked to ransomware campaigns, creating a direct pathway for disruptive and financially motivated attacks. 

These exposures present a real and imminent threat to operational sustainability in the commercial real estate, retail, hospitality, healthcare, and data center sectors, which rely on Heating, Ventilation, and Air Conditioning (HVAC) systems.

Many hospitals rely on BMS infrastructure designed in the 1990s and early 2000s, a time when modern cybersecurity considerations were not yet a priority.

The potential for hospital HVAC ransomware attacks poses a direct risk to patient care, as disabling heating or cooling could compromise sterile environments, disrupt operating rooms, and endanger vulnerable patients.

Securing Critical Infrastructure

The report emphasizes that as buildings become "smarter," the insecure online connectivity of legacy BMS platforms introduces significant new risks to business operations and critical infrastructure security. 

To mitigate these threats, Claroty recommends a five-step action plan that moves beyond traditional vulnerability management. The framework includes identifying high-risk assets, implementing network segmentation, managing insecure remote access, and developing a tailored remediation plan. 

This strategic approach enables organizations to prioritize their most significant exposures and strengthen their overall security posture against sophisticated cyber-physical threats.
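As an added illustration of the "identify high-risk assets" step described above (example code written for this article, not Claroty's tooling or the report's method), the following Python ranks a constructed BMS inventory by the three exposure factors the report counts and computes the same organization-level shares; asset names, organizations and CVE ids are placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class BmsAsset:
    """One BMS/BAS device as seen by an asset inventory (constructed, hypothetical)."""
    name: str
    org: str
    internet_exposed: bool                              # reachable from the internet
    kevs: set = field(default_factory=set)              # CVE ids on the KEV catalog
    ransomware_kevs: set = field(default_factory=set)   # subset linked to ransomware


def risk_score(asset: BmsAsset) -> int:
    """Rank for remediation: the factors compound, so weight them so that
    an internet-exposed device with a ransomware-linked KEV always sorts first."""
    score = 0
    if asset.kevs:
        score += 1
    if asset.ransomware_kevs:
        score += 2
    if asset.internet_exposed:
        score += 4  # no foothold on the building network is needed to reach it
    return score


def prioritized(assets):
    """Assets that carry at least one exposure factor, highest risk first."""
    return sorted((a for a in assets if risk_score(a) > 0), key=risk_score, reverse=True)


def org_metrics(assets):
    """Share of organizations with (a) any KEV, (b) an internet-exposed BMS asset,
    (c) a ransomware-linked KEV, i.e. the three figures the report publishes."""
    orgs = {a.org for a in assets}
    with_kev = {a.org for a in assets if a.kevs}
    exposed = {a.org for a in assets if a.internet_exposed}
    with_rw = {a.org for a in assets if a.ransomware_kevs}
    n = len(orgs)
    return {"kev": len(with_kev) / n, "exposed": len(exposed) / n, "ransomware_kev": len(with_rw) / n}


# Constructed sample inventory; CVE ids are placeholders, not real identifiers.
SAMPLE = [
    BmsAsset("hvac-ahu-1", "hospital-a", True, {"CVE-PLACEHOLDER-1"}, {"CVE-PLACEHOLDER-1"}),
    BmsAsset("chiller-ctrl", "hospital-a", False, {"CVE-PLACEHOLDER-2"}, set()),
    BmsAsset("bas-gateway", "retail-b", True, set(), set()),
    BmsAsset("lighting-ctrl", "datacenter-c", False, set(), set()),
]
```

Running `prioritized(SAMPLE)` puts the internet-exposed HVAC controller with a ransomware-linked KEV first, which is the asset the segmentation and remote-access steps should address before anything else.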

Healthcare was among the most impacted industries in a recent cybersecurity report, with a surge in high-severity incidents. One critical case involving cyberattacks that target hospitals is Qilin’s 2024 NHS cyberattack, which partially contributed to one patient's death.
