Ask a data center security team about their attack surface and you will hear about the corporate network, tenant environments, perimeter firewalls. Ask about the building management system and you will hear about the facilities team. This is the mismatch that keeps me up at night.
In a hyperscale or colocation data center, the BMS controls cooling delivery, power switching, leak detection, and — increasingly — physical access. A BMS compromise is a production compromise. And yet most BMS environments are run on the security maturity of an early-2000s enterprise network.
What we see in the field
Across 23 data center assessments in 2025, a consistent set of BMS findings emerged:
- Default or weak credentials on more than 60% of BMS devices inspected
- Flat or minimally segmented networks shared with camera traffic and DCIM sensors
- Integrator remote-access pathways that bypassed facility firewalls
- Supervisor hosts running Windows Server versions that are out of mainstream support
- Firmware that had not been updated since facility commissioning
None of this is hypothetical. These are the findings we document, with screenshots and packet captures, in actual engagements.
Why BMS ends up this way
Two structural reasons. First, BMS is procured through facilities and construction, not through IT or security. The vendor selection process rarely includes security review, and the commissioning team's job ends at "does it work?" — not "is it defensible?"
Second, BMS is operated on a "don't touch what isn't broken" principle that is, to be fair, completely reasonable from a facilities perspective. Firmware upgrades risk breaking carefully-tuned HVAC sequences. Patch cycles create change-management friction. The path of least resistance is to leave the system alone.
That path is now a business-continuity risk.
What responsible BMS operation looks like
Start with three things:
- Segment BMS onto a dedicated network. Not a VLAN shared with cameras, sensors, and guest Wi-Fi. A dedicated enclave with firewall-enforced boundaries.
- Put integrator remote access through a jump host. MFA. Session recording. Per-integrator credentials. No more shared passwords or split-tunnel VPNs straight into the supervisor.
- Inventory and own the firmware. Know what version is running on every device. Know when it was last updated. Have a schedule for upgrades, not "we'll do it when we upgrade the rest of the site."
Do those three things and your BMS goes from "uncomfortably undefended" to "defensible" — and the cost is measured in weeks of work, not years of platform deployment.
The common objection
"Our BMS is on a separate physical network from corporate."
In our experience, that statement is true in intent and false in reality about 40% of the time. There is usually a workstation somewhere with a foot in both networks, or an integrator laptop that VPNs to corporate and connects to BMS over Wi-Fi, or a supervisor with a forgotten second NIC. The claim does not survive contact with a physical walkthrough.
Test it. Walk the IDFs. Map the supervisors. Trace the vendor access paths. You will find the seam.
The takeaway
BMS is OT. It deserves the same security rigor you apply to any other production-critical system. If you operate a Pacific Northwest data center and your BMS security posture has not been independently reviewed in the last 24 months, consider this an invitation.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.