Building Management Systems in data centers control the life support infrastructure: power distribution, cooling systems, environmental monitoring, and physical access. A BMS outage doesn't directly crash servers, but it can disable cooling, trigger power failures, or prevent emergency response. A BMS compromise enables attackers to sabotage physical infrastructure, steal environmental data, or restrict access to the facility.
Many data centers treat BMS as separate from IT security, often outsourcing BMS operations to building contractors. This siloed approach creates security gaps: BMS systems run outdated software, lack network segregation, and have minimal access controls. Integrating BMS security into overall data center security strategy is essential.
BMS Architecture and Components
Most data center BMS systems consist of field controllers (connected to HVAC units, power distribution units, environmental sensors) communicating with a central BMS server. The BMS server collects data, displays it on dashboards, and triggers alerts when thresholds are exceeded. Many use BACnet or Modbus protocols over Ethernet for communication.
The BMS server typically runs on a Windows machine or specialized appliance, often with legacy software (building automation software from 10-20 years ago). Updating or patching these systems is operationally complex: changes can affect building operations. As a result, many BMS systems run with known vulnerabilities and are never patched.
BMS Security Controls
- Network Segmentation: BMS networks must be isolated from data center IT networks and the internet. Use dedicated switches, VLAN segregation, and industrial firewalls. BMS should not have direct internet connectivity. Remote access must occur through a jump server with multi-factor authentication and session logging.
- Access Control: Restrict who can access the BMS server and modify configurations. Many BMS systems use weak or default credentials; change them immediately. Implement role-based access: technicians can view status, supervisors can modify setpoints, only administrators can change configurations.
- Audit Logging: Enable all available logging on the BMS system: who accessed what, when, and what was changed. Store logs on a secure, isolated log server. Many BMS outages result from unauthorized configuration changes; audit logs are the primary way to detect and investigate them.
- Monitoring and Alerting: Monitor BMS for anomalies: setpoints changing without operator action, unexpected network traffic, failed authentication attempts. Integrate BMS alerts into your data center monitoring infrastructure so alerts reach on-duty personnel immediately.
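The audit-logging and monitoring controls above come down to running a few rules over the BMS event stream. The script below is an added example, not code from the original article or from any BMS vendor: it parses a constructed, hypothetical audit-log format (timestamp, event type, key=value fields) and flags three of the anomalies the list names: a setpoint change by an account with no open operator session, a setpoint outside an assumed allowed range for that point, and a burst of failed logins from one source. The log lines, point names, and limits are all constructed for illustration.

```python
"""Rule-based anomaly checks over a BMS audit log (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format; not any real BMS product's output.
SAMPLE_LOG = """\
2024-05-01T02:10:05Z LOGIN user=jsmith src=10.20.5.11 result=OK
2024-05-01T02:11:30Z SETPOINT user=jsmith point=CRAC-03/SupplyTemp old=18.0 new=19.0
2024-05-01T02:12:00Z LOGOUT user=jsmith
2024-05-01T03:40:12Z SETPOINT user=svc_bacnet point=CRAC-03/SupplyTemp old=19.0 new=32.0
2024-05-01T03:41:00Z LOGIN user=admin src=10.20.5.200 result=FAIL
2024-05-01T03:41:03Z LOGIN user=admin src=10.20.5.200 result=FAIL
2024-05-01T03:41:06Z LOGIN user=admin src=10.20.5.200 result=FAIL
2024-05-01T03:41:09Z LOGIN user=admin src=10.20.5.200 result=FAIL
2024-05-01T03:41:12Z LOGIN user=admin src=10.20.5.200 result=FAIL
"""

# Assumed engineering limits per point (low, high); anything outside is suspicious.
LIMITS = {"CRAC-03/SupplyTemp": (16.0, 24.0)}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z]+)\s*(?P<rest>.*)$")


def parse_line(line):
    """Turn one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "event": m.group("event"), **fields}


def analyze(log_text, limits=LIMITS, fail_threshold=5, window_s=60):
    """Return a list of alert dicts for the anomalies found in log_text."""
    alerts = []
    active = set()                 # users with an open interactive session
    failures = defaultdict(list)   # source address -> timestamps of failed logins
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        kind = ev["event"]
        if kind == "LOGIN":
            if ev.get("result") == "OK":
                active.add(ev.get("user", "?"))
            else:
                src = ev.get("src", "?")
                # Keep only failures inside the sliding window, then add this one.
                window = [t for t in failures[src]
                          if ev["ts"] - t <= timedelta(seconds=window_s)]
                window.append(ev["ts"])
                if len(window) >= fail_threshold:
                    alerts.append({"rule": "failed_auth_burst", "ts": ev["ts"],
                                   "src": src, "count": len(window)})
                    window = []   # reset so one burst produces one alert
                failures[src] = window
        elif kind == "LOGOUT":
            active.discard(ev.get("user", "?"))
        elif kind == "SETPOINT":
            user, point = ev.get("user", "?"), ev.get("point", "?")
            new = float(ev["new"])
            # Rule 1: a change with no matching operator session is unattended.
            if user not in active:
                alerts.append({"rule": "unattended_setpoint", "ts": ev["ts"],
                               "user": user, "point": point})
            # Rule 2: the new value must stay inside the assumed engineering limits.
            lo, hi = limits.get(point, (float("-inf"), float("inf")))
            if not lo <= new <= hi:
                alerts.append({"rule": "setpoint_out_of_range", "ts": ev["ts"],
                               "point": point, "value": new})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

Against the sample, the operator's in-session change to 19.0 passes silently, the service-account change to 32.0 raises both an unattended-change and an out-of-range alert, and the five failed admin logins within twelve seconds raise one burst alert. In practice the session-tracking rule needs the same treatment for protocol-level writes (BACnet or Modbus) that bypass the BMS server's login entirely, which is exactly the traffic the network-monitoring control is meant to see.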
Operational Integration and Vendor Management
If your BMS is supported by a building contractor or HVAC vendor, clarify security responsibilities in your service agreement. Who patches the BMS? Who has physical access to BMS controllers? Who monitors for unauthorized changes? Many vendor agreements assume the customer will monitor and enforce security; this should be explicit.
For critical data centers, consider redundant BMS: two independent systems monitoring the same infrastructure, either of which can operate the facility. This provides both fault tolerance and security: if one BMS is compromised, the other continues operating and can alert on discrepancies.
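The value of a redundant BMS depends on actually comparing the two systems. The following is an added example, not code from the article or from any BMS product: it takes a snapshot of readings from two independent systems (constructed sample values with hypothetical point names), reports points where they disagree beyond an assumed per-point tolerance or where one system is blind to a point the other sees, and returns only the readings both systems agree on for downstream use. The tolerances and point names are assumptions for illustration.

```python
"""Cross-check two independent BMS feeds and flag discrepancies (added example)."""

# Constructed snapshots from two hypothetical BMS instances monitoring the same hall.
READINGS_A = {
    "CRAC-01/return_temp_c": 24.1,
    "PDU-02/load_kw": 41.0,
    "ROOM-A/humidity_pct": 45.0,
    "DOOR-07/open": 0,
}
READINGS_B = {
    "CRAC-01/return_temp_c": 24.6,
    "PDU-02/load_kw": 48.5,
    "ROOM-A/humidity_pct": 44.0,
    "DOOR-07/open": 1,
    "UPS-01/on_battery": 0,
}

# Assumed per-point tolerances; discrete points such as door state get the
# default of zero, meaning any disagreement is reported.
TOLERANCES = {
    "CRAC-01/return_temp_c": 1.0,
    "PDU-02/load_kw": 2.0,
    "ROOM-A/humidity_pct": 5.0,
}


def cross_check(readings_a, readings_b, tolerances=TOLERANCES, default_tol=0.0):
    """Compare two snapshots; return (findings, agreed_readings).

    findings: list of dicts describing points missing from one side or
              differing by more than the tolerance.
    agreed:   the points both systems report within tolerance, with the
              mean of the two values (the only readings safe to act on).
    """
    findings, agreed = [], {}
    for point in sorted(set(readings_a) | set(readings_b)):
        if point not in readings_a:
            findings.append({"point": point, "issue": "missing_in_a"})
            continue
        if point not in readings_b:
            findings.append({"point": point, "issue": "missing_in_b"})
            continue
        va, vb = readings_a[point], readings_b[point]
        delta = abs(va - vb)
        if delta > tolerances.get(point, default_tol):
            findings.append({"point": point, "issue": "value_mismatch",
                             "a": va, "b": vb, "delta": round(delta, 3)})
        else:
            agreed[point] = (va + vb) / 2
    return findings, agreed


if __name__ == "__main__":
    found, ok = cross_check(READINGS_A, READINGS_B)
    for f in found:
        print("DISCREPANCY", f)
    print("agreed readings:", ok)
```

On the sample data the two temperature and humidity readings agree within tolerance, while the door state, the PDU load and the UPS point that only one system reports are all flagged. A disagreement on a single point does not say which system is wrong; it says the facility should be operated from the agreed readings until an operator has looked at the flagged ones.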
BMS security is often overlooked in data center security programs, but physical infrastructure control is as critical as server security. We help data centers integrate BMS security into their overall security posture, including vendor management and operational monitoring. Contact us to assess your BMS security.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.