Organizations Hacked Via BMS: Everyone’s Problem


Building Management Systems (BMS) give organizations a powerful tool for running their facilities more efficiently. The problem is that, when poorly implemented and maintained, these same systems become serious liabilities.

Companies of all sizes are paying the price for vendors’ and installers’ negligence when it comes to BMS. Malicious parties are leveraging weaknesses in these systems, and in the network access granted to them, to break into private infrastructure and commit a wide variety of cybercrimes.

Target and its HVAC Hack

In 2013, Target was the victim of a cyberattack that leveraged the network access granted to its HVAC contractor. Using credentials stolen from Fazio Mechanical Services, a Pennsylvania-based HVAC provider, the criminals entered Target’s network. This triggered a series of events that ultimately revealed two things: that the victims numbered in the millions, and that the giant retailer was not the only company exposed to this kind of risk.

The same HVAC provider also listed other major retailers, such as Whole Foods, Trader Joe’s, and BJ’s Wholesale Club, among its customers. The breach led to a major investigation involving the U.S. Secret Service.

To start with, Fazio Mechanical Services held remote-access credentials for Target’s network. Experts pointed out that this is common: retailers often grant vendors this kind of access so they can monitor indicators such as energy consumption and temperatures remotely for savings purposes. The real failure was that this vendor access was not kept separate from the rest of the corporate network, including the systems that handle payments.

The consequences of this attack? Around 40 million debit and credit card accounts exposed within three weeks, after the attackers successfully installed their malware on point-of-sale (POS) terminals during the busy holiday shopping season.

Retailers’ Problems are Everyone’s Problems

The protagonist of that 2013-2014 event was, of course, Target. With 40 million debit and credit card accounts exposed, the breach became a major topic for both the authorities and the public, the latter being the real victims.

However, as we mentioned before, other retailers were probably exposed to the same weaknesses as well. By working with the same installer, major retailers such as Whole Foods faced the same risk.

These big names play a significant role in the industry. Millions of customers are in constant interaction with these businesses, meaning that almost everyone runs the risk of being exposed to cybercriminals. An insecure BMS doesn’t only affect the organization in question, but every individual who does business with it.

Google’s Wharf 7 Exposed

Before the story around Target, another big organization paid the cost of negligence related to Building Management Systems. In 2013, independent security researchers found that they could hack the BMS at Wharf 7, Google’s Australian headquarters in Sydney.

They emphasized how easy it was to access the system. The Tridium Niagara AX platform in use at the time was reachable from the internet and running a version with known, unpatched vulnerabilities. On Google’s side, there were poor security practices in place, a surprising fact coming from such a tech company.

It Comes Down to the Organization

The platform you choose for your BMS plays a major role in the results you get. Major vendors put a lot of work into building reliable products. But new vulnerabilities are discovered in those systems all the time, so a well-built platform is no substitute for patching and hardening it. Companies must act responsibly and take their own steps to protect their BMS.

Companies such as Fazio Mechanical Services, which provide, install, and maintain BMS, often have no cyber-security expertise. They frequently end up with unrestricted access to the customer’s network, and through such negligent setups they introduce the same weaknesses that a lack of security knowledge always produces.

Protecting your BMS

The last decade has given us plenty of evidence of the importance of properly implemented and secured BMS. In the years to come, big organizations should cover these weak spots, ensuring that not only they but also their customers are safe. This begins with recognizing the business risk, and with practical controls: segment the BMS from the corporate and payment networks, restrict vendor remote access to what the job actually requires, and keep the platform patched. A basic Network Anomaly Detection service then detects network-based cyberattacks and exposes vulnerable configurations. As added value, it gives better visibility by continuously monitoring the BMS infrastructure for unexpected traffic flows and vulnerabilities.
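To make the "unrestricted access" failure concrete, here is a small flow-policy check written for this page as an added example; it is not Julie Security's product code and not anything from the Target or Google incidents. It assumes a hypothetical BMS VLAN, a hypothetical payment-card network, an explicit allow list of destinations a BMS host may reach (the Niagara Fox and BACnet/IP ports shown are the protocols' standard ports, but the subnets and the vendor jump host are invented), and constructed flow records in a simple "timestamp src dst proto dport" form. Any flow from the BMS segment into the payment network is reported as critical, and any other flow that is not on the allow list is reported as a warning.

```python
"""Flow-policy check for a BMS network segment (added example, constructed data)."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Hypothetical address plan; replace with your own segments.
BMS_NET = ipaddress.ip_network("10.50.0.0/24")   # building-management VLAN
POS_NET = ipaddress.ip_network("10.10.0.0/16")   # payment-card / POS network

# Destinations a BMS host is allowed to reach: (network, protocol, destination port).
# Port numbers are the standard ones for these protocols; the subnets are invented.
ALLOW: List[Tuple[ipaddress.IPv4Network, str, int]] = [
    (ipaddress.ip_network("10.50.0.0/24"), "tcp", 1911),    # Niagara Fox, inside the BMS VLAN only
    (ipaddress.ip_network("10.50.0.0/24"), "udp", 47808),   # BACnet/IP, inside the BMS VLAN only
    (ipaddress.ip_network("10.60.0.10/32"), "tcp", 443),    # hypothetical vendor jump host
]


class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'ts src dst proto dport' record into a Flow."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))


def is_allowed(flow: Flow) -> bool:
    """True if the destination/protocol/port matches an allow-list entry."""
    return any(flow.dst in net and flow.proto == proto and flow.dport == port
               for net, proto, port in ALLOW)


def classify(flow: Flow) -> Optional[str]:
    """Severity for a flow originating in the BMS segment, or None if it is fine."""
    if flow.src not in BMS_NET:
        return None                      # only policing what leaves the BMS segment
    if flow.dst in POS_NET:
        return "critical"                # BMS host touching the payment network
    if not is_allowed(flow):
        return "warning"                 # anything else not explicitly permitted
    return None


def check_flows(lines: List[str]) -> List[Tuple[str, Flow]]:
    """Run the policy over flow records; blank lines and '#' comments are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        severity = classify(flow)
        if severity:
            findings.append((severity, flow))
    return findings


# Constructed sample records, not real traffic. 203.0.113.7 is a documentation address.
SAMPLE_FLOWS = """
# ts                   src          dst          proto dport
2013-11-27T10:15:02Z 10.50.0.12 10.50.0.20  udp 47808
2013-11-27T10:15:09Z 10.50.0.12 10.60.0.10  tcp 443
2013-11-27T10:16:33Z 10.50.0.12 10.10.3.44  tcp 445
2013-11-27T10:17:01Z 10.50.0.15 203.0.113.7 tcp 80
2013-11-27T10:18:40Z 10.20.1.5  10.10.3.44  tcp 445
"""

if __name__ == "__main__":
    for severity, flow in check_flows(SAMPLE_FLOWS.splitlines()):
        print(f"{severity.upper():8} {flow.ts} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

Of the five sample records, the two BACnet and jump-host flows pass, the BMS host reaching an SMB port on the POS network is reported as critical, the BMS host reaching an external web server is a warning, and the last record is ignored because it did not originate in the BMS segment. The same allow list can be turned into the actual firewall policy between the segments; the check above is for catching what that policy should have blocked.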

More Articles by Julie Security
