# SC-078: Smart Building Management System Compromise

## Scenario Overview
| Field | Detail |
|---|---|
| ID | SC-078 |
| Category | Commercial Real Estate / Corporate / ICS |
| Severity | Critical |
| ATT&CK Tactics | Initial Access, Discovery, Lateral Movement, Impact |
| ATT&CK Techniques | T0858 (Change Operating Mode), T0816 (Device Restart/Shutdown), T1046 (Network Service Discovery), T1021 (Remote Services), T1078 (Valid Accounts), T1565 (Data Manipulation) |
| Target Environment | Corporate HQ building management system (BMS), BACnet/IP controllers, HVAC systems, physical access control, fire suppression, data center environmental controls |
| Estimated Impact | Unauthorized HVAC manipulation causing data center overheating (sustained 42°C for 23 minutes); bypass of physical access control on 3 floors; fire alarm suppression on server floor; $2.1M estimated damage to server infrastructure; building evacuation triggered |
## Narrative
Pinnacle Financial Group (PFG), a fictional multinational financial services firm, occupies a 42-story corporate headquarters in a major metropolitan area. The building is managed by a converged Building Management System (BMS) manufactured by TridentBMS (fictional vendor), accessible at bms.pinnacle-hq.example.com (10.200.1.10). The BMS controls HVAC (heating, ventilation, and air conditioning), lighting, elevator management, physical access control (badge readers and door locks), fire detection and suppression, and data center environmental systems across the facility.
The BMS network operates on a dedicated VLAN (10.200.0.0/16) using BACnet/IP protocol for controller communication. However, a network audit gap has left two BACnet controllers on floors 38-40 (the executive and data center floors) bridged to the corporate IT network at 10.100.0.0/16 through a misconfigured switch at 10.200.1.254.
In March 2026, a threat actor group designated CONCRETE WOLF targets PFG with a dual-objective attack: steal proprietary trading algorithms from the data center (floor 39) and cause maximum operational disruption to mask data exfiltration. The attack begins with the discovery of exposed BACnet services during an external reconnaissance scan and escalates through the BMS to achieve both physical access and environmental manipulation.
## Attack Flow

```mermaid
graph TD
    A[Phase 1: BACnet Discovery<br/>External scan finds exposed controllers] --> B[Phase 2: BMS Initial Access<br/>Default credentials on BACnet controllers]
    B --> C[Phase 3: Building Reconnaissance<br/>Enumerate all BMS endpoints and zones]
    C --> D[Phase 4: Access Control Bypass<br/>Unlock doors on floors 38-40]
    D --> E[Phase 5: HVAC Manipulation<br/>Data center cooling shutdown]
    E --> F[Phase 6: Fire Alarm Suppression<br/>Disable alerts for server floor]
    F --> G[Phase 7: Detection<br/>Temperature anomaly + access correlation]
    G --> H[Phase 8: Emergency Response<br/>Manual BMS override + building evacuation]
```

## Phase Details
### Phase 1: BACnet Discovery
ATT&CK Technique: T1046 (Network Service Discovery)
CONCRETE WOLF performs reconnaissance against PFG's external network perimeter. A misconfigured firewall rule at the building's network edge permits inbound UDP traffic on port 47808 (BACnet/IP) to reach the bridged controllers on the executive floors. The attacker uses standard BACnet discovery tools to enumerate building automation devices.
```text
# Simulated BACnet discovery scan (educational only)
$ bacnet-scan --target 198.51.100.50 --port 47808

BACnet/IP Device Discovery Results
====================================
Device ID: 390001 | Name: "FL39-HVAC-AHU-01"
  Address:  198.51.100.50:47808
  Vendor:   TridentBMS Corp
  Model:    TBM-9400 Advanced Air Handler
  Firmware: v6.2.1
  Location: "Floor 39 — Data Center"
  Services: ReadProperty, WriteProperty, SubscribeCOV

Device ID: 390002 | Name: "FL39-HVAC-CRAC-01"
  Address:  198.51.100.51:47808
  Vendor:   TridentBMS Corp
  Model:    TBM-7200 Precision Cooling
  Firmware: v5.8.3
  Location: "Floor 39 — Data Center — Row A"

Device ID: 400001 | Name: "FL40-ACCESS-CTRL-01"
  Address:  198.51.100.52:47808
  Vendor:   TridentBMS Corp
  Model:    TBM-AC500 Access Controller
  Firmware: v4.1.0
  Location: "Floor 40 — Executive Suite"

# 3 devices discovered — BACnet/IP exposed to external network
```
### Phase 2: BMS Initial Access
ATT&CK Technique: T1078 (Valid Accounts)
The attacker authenticates to the exposed BACnet controllers using default vendor credentials. TridentBMS devices ship with a default BACnet operator password of admin/TridentBMS2024 — a credential pair documented in the vendor's publicly available installation guide. PFG's facilities team had changed the web management password but left the BACnet protocol authentication at default.
```text
# Simulated BACnet authentication (educational only)
$ bacnet-client --host 198.51.100.50 --port 47808 \
    --user admin --pass REDACTED

[*] Authenticating to FL39-HVAC-AHU-01 (Device 390001)
[+] Authentication successful — Operator level access
[*] Available object types:
    Analog Input  (AI): 24 objects (temperature, humidity, pressure sensors)
    Analog Output (AO): 16 objects (valve positions, fan speeds, setpoints)
    Binary Input  (BI): 12 objects (door contacts, occupancy, alarms)
    Binary Output (BO):  8 objects (dampers, relays, lockouts)
    Schedule:            4 objects (HVAC schedules)
    Trend Log:          18 objects (historical sensor data)
```
### Phase 3: Building Reconnaissance
ATT&CK Technique: T1046 (Network Service Discovery)
From the compromised BACnet controllers, CONCRETE WOLF enumerates the entire BMS network. BACnet's Who-Is/I-Am service discovery protocol allows any authenticated device to discover all other devices on the BACnet network, regardless of VLAN segmentation within the BMS network itself.
```text
# Simulated BMS enumeration (educational only)
$ bacnet-client --host 198.51.100.50 --cmd whois --range 0-4194303

BACnet Device Enumeration — Full Building
==========================================
Floor | Device Count | Systems
------|--------------|------------------
1-10  | 42           | HVAC, Lighting, Access Control
11-20 | 38           | HVAC, Lighting, Access Control
21-30 | 35           | HVAC, Lighting, Access Control
31-37 | 28           | HVAC, Lighting, Access Control
38    | 12           | HVAC, Access Control, CCTV integration
39    | 18           | HVAC, Precision Cooling, Fire Suppression,
      |              | Access Control, Environmental Monitoring
40    |  8           | HVAC, Access Control, Executive Safety

Total: 181 BACnet devices discovered
Critical: Floor 39 has fire suppression and precision cooling

# Floor 39 detailed device list
Device 390001: FL39-HVAC-AHU-01    (Air Handler Unit)
Device 390002: FL39-HVAC-CRAC-01   (Computer Room AC — Row A)
Device 390003: FL39-HVAC-CRAC-02   (Computer Room AC — Row B)
Device 390004: FL39-HVAC-CRAC-03   (Computer Room AC — Row C)
Device 390005: FL39-FIRE-PANEL-01  (Fire Detection Panel)
Device 390006: FL39-FIRE-SUPPR-01  (Fire Suppression Controller)
Device 390007: FL39-ACCESS-MAIN    (Main Door Access Controller)
Device 390008: FL39-ACCESS-CAGE-01 (Server Cage A Access)
Device 390009: FL39-ENV-MONITOR-01 (Environmental Monitor)
```
### Phase 4: Access Control Bypass
ATT&CK Technique: T0858 (Change Operating Mode)
CONCRETE WOLF uses BACnet WriteProperty commands to manipulate the access control system on floors 38-40. The attacker changes the door lock mode from "badge required" to "unlocked" for the data center main entrance and server cage doors, creating a window for physical intrusion by a local operative.
```text
# Simulated access control manipulation (educational only)
$ bacnet-client --host 198.51.100.50 --device 390007 \
    --cmd writeproperty

[*] Target: FL39-ACCESS-MAIN (Device 390007)
[*] Writing to Binary Output BO-1 (Main Door Lock)
    Property: Present_Value
    Current:  ACTIVE (locked — badge required)
    New:      INACTIVE (unlocked)
    Result:   SUCCESS

[*] Writing to Binary Output BO-2 (Mantrap Inner Door)
    Property: Present_Value
    Current:  ACTIVE (locked — badge + PIN required)
    New:      INACTIVE (unlocked)
    Result:   SUCCESS

# Simultaneously modifying access logs
[*] Target: FL39-ACCESS-MAIN — Trend Log TL-1
    Action: Disable logging (Priority: 8 — Manual Operator)
    Result: SUCCESS

# Physical access to Floor 39 data center is now unrestricted
# Access event logging has been disabled
```
### Phase 5: HVAC Manipulation
ATT&CK Technique: T0858 (Change Operating Mode), T0816 (Device Restart/Shutdown)
With access control bypassed, CONCRETE WOLF simultaneously attacks the data center cooling systems. The attacker issues BACnet commands to shut down all three Computer Room Air Conditioning (CRAC) units on Floor 39 and sets the air handler unit to recirculate (no fresh air intake). This causes the data center ambient temperature to rise from the nominal 21°C to over 42°C within 23 minutes.
```text
# Simulated HVAC manipulation (educational only)

# Step 1: Disable CRAC units
$ bacnet-client --host 198.51.100.50 --device 390002 \
    --cmd writeproperty --object AO-1 --prop PresentValue --value 0
[*] FL39-HVAC-CRAC-01: Compressor speed set to 0% (OFF)

$ bacnet-client --host 198.51.100.50 --device 390003 \
    --cmd writeproperty --object AO-1 --prop PresentValue --value 0
[*] FL39-HVAC-CRAC-02: Compressor speed set to 0% (OFF)

$ bacnet-client --host 198.51.100.50 --device 390004 \
    --cmd writeproperty --object AO-1 --prop PresentValue --value 0
[*] FL39-HVAC-CRAC-03: Compressor speed set to 0% (OFF)

# Step 2: Set AHU to recirculate mode (no outside air)
$ bacnet-client --host 198.51.100.50 --device 390001 \
    --cmd writeproperty --object AO-3 --prop PresentValue --value 0
[*] FL39-HVAC-AHU-01: Outside air damper set to 0% (CLOSED)

# Temperature rise timeline
Time     | Temp (°C) | Status
---------|-----------|---------------------------------------
T+0 min  | 21.2      | CRAC units shut down
T+5 min  | 24.8      | Warming — within normal variance
T+10 min | 29.3      | WARNING threshold (28°C) exceeded
T+15 min | 34.1      | CRITICAL threshold (32°C) exceeded
T+20 min | 38.7      | Server thermal throttling begins
T+23 min | 42.1      | Emergency shutdown threshold reached
```
### Phase 6: Fire Alarm Suppression
ATT&CK Technique: T0816 (Device Restart/Shutdown)
To prevent automatic emergency response to the rising temperatures, CONCRETE WOLF disables the fire detection panel and suppression controller on Floor 39. The attacker sets the fire panel to "maintenance mode," which suppresses all alarms and notifications to the central monitoring station.
```text
# Simulated fire system manipulation (educational only)
$ bacnet-client --host 198.51.100.50 --device 390005 \
    --cmd writeproperty --object BI-1 --prop PresentValue --value 0
[*] FL39-FIRE-PANEL-01: Smoke detection — DISABLED (maintenance mode)

$ bacnet-client --host 198.51.100.50 --device 390005 \
    --cmd writeproperty --object BO-1 --prop PresentValue --value 0
[*] FL39-FIRE-PANEL-01: Alarm notification — SUPPRESSED

$ bacnet-client --host 198.51.100.50 --device 390006 \
    --cmd writeproperty --object BO-1 --prop PresentValue --value 0
[*] FL39-FIRE-SUPPR-01: Pre-action sprinkler valve — LOCKED CLOSED

# Central monitoring station receives NO alerts from Floor 39
# Fire suppression will NOT activate even if temperatures exceed
# safe thresholds — creating a safety hazard
```
### Phase 7: Detection
The attack is detected at T+15 minutes through two independent channels:
Channel 1: Environmental Monitoring — The IT infrastructure team's independent data center monitoring system (separate from BMS) triggers a CRITICAL temperature alert when Floor 39 ambient temperature exceeds 32°C. This system uses dedicated temperature sensors connected to the IT network, not the BMS network.
Channel 2: Physical Security Correlation — A security guard on Floor 38 notices the mantrap doors to the Floor 39 data center are in "unlocked" state during a routine patrol. The guard reports the anomaly to the Security Operations Center, which correlates the door unlock event with the absence of any corresponding badge swipe in the access control logs.
```text
# Simulated detection alerts (educational only)
[2026-03-15 14:32:00 UTC] IT MONITORING — CRITICAL ALERT
  Source:   dc-temp-sensor-rack-a12.pinnacle-hq.example.com
  Alert:    DATA_CENTER_TEMPERATURE_CRITICAL
  Current:  34.1°C | Threshold: 32°C
  Location: Floor 39, Row A, Rack 12
  Trend:    Rising (+2.8°C/5min)
  Action required: IMMEDIATE — investigate cooling failure

[2026-03-15 14:35:00 UTC] PHYSICAL SECURITY — ANOMALY REPORT
  Source: Guard Station Floor 38
  Report: Floor 39 mantrap doors found UNLOCKED
  Badge log check:  NO unlock events in past 4 hours
  BMS status check: Access controller shows "maintenance mode"
  DISCREPANCY: No maintenance ticket filed for Floor 39 access system

[2026-03-15 14:38:00 UTC] SOC CORRELATION — COMPOUND INCIDENT
  Alert 1: DC temperature critical (rising, no cooling)
  Alert 2: Access control anomaly (unauthorized unlock)
  Alert 3: Fire panel status — MAINTENANCE MODE (no ticket)
  Assessment: COORDINATED ATTACK ON BUILDING SYSTEMS
  Priority:   P1 — CRITICAL
```
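The SOC correlation in Channel 2 (a door unlock with no matching badge swipe and no maintenance ticket) can be automated. The following is an added example, not part of the original scenario or the TridentBMS product: it joins access-controller state changes against badge-reader events and a ticket list, and reports every unlock that neither explains. The door names reuse the scenario's device names; the events, badge IDs, ticket and 30-second grace window are constructed for illustration.

```python
# Added example (not from the original scenario): correlate door-unlock state
# changes with badge-reader events and maintenance tickets. An UNLOCKED
# transition with neither a granted swipe just before it nor an open ticket is
# the "door unlock without corresponding badge event" indicator.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class DoorStateEvent:
    timestamp: datetime
    door_id: str
    new_state: str      # "UNLOCKED" or "LOCKED"
    source: str         # address that wrote the state, or "badge-reader"


@dataclass(frozen=True)
class BadgeEvent:
    timestamp: datetime
    door_id: str
    badge_id: str
    granted: bool


@dataclass(frozen=True)
class MaintenanceTicket:
    door_id: str
    start: datetime
    end: datetime


def find_unauthorized_unlocks(door_events, badge_events, tickets,
                              grace=timedelta(seconds=30)):
    """Return one finding per UNLOCKED transition that no badge or ticket explains."""
    findings = []
    for ev in door_events:
        if ev.new_state != "UNLOCKED":
            continue
        # A granted swipe on the same door within `grace` before the unlock explains it
        badged = any(
            b.door_id == ev.door_id and b.granted
            and ev.timestamp - grace <= b.timestamp <= ev.timestamp
            for b in badge_events)
        if badged:
            continue
        # A maintenance ticket covering the door at that moment explains it
        ticketed = any(t.door_id == ev.door_id and t.start <= ev.timestamp <= t.end
                       for t in tickets)
        if ticketed:
            continue
        findings.append({
            "alert": "DOOR_UNLOCK_WITHOUT_BADGE_OR_TICKET",
            "door_id": ev.door_id,
            "timestamp": ev.timestamp.isoformat(),
            "source": ev.source,
        })
    return findings


# Constructed sample data (not real logs); badge IDs and the FL38 door are invented
T0 = datetime(2026, 3, 15, 14, 0, tzinfo=UTC)
DOOR_EVENTS = [
    DoorStateEvent(T0 + timedelta(minutes=2), "FL38-ACCESS-LOBBY", "UNLOCKED", "badge-reader"),
    DoorStateEvent(T0 + timedelta(minutes=10), "FL40-ACCESS-CTRL-01", "UNLOCKED", "10.200.1.10"),
    DoorStateEvent(T0 + timedelta(minutes=20), "FL39-ACCESS-MAIN", "UNLOCKED", "203.0.113.72"),
    DoorStateEvent(T0 + timedelta(minutes=25), "FL39-ACCESS-MAIN", "LOCKED", "10.200.1.10"),
]
BADGE_EVENTS = [
    BadgeEvent(T0 + timedelta(minutes=1, seconds=50), "FL38-ACCESS-LOBBY", "B-10442", True),
    BadgeEvent(T0 + timedelta(minutes=19), "FL39-ACCESS-MAIN", "B-20017", False),  # denied swipe
]
TICKETS = [
    MaintenanceTicket("FL40-ACCESS-CTRL-01", T0, T0 + timedelta(hours=1)),
]


def demo():
    """Run the correlation over the constructed data; only the FL39 unlock is unexplained."""
    return find_unauthorized_unlocks(DOOR_EVENTS, BADGE_EVENTS, TICKETS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The lobby unlock is explained by a granted swipe ten seconds earlier, the Floor 40 unlock by an open ticket, and the denied swipe on FL39-ACCESS-MAIN does not count, so only the Floor 39 unlock is reported. In production the three inputs would come from the access controller's trend log (where it has not been disabled), the badge system, and the ticketing system, which is exactly the cross-source correlation the scenario's SOC performed by hand.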
### Phase 8: Emergency Response
Upon identifying the coordinated building systems attack, PFG activates its Building Cyber-Physical Incident Response Plan:
Immediate Actions (0-1 hour):
- Manual BMS override — Facilities engineering team physically accesses BMS controllers on Floor 39 and performs hardware override to restore CRAC units and fire systems
- Building evacuation — Floors 38-40 evacuated as a precaution due to compromised fire suppression
- Network segmentation — BMS network isolated from corporate network at switch 10.200.1.254; external BACnet access blocked at perimeter firewall
- Physical lockdown — Security team manually secures all Floor 39 access points; 24/7 guard posted
```text
# Simulated incident response timeline (educational only)
[2026-03-15 14:40:00 UTC] ALERT: Building CSIRT activated — Level 1

[2026-03-15 14:42:00 UTC] ACTION: Facilities team dispatched to Floor 39
  Manual CRAC restart: CRAC-01, CRAC-02, CRAC-03
  Hardware override switch engaged on all 3 units
  AHU damper manually opened to 100%

[2026-03-15 14:45:00 UTC] ACTION: Fire panel restored from maintenance mode
  Manual key switch: Normal operating mode restored
  Suppression system: Pre-action valve OPENED (manual override)
  Central station: Alarms re-enabled — test signal confirmed

[2026-03-15 14:48:00 UTC] ACTION: Floors 38-40 evacuation initiated
  Personnel evacuated: 312 employees
  Evacuation time: 11 minutes

[2026-03-15 14:55:00 UTC] ACTION: Network segmentation enforced
  Switch 10.200.1.254: Port 23 (bridge to IT VLAN) — DISABLED
  Firewall rule: DENY UDP 47808 inbound — ALL zones

[2026-03-15 15:20:00 UTC] STATUS: DC temperature declining
  Current: 36.4°C (down from 42.1°C peak)
  Estimated recovery to 21°C: ~45 minutes

# Temperature recovery timeline
T+0 min  | 42.1°C | CRAC units restarted (hardware override)
T+10 min | 36.4°C | Cooling engaged, temperature falling
T+25 min | 29.8°C | Below warning threshold
T+45 min | 23.1°C | Approaching nominal
T+60 min | 21.4°C | Nominal operating temperature restored
```
Forensic Analysis (1-48 hours):
- BACnet traffic captures reveal unauthorized WriteProperty commands from 203.0.113.72
- Switch configuration audit confirms VLAN bridging misconfiguration predating the attack by 14 months
- BMS audit logs (where not disabled by attacker) show systematic enumeration of all 181 building devices
- Access control log gaps correlate with the attacker's trend log disabling commands
- Physical security camera review identifies an unescorted individual on Floor 39 during the unlock window
Recovery (48 hours - 2 weeks):
- Complete BACnet network segmentation from IT and external networks
- All BMS credentials rotated; default passwords eliminated
- BACnet traffic monitoring deployed (allowlisted commands only)
- Independent environmental monitoring expanded to all critical floors
- Physical security enhanced with biometric + badge dual-factor on data center floors
## Detection Opportunities

### BACnet Traffic Monitoring
| Detection Point | Method | Indicator |
|---|---|---|
| BACnet WriteProperty to safety systems | Protocol-aware IDS | Any write command to fire panel or suppression controllers |
| HVAC setpoint changes outside schedule | BMS audit logging | Setpoint modifications outside maintenance windows |
| Access control mode changes | BMS + physical security correlation | Door unlock without corresponding badge event |
| BACnet device discovery | Network monitoring | Who-Is broadcasts from unexpected sources |
| External BACnet access | Firewall logging | Any BACnet/IP (UDP 47808) traffic from external networks |
### Environmental Anomaly Detection
```python
# Educational example: Data center temperature anomaly detection
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class TempReading:
    sensor_id: str
    temperature_c: float
    timestamp: datetime          # timezone-aware UTC


def detect_cooling_failure(readings: list[TempReading],
                           window_minutes: int = 10,
                           rate_threshold_c: float = 3.0,
                           now: datetime | None = None) -> dict | None:
    """Detect abnormal temperature rise indicating cooling failure or attack.

    Alerts when the temperature climbs faster than rate_threshold_c degrees
    per window_minutes across the readings inside the window. `now` can be
    injected to replay a historical sensor buffer.
    """
    now = now or datetime.now(timezone.utc)
    if len(readings) < 2:
        return None
    cutoff = now - timedelta(minutes=window_minutes)
    # Sort so the first/last reading in the window are the oldest/newest
    recent = sorted((r for r in readings if r.timestamp > cutoff),
                    key=lambda r: r.timestamp)
    if len(recent) < 2:
        return None
    # Divide by the span the readings actually cover, not the nominal window,
    # so a partially filled buffer does not understate the rate of rise
    elapsed_min = (recent[-1].timestamp - recent[0].timestamp).total_seconds() / 60
    if elapsed_min <= 0:
        return None
    rate = (recent[-1].temperature_c - recent[0].temperature_c) / elapsed_min
    if rate > rate_threshold_c / window_minutes:
        return {
            'alert': 'ABNORMAL_TEMPERATURE_RISE',
            'sensor': recent[-1].sensor_id,
            'current_temp': recent[-1].temperature_c,
            'rate_c_per_min': round(rate, 2),
            'window_minutes': window_minutes,
            'timestamp': now.isoformat(),
            'recommendation': 'Check CRAC units and BMS for unauthorized changes'
        }
    return None


# Example usage (synthetic data only)
# alert = detect_cooling_failure(sensor_buffer, window_minutes=10)
# if alert: trigger_incident("COOLING_ANOMALY", alert)
```
### BACnet Command Allowlisting
```kql
// KQL — Detect unauthorized BACnet commands (educational)
// allowed_bms_operators and the maintenance window are expected to be
// let-bound earlier in the query (e.g. a dynamic list and a start/end pair)
BACnetTrafficLog
| where TimeGenerated > ago(1h)
| where CommandType == "WriteProperty"
| where ObjectType in ("BinaryOutput", "AnalogOutput")
| where DeviceCategory in ("FirePanel", "FireSuppression", "AccessControl")
| where SourceIP !in (allowed_bms_operators)
    or TimeGenerated !between (scheduled_maintenance_window)
| project TimeGenerated, SourceIP, DeviceID, DeviceName,
          ObjectType, PropertyName, OldValue, NewValue
| sort by TimeGenerated desc
```
## Lessons Learned

### Key Takeaways

- **BACnet/IP must never be exposed to untrusted networks** — BACnet was designed for trusted building networks and has minimal built-in security. Exposing BACnet/IP ports to external networks is equivalent to granting full building control to any attacker.
- **IT/OT convergence creates cross-domain attack paths** — The VLAN bridging misconfiguration allowed an IT network attack to become a physical safety incident. Building networks must be strictly segmented from corporate IT networks with monitored firewall rules.
- **Default credentials in building systems are endemic** — BMS devices frequently ship with well-known default credentials that are rarely changed. Organizations must include BMS devices in their credential management and rotation programs.
- **Independent monitoring prevents a single point of failure** — The IT team's independent temperature monitoring system detected the attack when the BMS-native monitoring had been suppressed. Critical environmental parameters must have independent, out-of-band monitoring.
- **Physical and cyber security must be correlated** — The security guard's observation of unlocked doors was a critical detection element. Physical security anomalies should automatically trigger cyber investigation, and vice versa.
- **Fire safety system manipulation is a life-safety risk** — Cyber attacks that disable fire detection and suppression create immediate danger to building occupants. Fire systems must have hardware-level overrides that cannot be bypassed via network commands.
## MITRE ATT&CK Mapping
| Technique ID | Technique Name | Phase |
|---|---|---|
| T1046 | Network Service Discovery | Discovery |
| T1078 | Valid Accounts | Initial Access |
| T1021 | Remote Services | Lateral Movement |
| T0858 | Change Operating Mode | Impact (ICS) |
| T0816 | Device Restart/Shutdown | Impact (ICS) |
| T1565 | Data Manipulation | Impact |