Presence of KEVs, KEVs Linked to Ransomware, and Insecure Internet Exposure Found to be Pervasive Among BMS, BAS According to New Report
NEW YORK—June, 25, 2025—Claroty, the cyber-physical systems (CPS) protection company, today announced new research on the riskiest exposures among building management systems (BMS) and building automation systems (BAS). The new report from Team82, “State of CPS Security 2025: Building Management System Exposures,” analyzes nearly half a million BMS across more than 500 CPS organizations, finding that 75% of organizations have BMS affected by known exploited vulnerabilities (KEVs). Digging deeper into the KEV-affected organizations, 51% are affected by KEVs that are also linked to ransomware and are insecurely connected to the internet. Within those organizations, 2% of devices contain the same level of risk, meaning that devices essential to business operations are operating at the highest level of risk exposure.
This combination of risk factors raises alarms given the widespread reliance on BMS in commercial real estate, retail, hospitality, and data center facilities to operate systems like HVAC, lighting, energy, elevators, security, and more. The exposure level of these devices provides adversaries with easily accessible entry points that leave the door open to costly and potentially dangerous disruptions. The findings in the report show the need for protection of these systems to be given greater priority, especially as they are brought online for operational and business reasons such as remote management and analytics. By taking an exposure management-based approach and focusing on the unique needs and challenges of CPS environments, organizations can identify, assess, and prioritize the riskiest devices, saving precious time and resources.
“Oftentimes, BMS and BAS are being operationalized on the network without thinking about the cybersecurity implications,” said Grant Geyer, Chief Strategy Officer at Claroty. “What’s being gained in efficiency and convenience might be coming at a real risk if not effectively secured—for instance, the cooling of data centers or refrigeration of perishable goods in retail, which are critical systems to abruptly be taken offline if compromised."
Organizations embracing digital transformation and taking steps to secure BMS when bringing it online have the opportunity to integrate the measurement of business impact and safeguard the operational criticality of those devices. By understanding the full context of those systems they can reduce risk and avoid the highly consequential disruptions that might come from their failure. As buildings get “smarter,” organizations need to adopt a security framework that presents cybersecurity decision-makers and asset owners with a true assessment of their security posture, as well as a remediation plan tailored for action by risk management teams and understandable by executives.
To access Team82’s complete set of findings, in-depth analysis, and recommended security measures, download the “State of CPS Security 2025: Building Management System Exposures” report.
Methodology
The "State of CPS Security 2025: Building Management System Exposures" report is a snapshot of the vulnerability and exposure trends in BMS and BAS devices across CPS organizations observed and analyzed by Team82, Claroty's threat research team, and our data scientists.
About Claroty
Claroty has redefined cyber-physical systems (CPS) protection with an unrivaled industry-centric platform built to secure mission-critical infrastructure. The Claroty Platform provides the deepest asset visibility and the broadest, built-for-CPS solution set in the market comprising exposure management, network protection, secure access, and threat detection – whether in the cloud with Claroty xDome or on-premise with Claroty Continuous Threat Detection (CTD). Backed by award-winning threat research and a breadth of technology alliances, The Claroty Platform enables organizations to effectively reduce CPS risk, with the fastest time-to-value and lower total cost of ownership. Claroty is deployed by hundreds of organizations at thousands of sites globally. The company is headquartered in New York City and has a presence in Europe, Asia-Pacific, and Latin America. To learn more, visit claroty.com.
