
Exposed building‑management systems give attackers direct control over physical environments, amplifying operational risk for tenants and owners alike. Securing these internet‑facing assets is essential to protect business continuity and public safety.
The Black Hat Europe briefing underscored a broader trend: legacy industrial software is increasingly being thrust onto the public internet without the security controls it was never designed to include. While the building‑management market has evolved rapidly, many vendors still rely on codebases written before modern threat models existed. This mismatch creates fertile ground for attackers who can exploit outdated protocols, weak authentication, and unpatched vulnerabilities to infiltrate physical infrastructure, from HVAC systems to fire suppression controls.
From a risk‑management perspective, the exposure of building‑automation platforms illustrates the hidden attack surface that landlords and facility managers often overlook. Tenants may assume that the building’s IT is separate from their own, yet a compromised BMS can disrupt server rooms, manipulate environmental controls, or even grant unauthorized physical access. The financial and reputational fallout of such incidents can dwarf typical data breaches, prompting regulators and insurers to scrutinize the security posture of critical‑infrastructure services more closely.
Mitigating these threats requires a shift from reactive patching to proactive architecture redesign. Organizations should inventory all internet‑exposed control systems, enforce network segmentation, and adopt zero‑trust principles such as mandatory VPN tunnels or mutual TLS for remote access. Regular third‑party code audits, especially after mergers and acquisitions, are vital to uncover hidden legacy components. By treating building‑automation software with the same rigor as corporate applications, enterprises can close the gap between physical and cyber security, safeguarding both operational continuity and stakeholder trust.
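As an added example of the mutual‑TLS remote‑access pattern described above (this is illustrative configuration, not from the briefing or from any vendor it discussed): an nginx reverse proxy placed in front of a legacy BMS web interface, so that a client certificate from the facility's private CA is required before the BMS sees any traffic. The hostname, certificate paths and the internal address 10.0.50.10 are assumed placeholders.

```nginx
# Weak state this replaces: the BMS web UI bound to 0.0.0.0:80 on an
# internet-routable interface, with its own login form as the only gate.
# Hardened state: the BMS is re-bound to an internal segment (assumed
# 10.0.50.10, no route from the internet) and only this proxy can reach it.

server {
    listen 80;
    server_name bms-remote.example.com;     # assumed placeholder hostname
    return 301 https://$host$request_uri;   # never serve the BMS over plain HTTP
}

server {
    listen 443 ssl;
    server_name bms-remote.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Mutual TLS: the client must present a certificate chaining to the
    # facility's private CA. With "on", clients lacking a valid certificate
    # are rejected during the handshake, before any request reaches the
    # legacy application behind the proxy.
    ssl_client_certificate /etc/nginx/tls/bms-client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # Pass the verified certificate subject so BMS access logs can
        # attribute each action to an identity rather than a shared password.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host            $host;

        proxy_pass http://10.0.50.10:80;   # internal-only BMS listener
    }
}
```

Revoking a lost or departed user's client certificate (and publishing the CRL via `ssl_crl`) closes remote access without touching the BMS's own, often unchangeable, account store.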