Known Systems. Hidden Risks. | Episode 3 - Modern Building Control Protocols: Understanding BACnet, KNX and MODBUS - and the Cybersecurity Risks Emerging Behind Them

By Luke, Co-Founder and Technology Leader, CMC Consultancy Partnership

Introduction

For decades, building control systems operated largely in isolation.

Heating systems spoke only to heating controllers. Lighting systems remained confined to dedicated wiring infrastructure. Access control, CCTV, public address, ventilation and metering systems frequently existed as entirely separate ecosystems with little or no interaction beyond the physical building itself.

That model has fundamentally changed.

Modern buildings increasingly rely on integrated control systems that allow lighting, HVAC, energy management, security, AV and life safety systems to communicate across shared networks. The objective is straightforward: centralised monitoring, improved efficiency, automation, reduced operational costs and richer data analytics.

At the heart of this transformation sit several core communication protocols — most notably BACnet, KNX and MODBUS.

While each protocol was developed with different objectives and technical philosophies, they now coexist across many commercial buildings, industrial sites, education facilities and critical infrastructure environments.

However, the shift toward IP networking, cloud connectivity and remote management has also introduced a significant cybersecurity challenge: systems originally designed for isolated operational technology (OT) environments are increasingly being exposed to enterprise IT networks and, in some cases, directly or indirectly to the internet.

Understanding these protocols is therefore no longer solely the responsibility of controls engineers. It is now equally relevant to cybersecurity teams, network architects and operational risk managers.

BACnet — Building Automation and Control Networks

What is BACnet?

BACnet (Building Automation and Control Networks) is an open communication protocol developed specifically for building automation and control systems. First published by ASHRAE as Standard 135 in 1995 (later adopted as ISO 16484-5), BACnet was designed to allow interoperability between building systems from different manufacturers, particularly HVAC, lighting, access control and fire integration systems. Before BACnet, many building management systems were effectively vendor-locked proprietary ecosystems. BACnet aimed to change that.

How BACnet is Transmitted

BACnet supports multiple transport methods:

• BACnet/IP — transmitted over standard Ethernet and IP networks (UDP, port 47808 / 0xBAC0 by default)

• BACnet MS/TP — transmitted over RS-485 serial infrastructure

• BACnet/Ethernet — legacy framing carried directly in Ethernet frames, without IP

• BACnet/SC — BACnet Secure Connect, the modern transport that carries BACnet over mutually authenticated TLS WebSocket connections to a hub, replacing the open broadcast domain with certificate-based device identity

Today, BACnet/IP has become the dominant deployment model.

Where BACnet Sits Within a Building

BACnet is typically used as the supervisory integration layer within commercial buildings. It commonly interfaces with HVAC plant, air handling units, fan coil controllers, chillers and boilers, lighting systems, energy monitoring, lift and escalator monitoring and security integration layers. In practice, BACnet frequently acts as the language used by a Building Management System (BMS) platform to aggregate data from numerous subsystems.

KNX — Distributed Building Control

What is KNX?

KNX is a decentralised building control protocol primarily focused on smart building and building automation applications. Unlike BACnet, which often operates as a higher-level supervisory protocol, KNX was designed around distributed field-level control. Devices themselves contain intelligence. Switches, sensors, actuators and controllers communicate directly across the KNX bus without requiring heavy centralised processing. KNX is particularly prevalent in smart homes, premium residential developments, hospitality, commercial lighting control, blind and shading systems and room automation.

How KNX is Transmitted

KNX supports several physical transport layers — KNX TP (Twisted Pair), KNX RF (radio frequency), KNX PL (power line) and KNX/IP (Ethernet, as KNXnet/IP on UDP port 3671: Tunnelling for programming and gateway interfaces, Routing for multicast backbones between lines). Historically, KNX installations were largely isolated from enterprise networks because of their dedicated twisted-pair infrastructure. However, KNX/IP has become increasingly common for remote programming, integration gateways, visualisation platforms and mobile app control.

Where KNX Sits Within a Building

KNX is often deployed closer to the edge of the building — lighting circuits, presence detection, blind control, room temperature management, scene recall and occupancy automation. Rather than operating as a central management platform, KNX devices frequently interact directly with each other in a peer-to-peer architecture.

MODBUS — Industrial Simplicity That Never Went Away

What is MODBUS?

MODBUS is one of the oldest and most widely deployed industrial communication protocols still in active use today. Originally developed by Modicon in 1979 for its programmable logic controllers (PLCs), MODBUS was intentionally simple. Its objectives were reliability, low overhead and straightforward implementation. That simplicity is precisely why it remains heavily deployed decades later. MODBUS is now found across industrial control systems, energy infrastructure, generator systems, power monitoring, fire systems, public address systems, HVAC equipment, metering devices and audio DSP platforms.

How MODBUS is Transmitted

MODBUS exists in two primary forms — MODBUS RTU, which uses serial communication over RS-485 (or RS-232), and MODBUS TCP, which wraps the same request/response PDU in a short MBAP header over Ethernet and IP, typically on TCP port 502. Neither form adds authentication or encryption. MODBUS RTU historically benefited from a degree of practical isolation because the serial wiring limited who could reach it. MODBUS TCP fundamentally changes that risk profile: any host that can open a TCP connection to port 502 can issue the same reads and writes.

Where MODBUS Sits Within a Building

MODBUS is commonly deployed at the operational layer — plant controllers, metering devices, power systems, audio and voice alarm systems, generator monitoring, UPS infrastructure and HVAC field devices. It frequently acts as the machine-level protocol beneath higher supervisory systems such as BACnet or SCADA platforms.

Why Does Industry Use These Protocols?

Despite their differences, BACnet, KNX and MODBUS exist for similar strategic reasons.

Interoperability — buildings increasingly contain equipment from dozens of manufacturers, and open protocols provide a common method of communication between otherwise incompatible systems.

Centralised monitoring — operators require unified visibility across HVAC, energy, lighting, security, environmental systems and life safety infrastructure.

Automation and efficiency — modern buildings aim to reduce energy consumption, operational costs and maintenance overhead through occupancy-based automation, dynamic HVAC control and predictive maintenance.

Scalability — protocols allow buildings to expand incrementally without complete system replacement.

The Cybersecurity Problem Emerging Across Building Systems

Historically, many control systems benefited from what was effectively physical isolation. A serial RS-485 network connected to a local controller represented a relatively constrained attack surface. That is increasingly no longer true.

Modern operational requirements now demand remote monitoring, mobile applications, cloud analytics, centralised estates management, multi-site integration and remote maintenance access. To achieve this, organisations deploy BACnet/IP gateways, KNX/IP interfaces, MODBUS TCP converters, serial-to-Ethernet bridges and IoT gateways.

The problem is that many legacy protocols were never designed with cybersecurity in mind.

Legacy Protocols Were Not Designed for Hostile Networks

Most older OT protocols fundamentally lack encryption, authentication, integrity validation, session security and role-based access control. MODBUS has none of these at all: requests and responses are plaintext, and the frame contains no field for a credential or signature. An attacker who can reach the device network can read and write registers, manipulate operational states, disable systems and trigger outputs, with nothing on the protocol side to stop them.
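To make concrete what "plaintext with no native authentication" means for the MODBUS TCP transport described earlier and the attack surface described above, here is an added example, not code from the article or from any vendor, that encodes and decodes Modbus/TCP frames and lists every state-changing write in a set of constructed traffic records. The frame layout follows the public Modbus/TCP specification; the IP addresses, unit id and register numbers are illustrative assumptions.

```python
import struct

# Function codes from the public Modbus application protocol specification.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
READ_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}


def build_adu(transaction_id, unit_id, function, payload):
    """Build a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    The header carries a transaction id, protocol id (always 0), the byte
    count that follows, and the unit id. There is no field for a credential,
    a signature or a nonce, so possession of a TCP connection is the only
    thing the protocol checks.
    """
    pdu = bytes([function]) + payload
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def read_holding_registers(tid, unit, start, count):
    return build_adu(tid, unit, 3, struct.pack(">HH", start, count))


def write_single_register(tid, unit, address, value):
    return build_adu(tid, unit, 6, struct.pack(">HH", address, value))


def parse_adu(frame):
    """Decode one ADU and classify it as read, write, exception or other."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function, data = frame[7], frame[8:]
    info = {"tid": tid, "unit": unit, "function": function}
    if function & 0x80:                       # exception response
        info.update(kind="exception", exception_code=data[0])
    elif function in WRITE_FUNCTIONS:
        # 5/6 carry address + value; 15/16 carry start address + quantity
        address, value = struct.unpack(">HH", data[:4])
        info.update(kind="write", name=WRITE_FUNCTIONS[function],
                    address=address, value=value)
    elif function in READ_FUNCTIONS:
        start, count = struct.unpack(">HH", data[:4])
        info.update(kind="read", name=READ_FUNCTIONS[function],
                    start=start, count=count)
    else:
        info.update(kind="other")
    return info


def writes_seen(observed):
    """Detection helper: list every state-changing request in a set of
    (source_ip, frame) records so it can be compared with the hosts that are
    supposed to write. Reads and exceptions are left out."""
    result = []
    for src, frame in observed:
        info = parse_adu(frame)
        if info["kind"] == "write":
            result.append((src, info["unit"], info["name"],
                           info["address"], info["value"]))
    return result


# Constructed sample traffic, not a real capture: the BMS polls a meter and
# adjusts a setpoint, then a second host on the same flat VLAN rewrites it.
SAMPLE_TRAFFIC = [
    ("10.20.0.5", read_holding_registers(1, 1, 0, 10)),
    ("10.20.0.5", write_single_register(2, 1, 40, 210)),
    ("10.20.0.77", write_single_register(3, 1, 40, 900)),
]

if __name__ == "__main__":
    for record in writes_seen(SAMPLE_TRAFFIC):
        print("write:", record)
```

Nothing inside the two write frames distinguishes the BMS's request from the second host's; the only differentiator is where the packet came from. That is why, for MODBUS, segmentation plus a known list of hosts that are permitted to write is the practical control, and why a monitor that parses function codes on port 502 is worth having even before any protocol upgrade.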

BACnet/IP deployments rely on broadcast discovery: a Who-Is request is answered by every device with an I-Am that announces its device instance, vendor and capabilities, and BBMDs (BACnet Broadcast Management Devices) forward those broadcasts across IP subnets. Poorly segmented networks therefore expose device inventories, system topology, operational metadata and control interfaces to anyone on the same network. BACnet Secure Connect improves this significantly, but adoption remains inconsistent.
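As an added example of the broadcast discovery described above (not the article's own code), the following builds the global Who-Is that any host on the broadcast domain can send and parses the I-Am replies to show what an unauthenticated listener learns. Byte layouts follow the BACnet/IP (Annex J) BVLC header, the NPDU and the APDU application-tag rules; the device instance, max-APDU, segmentation and vendor id values in the sample are constructed, not taken from a real device.

```python
import struct

# Constants from the BACnet/IP (Annex J) and APDU encoding rules.
BVLC_TYPE = 0x81
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
APDU_UNCONFIRMED_REQUEST = 0x10
SERVICE_I_AM = 0x00
SERVICE_WHO_IS = 0x08
OBJECT_TYPE_DEVICE = 8
# NPDU: version 1, control 0x20 (destination present), DNET 0xFFFF = global
# broadcast, DLEN 0, hop count 255.
GLOBAL_BROADCAST_NPDU = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])


def _bvlc(function, body):
    """Prepend the 4-byte BVLC header; its length covers the whole frame."""
    return bytes([BVLC_TYPE, function]) + struct.pack(">H", 4 + len(body)) + body


def _unsigned(value):
    """Application-tagged Unsigned (tag 2) with minimal length (1..4 bytes)."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return bytes([0x20 | len(raw)]) + raw


def build_who_is():
    """Unconfirmed Who-Is with no instance range: every reachable device replies."""
    apdu = bytes([APDU_UNCONFIRMED_REQUEST, SERVICE_WHO_IS])
    return _bvlc(BVLC_ORIGINAL_BROADCAST, GLOBAL_BROADCAST_NPDU + apdu)


def build_i_am(instance, max_apdu, segmentation, vendor_id):
    """The reply a device broadcasts; it volunteers its identity to anyone."""
    obj_id = (OBJECT_TYPE_DEVICE << 22) | (instance & 0x3FFFFF)
    apdu = bytes([APDU_UNCONFIRMED_REQUEST, SERVICE_I_AM])
    apdu += bytes([0xC4]) + struct.pack(">I", obj_id)   # ObjectIdentifier, tag 12, len 4
    apdu += _unsigned(max_apdu)                         # max APDU length accepted
    apdu += bytes([0x91, segmentation])                 # Enumerated, tag 9, len 1
    apdu += _unsigned(vendor_id)
    return _bvlc(BVLC_ORIGINAL_BROADCAST, GLOBAL_BROADCAST_NPDU + apdu)


def strip_npdu(data):
    """Return the APDU that follows the NPDU, skipping any destination and
    source specifiers a BACnet router inserted on the way."""
    if data[0] != 0x01:
        raise ValueError("unsupported NPDU version")
    control = data[1]
    if control & 0x80:
        raise ValueError("network layer message, no APDU present")
    pos = 2
    if control & 0x20:                      # DNET, DLEN, DADR
        pos += 3 + data[pos + 2]
    if control & 0x08:                      # SNET, SLEN, SADR
        pos += 3 + data[pos + 2]
    if control & 0x20:                      # hop count follows the specifiers
        pos += 1
    return data[pos:]


def _read_app_tag(data, pos):
    """Decode one application-tagged primitive with a length below 5."""
    tag = data[pos]
    if tag & 0x08:
        raise ValueError("context tag where an application tag was expected")
    number, length = tag >> 4, tag & 0x07
    if length > 4:
        raise ValueError("extended lengths are not used in I-Am")
    return number, data[pos + 1:pos + 1 + length], pos + 1 + length


def parse_i_am(frame):
    """Extract what an unauthenticated listener learns from one I-Am."""
    if frame[0] != BVLC_TYPE or frame[1] not in (BVLC_ORIGINAL_UNICAST, BVLC_ORIGINAL_BROADCAST):
        raise ValueError("not an Original-NPDU BACnet/IP frame")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("BVLC length does not match frame size")
    apdu = strip_npdu(frame[4:])
    if apdu[:2] != bytes([APDU_UNCONFIRMED_REQUEST, SERVICE_I_AM]):
        raise ValueError("not an I-Am")
    fields, pos = [], 2
    for expected in (12, 2, 9, 2):          # ObjectIdentifier, Unsigned, Enumerated, Unsigned
        number, raw, pos = _read_app_tag(apdu, pos)
        if number != expected:
            raise ValueError("unexpected tag %d" % number)
        fields.append(raw)
    obj_id = struct.unpack(">I", fields[0])[0]
    return {
        "object_type": obj_id >> 22,
        "instance": obj_id & 0x3FFFFF,
        "max_apdu": int.from_bytes(fields[1], "big"),
        "segmentation": fields[2][0],
        "vendor_id": int.from_bytes(fields[3], "big"),
    }


if __name__ == "__main__":
    print("Who-Is:", build_who_is().hex())
    # Constructed reply, not a capture from a real device.
    print("I-Am  :", parse_i_am(build_i_am(1234, 1476, 3, 999)))
```

The Who-Is is twelve bytes with no parameters and no sender identity beyond the IP header, which is why a single UDP datagram to the broadcast address (or to a BBMD) is enough to inventory a site. Seeing Who-Is from a source that is not a known BMS or engineering workstation is a cheap and reliable detection signal on a BACnet/IP segment.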

Early KNX/IP deployments similarly lacked robust security controls: classic KNXnet/IP tunnelling and routing carry no authentication, so any host that can reach the interface can read and write group addresses. KNX Secure now exists, as KNX IP Secure for the IP backbone and KNX Data Secure for the bus itself, but many deployments still rely on older implementations with weak or absent authentication models.

The Hidden Risk: Serial-to-IP Converters

One of the most overlooked risks in modern building infrastructure is the widespread use of serial-to-IP conversion devices. These devices bridge RS-232, RS-422 and RS-485 onto standard Ethernet networks. From an operational standpoint they are incredibly useful. From a cybersecurity standpoint they can become dangerous. A system that once required physical access to a serial port may suddenly become reachable across corporate networks, VPN infrastructure, Wi-Fi environments, remote access systems and cloud-managed gateways. Organisations unintentionally transform isolated OT infrastructure into IoT endpoints.

When Building Systems Become the Threat Vector - Real World Cases

The risks described above are not theoretical. The following incidents illustrate how building control systems have been used as pathways into wider enterprise environments — and in some cases as targets in their own right.

The Retail Chain Breach — Third Party HVAC Access

In a well-documented large-scale retail breach, attackers initially gained access not through the corporate IT network but through credentials stolen from a third-party HVAC contractor. That contractor had been granted remote access into the wider network for monitoring and billing purposes associated with building systems.

Once inside, attackers pivoted laterally before eventually compromising payment systems and stealing data relating to tens of millions of customers.

The HVAC infrastructure was not the ultimate target. It was the bridge. The building systems provided the initial foothold that made everything else possible.

The Casino Aquarium

A North American casino was compromised through an internet-connected smart thermometer installed in a lobby aquarium. Attackers used the insecure IoT device to gain network access before exfiltrating approximately 10GB of data relating to high-value customers.

The device was not considered critical infrastructure. It was an environmental monitoring sensor in a fish tank. Yet it became the entry point for a significant data breach — because it sat on a network with no meaningful segmentation between it and systems containing sensitive information.

The Commercial Building Lockout

In a reported incident at a commercial office building, attackers compromised operational building systems and remotely triggered alarms, locked doors and caused sustained operational disruption — using physical disruption as leverage for extortion demands.

This represents a significant evolution in how building control systems are being targeted. The attack surface was not data. It was the building itself.

BACnet Exposure Research

Security researchers have repeatedly demonstrated exposed BACnet systems accessible online — unauthenticated devices, exposed BMS front ends, insecure remote interfaces and discoverable building controllers. Researchers demonstrated that attackers could potentially manipulate HVAC operation, alter temperatures, disable alarms, enumerate building topology and pivot into connected enterprise networks.

This is not an isolated finding. It represents a systemic industry-wide exposure.

KNX False Data Injection

Academic research demonstrated successful man-in-the-middle attacks against KNX-based building automation systems, including false temperature injection, manipulated sensor data, altered automation behaviours and measurable operational and energy impacts. Protocol-level weaknesses exist where insecure implementations are deployed.

Why This Matters Operationally

Poorly segmented building control systems can potentially provide pathways into corporate IT networks, security systems, payment infrastructure, occupancy systems, environmental controls and life safety systems.

In many real-world deployments, building systems still exist on flat or poorly segmented VLAN architectures. Broadcast-heavy protocols combined with insecure gateways create an environment where visibility expands far beyond original design intentions.
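One practical way to find the flat-VLAN problem described above is to audit flow records (NetFlow, firewall or switch logs) for OT protocol traffic that reaches the field zone from zones that should never be able to. The following is an added example, not from the article; the zone model, address ranges and flow records are assumptions constructed for illustration, while the port numbers are the three protocols' registered defaults.

```python
import ipaddress

# UDP/TCP ports the three protocols use when carried over IP.
OT_PORTS = {502: "Modbus/TCP", 47808: "BACnet/IP", 3671: "KNXnet/IP"}

# Assumed zone model with illustrative addressing (not from the article).
ZONES = {
    "bms-supervisory": ["10.20.0.0/24"],
    "ot-field": ["10.20.10.0/24", "10.20.11.0/24"],
    "corporate": ["10.50.0.0/16"],
    "guest-wifi": ["172.16.0.0/16"],
}
ZONE_NETS = {zone: [ipaddress.ip_network(n) for n in nets] for zone, nets in ZONES.items()}
# Only these zones are permitted to originate OT protocol traffic into the field zone.
MAY_REACH_FIELD = {"bms-supervisory", "ot-field"}


def zone_of(ip):
    """Map an address to its zone; anything outside the model is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETS.items():
        if any(addr in net for net in nets):
            return zone
    return "unknown"


def audit_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port) tuples.

    Returns the OT protocol flows that reach the field zone from a zone the
    segmentation policy should block. Flows on non-OT ports are ignored, and
    field-to-field traffic (including directed broadcasts) is allowed."""
    findings = []
    for src, dst, dport in flows:
        protocol = OT_PORTS.get(dport)
        if protocol is None:
            continue
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst_zone == "ot-field" and src_zone not in MAY_REACH_FIELD:
            findings.append({"src": src, "src_zone": src_zone, "dst": dst, "protocol": protocol})
    return findings


# Constructed flow records, not a real capture.
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.20.10.20", 502),       # BMS polling a meter: expected
    ("10.20.10.20", "10.20.10.255", 47808),  # BACnet broadcast inside the field VLAN: expected
    ("10.50.3.17", "10.20.10.20", 502),      # corporate workstation talking Modbus to plant
    ("172.16.4.9", "10.20.11.3", 3671),      # guest Wi-Fi client reaching a KNX/IP gateway
    ("10.50.3.17", "10.50.0.1", 443),        # ordinary web traffic: ignored
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print("SEGMENTATION GAP:", finding)
```

The same check, run continuously rather than once, doubles as the first detection rule for a building network: a workstation in the corporate zone opening port 502 to a plant controller, or a guest Wi-Fi client touching a KNX/IP interface, is exactly the traffic the incidents in this article depended on. The zone table is the part to keep accurate; the serial-to-IP converters and gateways mentioned earlier belong in the field zone, not wherever they happened to be patched in.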

Integration is increasing faster than security maturity. The modern building increasingly behaves like a converged IP platform. AV systems, CCTV, access control, HVAC, energy management and life safety infrastructure are now frequently interconnected. Operational efficiency has improved dramatically.

Cybersecurity governance often has not evolved at the same pace.

Conclusion

BACnet, KNX and MODBUS remain foundational technologies within modern building infrastructure. Each protocol serves different operational objectives — BACnet enables supervisory integration, KNX supports distributed building automation and MODBUS delivers simple and reliable industrial communication.

Collectively, they underpin much of the modern built environment.

However, the industry's rapid migration toward IP connectivity, cloud integration and remote access has fundamentally altered their security profile. Systems once protected by physical separation are now increasingly exposed through Ethernet gateways, IP conversion devices and interconnected enterprise networks.

The challenge facing industry is therefore no longer simply one of integration. It is one of secure integration.

As operational technology converges with enterprise IT infrastructure, organisations must begin treating building control systems not merely as facilities infrastructure, but as active cybersecurity assets requiring segmentation, monitoring, access control, patch management and long-term governance.

Because increasingly, the building itself has become part of the network.

CMC assesses, designs and protects connected building infrastructure — ensuring that as systems converge, security converges with them. Before systems go in and after they go live. Delivered through our Connect & Protect methodology.

CMC Consultancy Partnership · cmc.partners · referrals@cmc.partner
