Johnson Controls was hit with a severe ransomware incident in September 2023 that escalated well beyond a simple IT outage. The company has confirmed the event included unauthorized access, data exfiltration and deployment of ransomware to a portion of its internal IT infrastructure, and reported roughly $27 million in direct impacts to net income for the quarter ending December 31, 2023 as a result of response and remediation.
Public analysis and reporting tied the intrusion to a ransomware operation known as Dark Angels. The group claimed it had stolen large volumes of corporate data, encrypted VMware ESXi virtual machines, and demanded a multi million dollar ransom. Those claims were widely reported during the fall 2023 disclosures and subsequent coverage.
Why this matters to building owners and facility security teams is blunt and simple: Johnson Controls is not a peripheral supplier. It supplies building automation, physical security, HVAC controls and software platforms used in critical facilities worldwide. A ransomware gang that can move from an initial foothold into the enterprise virtualization layer poses a real danger to building management systems that sit on, or bridge to, corporate IT. The mechanism of impact in this case included ESXi level compromise. Encrypting at the hypervisor hits every guest on a host at once, including virtualized backup servers and management consoles, so attackers can take workloads offline and leave backups unusable in a single step.
The risk surface is twofold. First, product vulnerabilities in building management systems add avoidable exposure. Johnson Controls and CISA released advisories in late 2023 about exploitable flaws in Metasys and related products that could lead to denial of service and other impacts if left unpatched. The same advisory reiterated standard ICS guidance: do not expose control system interfaces to the internet, and isolate OT from IT.
Second, supply chain and enterprise level compromise can turn trusted vendors into attack corridors. When an intruder gains a persistent foothold in a vendor environment they can enumerate customers, steal engineering documents, network diagrams and credentials, and then strike production environments or customers downstream. Double extortion, meaning the combination of encryption plus data theft used to coerce payment, is now a standard playbook.
If you operate or manage buildings, act on two immediate truths. One, assume attackers will target hypervisor layers, management consoles and backup systems when they want to maximize impact. Two, assume vendor environments are attractive targets and that your BMS could be collateral damage even if the vendor says core product services are unchanged. Treat both assumptions as operational requirements, not hypotheticals.
Hard, practical steps for facility and security leaders:
- Enforce strict network segmentation. Put BMS controllers, supervisory engines and field controllers on segregated VLANs behind firewalls, with explicitly allow-listed access from corporate IT (ideally only through a jump host) and no paths to or from the public internet. Follow CISA ICS guidance for segmentation and isolation.
- Protect the virtualization and backup stack as a priority asset. Patch ESXi hosts and vCenter, restrict the management plane (SSH, the host client and vCenter interfaces) to a minimal set of jump hosts, log and monitor hypervisor activity, and keep backups on immutable storage or offline copies that a compromised hypervisor or domain account cannot reach. Test restore procedures under realistic conditions.
- Patch and inventory BMS software aggressively. Maintain an authoritative inventory of Metasys, Facility Explorer and related components, including firmware versions. Apply vendor advisories and patches promptly and validate vendor-supplied mitigations. Require vendors to document secure configuration and update cadence.
- Assume data theft. Enforce least privilege for file shares and document repositories. Encrypt sensitive design and configuration data at rest. Monitor for unusual exfiltration patterns, such as a host sending far more than its normal outbound volume or talking to external destinations it has never used, and integrate network egress monitoring into your SOC use cases.
- Put contractual and operational pressure on suppliers. Require incident notification clauses, regular security attestations, third party penetration test results and SOC reports. Ensure vendors support out of band communications and recovery playbooks for affected facilities. Treat vendor security posture as part of your operational risk register.
- Exercise and plan for degraded operations. BMS outages can cause safety, comfort and life safety impacts. Test manual procedures, failover controls and emergency response plans. Know which systems must run in degraded mode and who at the facility will own those actions when IT systems are down.
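The segmentation and hypervisor management-plane items above are easy to state and easy to violate quietly with one broad firewall rule. The following added example (written for this page, not Johnson Controls, CISA or any vendor's tooling) lints a rule set against a small zone model. The zone CIDRs, the rule format, the hypervisor management ports (assumed 22, 443 and 902) and the policy it enforces are all assumptions chosen to illustrate the checks: nothing from the internet reaches BMS or hypervisor management, corporate IT never reaches BMS directly, hypervisor management ports are reachable only from the jump-host zone, and no "any port" rule points into the BMS zones from outside them.

```python
"""Lint a firewall rule set against a BMS segmentation model.

Added example, not Johnson Controls, CISA or any vendor's tooling. The zone
CIDRs, the rule format and the policy being enforced are assumptions chosen
to illustrate the checks.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: object  # TCP port (int) or the string "any"
    action: str   # "allow" or "deny"


# Constructed zone model (assumption); real deployments will differ.
ZONES = {
    "corp_it": ip_network("10.10.0.0/16"),
    "jump_hosts": ip_network("10.20.5.0/24"),
    "esxi_mgmt": ip_network("10.20.1.0/24"),
    "bms_supervisory": ip_network("10.30.1.0/24"),  # supervisory engines / BMS servers
    "bms_field": ip_network("10.30.2.0/24"),        # field controllers
}
BMS_ZONES = {"bms_supervisory", "bms_field"}
ESXI_MGMT_PORTS = {22, 443, 902}  # assumed hypervisor management ports


def zones_of(cidr: str) -> set[str]:
    """Zones a CIDR touches. Address space outside every defined zone
    (including 0.0.0.0/0) is treated as untrusted and labelled 'internet'."""
    net = ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("internet")
    return hit


def classify(rule: Rule) -> str | None:
    """Return the most severe policy violation for an allow rule, else None."""
    if rule.action != "allow":
        return None
    src, dst = zones_of(rule.src), zones_of(rule.dst)
    protected = BMS_ZONES | {"esxi_mgmt"}
    hits_mgmt_port = rule.port == "any" or rule.port in ESXI_MGMT_PORTS
    if "internet" in src and dst & protected:
        return "INTERNET-EXPOSURE"
    if "esxi_mgmt" in dst and hits_mgmt_port and src != {"jump_hosts"}:
        return "HYPERVISOR-MGMT-PATH"
    if "corp_it" in src and dst & BMS_ZONES:
        return "DIRECT-IT-TO-BMS"
    if dst & BMS_ZONES and rule.port == "any" and src - BMS_ZONES:
        return "OVERBROAD-ANY-PORT"
    return None


def audit(rules: list[Rule]) -> list[tuple[str, Rule]]:
    """One finding per offending allow rule, in rule order."""
    findings = []
    for rule in rules:
        label = classify(rule)
        if label:
            findings.append((label, rule))
    return findings


# Constructed rule set with deliberate violations (assumption, for illustration).
SAMPLE_RULES = [
    Rule("0.0.0.0/0", "10.30.1.0/24", 443, "allow"),        # BMS web UI exposed to the internet
    Rule("10.10.0.0/16", "10.30.1.0/24", 443, "allow"),     # corporate IT straight to BMS
    Rule("10.10.0.0/16", "10.20.1.0/24", 443, "allow"),     # corporate IT to ESXi management
    Rule("10.20.5.0/24", "10.20.1.0/24", 443, "allow"),     # jump host to ESXi management: fine
    Rule("10.20.5.0/24", "10.30.1.0/24", 443, "allow"),     # jump host to BMS UI: fine
    Rule("10.30.1.0/24", "10.30.2.0/24", "any", "allow"),   # supervisory to field, inside BMS: fine
    Rule("10.10.0.0/16", "10.30.2.0/24", "any", "allow"),   # corporate IT, any port, to field controllers
    Rule("0.0.0.0/0", "10.30.0.0/16", "any", "deny"),       # default deny, ignored by the lint
]

if __name__ == "__main__":
    for label, rule in audit(SAMPLE_RULES):
        print(f"{label:22} {rule.src:>14} -> {rule.dst:<14} port={rule.port}")
```

The lint is deliberately conservative: a source that is not fully inside a defined zone (0.0.0.0/0, or a /8 that spans several zones) is treated as untrusted, so overly broad rules surface even when they were written with an internal network in mind. Run it against an export of the actual rule base on every change, and treat each finding as a ticket rather than a warning.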
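The "assume data theft" item asks for egress monitoring without saying what a usable detection looks like. The added example below (written for this page; not SOC tooling from Johnson Controls or any product) baselines each host's daily outbound volume to external destinations and raises an alert on a large departure from that baseline or on a never-seen external destination. The flow record shape (day, source IP, destination IP, bytes out), the internal address ranges, the thresholds and the flow records themselves are constructed assumptions for the demo.

```python
"""Flag hosts whose outbound traffic to external destinations breaks from their own baseline.

Added example, not SOC tooling from the page's vendor or any product. The flow
record shape (day, src_ip, dst_ip, bytes_out), the internal ranges and the
thresholds are assumptions; the records are constructed for the demo.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
MB = 1_000_000


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def _steady(host, dst, days, per_day):
    """Constructed baseline: the same outbound volume every day."""
    return [(d, host, dst, per_day) for d in range(1, days + 1)]


# Constructed flow summaries (assumption): one row per host/destination/day.
FLOWS = (
    _steady("10.30.1.10", "203.0.113.5", 7, 60 * MB)      # BMS engineering server -> off-site mirror
    + _steady("10.10.4.22", "198.51.100.7", 7, 5 * MB)    # corporate workstation -> update CDN
    + [
        (8, "10.30.1.10", "203.0.113.5", 40_000 * MB),     # day 8: 40 GB, hundreds of times normal
        (8, "10.10.4.22", "198.51.100.7", 6 * MB),         # day 8: normal volume
        (8, "10.10.4.22", "192.0.2.77", 2 * MB),           # day 8: small, but a never-seen destination
        (8, "10.10.4.22", "10.10.9.9", 900 * MB),          # internal copy: not egress, ignored
    ]
)


def egress_by_host(flows):
    """Per host: bytes to external destinations per day, and the destinations used per day."""
    volume = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for day, src, dst, nbytes in flows:
        if is_external(dst):
            volume[src][day] += nbytes
            dests[src][day].add(dst)
    return volume, dests


def detect(flows, day, ratio=10.0, floor=500 * MB):
    """Alert when a host's egress on `day` exceeds `ratio` x its median prior daily egress
    (and an absolute floor, so quiet hosts do not alert on noise), or when it talks to an
    external destination never seen in its history."""
    volume, dests = egress_by_host(flows)
    alerts = []
    for host in volume:
        history = [v for d, v in volume[host].items() if d < day]
        today = volume[host].get(day, 0)
        baseline = median(history) if history else 0
        if today > max(ratio * baseline, floor):
            alerts.append(("VOLUME", host, today, baseline))
        seen = set().union(*(dests[host][d] for d in dests[host] if d < day))
        new = dests[host].get(day, set()) - seen
        if new:
            alerts.append(("NEW-DST", host, sorted(new)))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS, day=8):
        print(alert)
```

Two caveats for anyone turning this into a SOC use case. A per-host median with an absolute floor keeps quiet hosts from alerting on noise, but an attacker who throttles exfiltration under the ratio will stay below the volume check, which is why the never-seen-destination check runs alongside it and why destination reputation and DNS volume belong in the same rule set. The baseline also needs enough history to be meaningful; a host with one day of data has no baseline, only the floor.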
The Johnson Controls incident is a wake up call, not a one off. Building systems are becoming more integrated into enterprise IT and cloud ecosystems. That converged architecture improves efficiency, but it also amplifies the attack surface. If you manage facilities or specify BMS equipment you must prioritize segmentation, vendor accountability, hypervisor and backup protection, and realistic recovery planning. Do not wait until your building becomes a high value target in someone else’s extortion playbook.