According to Dark Reading, security researcher Gjoko Krstic discovered over 800 vulnerabilities, including many zero-day flaws, in building automation systems operating across 30 countries and 220 cities worldwide. The research, dubbed “Project Brainfog,” uncovered an 18-year-old codebase originally written by American Auto-Matrix in 2008, later acquired by Cylon Controls, and eventually absorbed by ABB in 2020. The vulnerabilities affect real-world infrastructure including hospitals, airports, stadiums, and government buildings, with exposed systems including London’s iconic “Walkie Talkie” building. Despite vendor remediation efforts reducing exposed systems from 1,000 to 200, Krstic warns many remain online with only 80% of issues fixed. This discovery highlights critical infrastructure risks that demand immediate attention.
The Silent Infrastructure Time Bomb
The discovery of an 18-year-old codebase operating in critical infrastructure represents a systemic failure in technology lifecycle management. What makes this particularly alarming is that these building automation systems control environmental systems, security access, and life safety equipment – functions that directly impact human safety. The fact that these systems required internet connectivity for updates while being designed for air-gapped operation creates an inherent contradiction that many organizations fail to recognize. This isn’t just about theoretical vulnerabilities; we’re talking about systems where a single vulnerability could allow remote manipulation of fire suppression systems or HVAC controls, potentially causing physical damage or creating unsafe conditions in occupied buildings.
How Corporate Mergers Amplify Cyber Risk
The acquisition chain from American Auto-Matrix to Cylon Controls to ABB demonstrates a critical gap in technology due diligence during mergers and acquisitions. When large companies acquire smaller firms, they often focus on intellectual property and market share while treating cybersecurity as a secondary concern. The reality is that every acquisition brings not just assets but also technical debt and security liabilities. This case shows how vulnerabilities can travel across decades and corporate boundaries, becoming someone else’s problem without proper accountability. The lack of comprehensive code audits during these transitions means that security flaws become institutionalized rather than resolved.
The Economics of Vulnerability Discovery
Finding 800+ vulnerabilities, including numerous zero-day flaws, represents an unprecedented scale of discovery in critical infrastructure systems. What’s particularly concerning is how easily these systems were identified through simple online reconnaissance. The fact that building names were exposed without authentication suggests fundamental design flaws in how these systems communicate. For security researchers and potential attackers alike, this creates a target-rich environment where the barrier to entry is remarkably low. The vendor response – issuing silent patches without proper CVE assignments – further complicates the situation by making it difficult for organizations to understand their actual risk exposure.
Where Security Standards Fall Short
While frameworks like IEC 62443 and the EU’s Cyber Resilience Act provide guidance, this case reveals significant gaps in enforcement and compliance verification. The inconsistent vulnerability scoring – where minor bugs received maximum severity ratings while critical remote code execution flaws were downgraded – demonstrates how subjective risk assessment can undermine security priorities. The upcoming presentation at Black Hat Europe 2025 will likely catalyze much-needed discussion about mandatory security reviews for legacy systems in critical infrastructure. The reality is that voluntary standards alone cannot address the economic incentives that prioritize functionality over security.
What Building Owners Need to Know
The exposure of iconic structures like London’s “Walkie Talkie” building should serve as a wake-up call for facility managers worldwide. Many organizations operate under the false assumption that building automation systems are inherently secure or operate in isolated networks. The truth is that modern buildings increasingly rely on interconnected systems that create unexpected attack surfaces. Organizations must maintain accurate inventories of all connected systems, understand their update cycles, and verify that vendors follow transparent security practices. The days of treating building controls as mere operational technology rather than critical cybersecurity assets must end.
The Path Forward for Smart Infrastructure
This discovery represents a pivotal moment for smart city development globally. As municipalities rush to implement connected infrastructure, they must balance innovation with security fundamentals. The solution isn’t to abandon automation but to implement robust security-by-design principles, regular third-party audits, and transparent vulnerability management processes. The fact that 20% of exposed systems remain unaddressed suggests we’re dealing with a long-tail problem that will require sustained attention. Building owners, technology vendors, and regulatory bodies must collaborate to establish clearer accountability and more rigorous security standards for the infrastructure that literally supports our daily lives.