Last week, a school district in the southeastern United States had its building management system encrypted by ransomware. Heating systems went into uncontrolled cycles, classrooms hit 88°F by mid-morning, and the facilities team couldn’t override because the WebCTRL workstation that controls them was on a separate domain that the IT team had no visibility into. The district paid the ransom inside 36 hours. We are not naming the district because the public disclosure rules are still working their way through the state attorney general’s office.
This isn’t the first BMS ransomware case in 2026 and it won’t be the last. The attack surface is enormous and largely undefended.
Why BMS systems are uniquely vulnerable
The typical commercial building runs controls software written between 2008 and 2018. The operating system underneath is often Windows Server 2016 or Windows 10 LTSC. The controllers themselves — the actual hardware that opens dampers and runs pumps — speak BACnet, Modbus, or proprietary serial protocols designed before "internet-connected" was the default assumption. Patching is rare because changes risk a building service interruption that nobody wants to authorize. Network segmentation often exists in name only: the BMS workstation gets a "controls VLAN" that’s actually trunked to the same switch as the corporate network because nobody wanted to run new fiber.
The attack vector last week was, predictably, an unpatched WebCTRL Server vulnerability: disclosed in late 2025, assigned a CVE, fixed by the vendor, and never deployed by the customer. The customer had not deployed it because the controls integrator who manages the BMS hadn’t been given a maintenance window in eleven months. The IT MSP serving the district had no purview over BMS. The OT integrator had no purview over IT security. The gap was the perimeter.
What the playbook actually looks like
Most "BMS security" discussion stops at "do segmentation right." That’s necessary but insufficient. The full playbook for a mid-market organization with 1–20 commercial properties:
- Inventory every BMS asset — controllers, workstations, gateways, routers in the controls VLAN, USB drives, modems used for vendor remote access. Most clients we onboard discover 30–60% more assets than their last inventory captured.
- Patch the workstations and gateways on a defined schedule. Quarterly is the floor; monthly is the right answer for any building with critical operations. Schedule with the OT integrator and the building owner during a soak window when occupancy is low.
- Replace any out-of-support OS underneath the BMS. Windows 7 and Server 2008 are still common; both have been EOL for years. Replacement requires the vendor to certify the new OS, which is a six-month conversation in most cases. Start it now.
- Segment the BMS network properly. Separate VLAN, separate firewall, no trunking, explicit allow rules for every cross-VLAN flow, monitored by an OT-aware intrusion detection system (Tenable OT, Claroty xDome, Nozomi).
- Eliminate flat vendor remote access. Vendor support sessions go through a jump host with session recording, MFA, and a time-limited approval workflow. Never give a vendor a permanent VPN to your controls network.
- Back up the BMS configuration weekly. Not the workstation image — the actual sequence-of-operations files, the trend logs, the schedule overrides. If ransomware encrypts the workstation, you need to be able to restore controls from a clean machine in hours, not days.
- Run an OT-aware tabletop annually. The IT incident response runbook does not cover "the boilers are running away because we lost control." Fix that before you need it.
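The segmentation step above says "explicit allow rules for every cross-VLAN flow." One way to check that the rules you wrote match what the network is actually doing is to audit observed flow records against the allowlist and report every cross-VLAN flow that no rule covers. The script below is an added illustration, not Intelligent IT's code or any product's; the VLAN ranges, the two allow rules (a jump host reaching the BMS workstation over RDP, a historian pulling BACnet/IP from the controllers) and the NetFlow-style sample records are all constructed for this example.

```python
"""Audit observed cross-VLAN flows against an explicit controls-VLAN allowlist.

Added example, not Intelligent IT code. VLAN ranges, allow rules and the
sample flow records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

CONTROLS_VLAN = ipaddress.ip_network("10.50.0.0/24")   # assumed controls VLAN
CORPORATE_VLAN = ipaddress.ip_network("10.10.0.0/16")  # assumed corporate VLAN


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: int


# Explicit allow rules (assumed): only the jump host may reach the BMS
# workstation over RDP, and only the historian may poll BACnet/IP (UDP 47808)
# on the controllers. Anything else crossing the VLAN boundary is a finding.
ALLOW_RULES = [
    Rule(ipaddress.ip_network("10.10.5.10/32"),
         ipaddress.ip_network("10.50.0.20/32"), "tcp", 3389),
    Rule(ipaddress.ip_network("10.10.5.30/32"), CONTROLS_VLAN, "udp", 47808),
]

# Constructed NetFlow-style records: (src, dst, proto, dst_port)
SAMPLE_FLOWS = [
    ("10.10.5.10", "10.50.0.20", "tcp", 3389),   # jump host -> workstation: allowed
    ("10.10.5.30", "10.50.0.41", "udp", 47808),  # historian -> controller: allowed
    ("10.10.77.8", "10.50.0.20", "tcp", 445),    # corporate laptop -> workstation SMB
    ("10.50.0.20", "10.10.5.99", "tcp", 443),    # workstation -> corporate host
    ("10.50.0.41", "10.50.0.42", "udp", 47808),  # intra-VLAN BACnet: not cross-VLAN
]


def is_cross_vlan(src, dst):
    """True when exactly one end of the flow sits in the controls VLAN."""
    return (src in CONTROLS_VLAN) != (dst in CONTROLS_VLAN)


def allowed(src, dst, proto, port):
    """True when some allow rule covers this flow exactly."""
    return any(src in r.src and dst in r.dst and r.proto == proto and r.port == port
               for r in ALLOW_RULES)


def audit(flows):
    """Return every cross-VLAN flow that no allow rule covers."""
    violations = []
    for s, d, proto, port in flows:
        src, dst = ipaddress.ip_address(s), ipaddress.ip_address(d)
        if not is_cross_vlan(src, dst):
            continue  # intra-VLAN traffic is out of scope for this check
        if not allowed(src, dst, proto, port):
            violations.append((s, d, proto, port))
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("uncovered cross-VLAN flow:", v)
```

Run it against a day of flow export from the switch or firewall that sits between the two VLANs; every line it prints is either a missing rule or a flow that should not exist, and both are worth a ticket.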
What we’re shipping at Intelligent IT
AiTBMS and AiTCSG are our vendor-agnostic BMS analytics and control products. They sit on top of WebCTRL, Niagara, Trane, Distech, and Siemens Desigo — the dominant controllers in the US commercial market. The products read trend data continuously, watch for fault patterns and security anomalies (sudden setpoint changes from unauthorized sources, simultaneous heating-cooling, cross-VLAN scan attempts), and route alerts into the same SOC pipeline that handles your IT side. The writeback control path requires human approval per change, with full audit trail to your facilities team.
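The three anomaly patterns named above (setpoint changes from unauthorized sources, sudden setpoint jumps, and heating and cooling running at the same time) are simple enough to express as rules over a trend and audit stream. The script below is an added illustration of that detection logic, not AiTBMS or AiTCSG code; the record format, point names, the set of approved writeback sources and the jump threshold are all assumed, and the sample records are constructed.

```python
"""Flag the BMS anomaly patterns described in the text over a trend/audit stream.

Added example, not AiTBMS/AiTCSG code. Record format, point names, authorized
writers and thresholds are assumptions; the sample records are constructed.
"""
from collections import defaultdict

AUTHORIZED_WRITERS = {"bms-operator", "schedule-engine"}  # assumed approved sources
SETPOINT_JUMP_F = 6.0  # assumed: one write moving a setpoint >6°F is suspicious

# Constructed records: (timestamp, point, value, source)
SAMPLE_RECORDS = [
    ("08:00", "AHU1.ZoneSetpoint", 70.0, "schedule-engine"),
    ("08:00", "AHU1.HeatingValve", 40.0, "controller"),
    ("08:00", "AHU1.CoolingValve", 0.0, "controller"),
    ("08:15", "AHU1.ZoneSetpoint", 71.0, "bms-operator"),
    ("09:30", "AHU1.ZoneSetpoint", 88.0, "svc_remote"),   # unapproved source, big jump
    ("09:30", "AHU1.HeatingValve", 100.0, "controller"),
    ("09:30", "AHU1.CoolingValve", 65.0, "controller"),   # heating and cooling at once
]


def detect_anomalies(records):
    """Return a list of (alert_type, timestamp, subject, detail) tuples."""
    alerts = []
    last_setpoint = {}           # point -> last seen setpoint value
    valves = defaultdict(dict)   # (timestamp, unit) -> {valve_name: position}
    for ts, point, value, source in sorted(records):
        unit, attr = point.split(".", 1)
        if attr.endswith("Setpoint"):
            # Rule 1: a setpoint write from anything outside the approved set.
            if source not in AUTHORIZED_WRITERS:
                alerts.append(("unauthorized_setpoint_write", ts, point, source))
            # Rule 2: a single write that moves the setpoint further than the threshold.
            prev = last_setpoint.get(point)
            if prev is not None and abs(value - prev) > SETPOINT_JUMP_F:
                alerts.append(("setpoint_jump", ts, point, round(value - prev, 1)))
            last_setpoint[point] = value
        elif attr in ("HeatingValve", "CoolingValve"):
            # Rule 3: both valves open on the same unit at the same timestamp.
            positions = valves[(ts, unit)]
            positions[attr] = value
            if positions.get("HeatingValve", 0) > 0 and positions.get("CoolingValve", 0) > 0:
                alerts.append(("simultaneous_heat_cool", ts, unit, None))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_RECORDS):
        print(alert)
```

The point of routing these into the same SOC pipeline as the IT side is that rule 1 (an unapproved writer) is the one an IT analyst can act on immediately, while rules 2 and 3 are the ones a facilities engineer recognizes as "the building is being driven, not just misconfigured."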
Critically, the products are multi-tenant — the MSP can serve a portfolio of buildings without exposing any property owner’s data to the others. That matters because real-estate firms with multiple properties were a major target for the ransomware crew that hit the school district last week.
What you should ask your current MSP and OT integrator this week
- Show me the inventory of every device on our BMS network, including the firmware version and last-patch date.
- What’s the segmentation between our BMS network and our corporate network, and what intrusion detection covers it?
- How do BMS vendor support sessions reach our equipment, and what controls govern that access?
- If WebCTRL were encrypted at noon today, what’s our recovery time and what would it cost?
- Who owns BMS security — the MSP, the OT integrator, or the building owner? If the answer is "we’re working on it," that’s the conversation.
Vendor-agnostic BMS analytics + security — one platform across your portfolio
AiTBMS and AiTCSG read every major controller (WebCTRL, Niagara, Trane, Distech, Siemens Desigo), watch for fault patterns and security anomalies, and route into your existing SOC. White paper WP-03 has the full architecture.
The bottom line
BMS ransomware is operational. The school district last week paid the ransom. Several real-estate firms paid theirs in March and April but didn’t disclose. Whatever the SEC’s 2026 cyber-disclosure rules end up doing, the buildings will keep getting attacked, and the firms that are ready will recover in hours while the ones that aren’t will explain themselves to insurance carriers and parents. The right time to build the playbook was last quarter. The next-best time is this week.