Learn by Directing AI
Unit 5

The Al Wakra Problem and the Legacy Protocol

Step 1: Test the Al Wakra BMS

The segmentation works for the Doha buildings. Their BMS containers support authentication endpoints and respond correctly to access control. The Al Wakra building is different.

Test the bms-alwakra container. Try to reach its management interface from the building systems zone.

curl http://bms-alwakra:8080/control -X POST

The Doha BMS requires an authorization token and rejects unauthorized requests. The Al Wakra BMS accepts the command without any authentication. It has no /auth endpoint. The legacy protocol predates the network security requirements.

Segmentation isolates this container from the tenant zone -- that part works. But within the building systems zone, any container that can reach the Al Wakra BMS can send commands without authentication. The segmentation prevents external access, but it does not solve the internal vulnerability.

This is the architectural reality: some systems cannot be brought into full compliance. The Al Wakra BMS would need a hardware replacement to support modern authentication. That is a capital expenditure decision, not a configuration change.

Step 2: Research compensating controls

When the primary control (authentication) cannot be applied, a compensating control reduces the residual risk. Research the options:

  • Dedicated monitoring with aggressive alerting -- monitor all traffic to the Al Wakra BMS and alert on anything unexpected. Lower thresholds than standard monitoring. The idea: if you cannot prevent unauthorized access, detect it immediately.
  • Network-level authentication proxy -- place a proxy in front of the BMS that handles authentication before forwarding requests. The BMS does not need to support authentication if something upstream enforces it.
  • Physical isolation -- move the Al Wakra BMS to its own dedicated network segment with no connectivity to any other zone except through a controlled gateway.
  • Risk acceptance with documentation -- document the risk, the reason it cannot be mitigated through standard controls, and accept the residual risk with board awareness.

Each approach has different cost, complexity, and risk profiles. There is no single correct answer.

Step 3: Implement the compensating control

Choose an approach and implement it. Direct AI to configure the compensating control.

If you choose dedicated monitoring: configure specific Alloy collection rules for the Al Wakra BMS container, create a dedicated Grafana dashboard panel with lower alert thresholds, and write Sigma rules that fire on any control commands to the Al Wakra BMS that do not originate from the management zone.
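The detection logic that the Sigma rule in this step has to express, written as an added Python example (it is not part of the course material or the lab's own configuration). The management-zone CIDR, the key=value log layout and the sample lines are assumptions constructed for illustration; the container name and the /control path come from Step 1.

```python
import ipaddress

# Assumed for this example: the zone CIDR and the key=value log layout.
MGMT_ZONE = ipaddress.ip_network("10.30.0.0/24")
TARGET, CONTROL_PATH = "bms-alwakra", "/control"  # names taken from the page

# Constructed sample lines, not captured from a real system.
SAMPLE_LOG = """\
ts=2025-08-03T02:14:01Z src=10.30.0.12 dst=bms-alwakra method=POST path=/control status=200
ts=2025-08-03T02:14:07Z src=10.20.0.5 dst=bms-alwakra method=POST path=/control status=200
ts=2025-08-03T02:14:09Z src=10.20.0.5 dst=bms-doha method=POST path=/control status=401
ts=2025-08-03T02:15:30Z src=10.20.0.7 dst=bms-alwakra method=GET path=/status status=200
ts=2025-08-03T02:16:02Z src=- dst=bms-alwakra method=POST path=/control/ status=200
ts=2025-08-03T02:16:40Z src=10.20.0.9 dst=bms-alwakra method=GET path=/control status=404
truncated line with no fields
"""

def parse_line(line):
    """Return the line's fields, or None when required fields are missing."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return fields if {"src", "dst", "path"} <= fields.keys() else None

def from_mgmt_zone(src):
    """True only for a parseable address inside the management zone."""
    try:
        return ipaddress.ip_address(src) in MGMT_ZONE
    except ValueError:
        return False  # missing or malformed source counts as untrusted

def detect(log_text):
    """Return (alerts, unparsed): alert on any /control request to the
    target from outside the management zone, whatever the HTTP method."""
    alerts, unparsed = [], 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        f = parse_line(line)
        if f is None:
            unparsed += 1  # surfaced so a logging gap is visible
            continue
        path = f["path"].rstrip("/")
        hits_control = path == CONTROL_PATH or path.startswith(CONTROL_PATH + "/")
        if f["dst"] == TARGET and hits_control and not from_mgmt_zone(f["src"]):
            # A 2xx status means the BMS accepted the command.
            f["severity"] = "high" if f.get("status", "").startswith("2") else "medium"
            alerts.append(f)
    return alerts, unparsed

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG)[0]:
        print(alert["severity"], alert.get("ts"), alert["src"], alert["path"])
```

An unparseable source address is treated as outside the management zone, so a log line with a missing source still alerts, and the count of unparsed lines gives the dashboard a signal when the log feed itself degrades.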

The compensating control should make the residual risk manageable. It does not eliminate the risk -- only replacing the legacy system does that. But it reduces the window between an unauthorized access and your detection of it.

Step 4: Document the exception

Write an exception record for the Al Wakra BMS. This document serves three purposes: it explains why the standard segmentation control cannot be applied, it describes the compensating control and its rationale, and it recommends the long-term solution (system replacement) with an estimated cost.

The exception record should include:

  • System identification -- which building, which system, what protocol
  • Compliance status -- non-compliant with the segmentation standard and why
  • Compensating control -- what was implemented, how it reduces the risk
  • Residual risk -- what remains despite the compensating control
  • Recommended upgrade -- replace the legacy BMS with a modern system
  • Estimated cost -- for Fatima to include in the board presentation
  • Review date -- when this exception should be reassessed

This documentation is not a formality. If the Al Wakra BMS is compromised and no one documented the known risk, the organization has no defense in the insurance claim. If the risk was documented, accepted with compensating controls, and scheduled for resolution, the organization demonstrated due diligence.

Step 5: Ask Fatima about upgrade plans

Contact Fatima about the Al Wakra building's technology status. Ask whether there are plans to upgrade the building systems and what the budget constraints are.

Fatima confirms the Al Wakra complex uses older technology. She says the board would need to approve a system replacement and asks you to include the cost in the remediation plan so she can present options. She wants to know whether the building is safe in the meantime.

This is where the physical consequences of BMS compromise become concrete. If someone gets from the tenant Wi-Fi to the Al Wakra building systems, they are not just reading data. In August in Qatar, manipulating HVAC affects the families living in those buildings. Disabling fire suppression puts lives at risk. The compensating control is not an abstract security measure -- it is the difference between detecting a threat to physical safety and not knowing it happened.

Check: The compensating control is in place and functioning (monitoring alerts fire when unexpected traffic reaches the Al Wakra BMS). The exception is documented with risk assessment and recommended upgrade path.