In the world of smart buildings, the building automation system (BAS) has evolved from a simple control mechanism to the central nervous system of a facility, orchestrating critical functions like HVAC, lighting, security, and access control.

As this connectivity and intelligence grow, so too do the vulnerabilities they introduce. This new reality places a critical responsibility on specifiers, who must now think beyond mere functionality and efficiency to ensure the security and resilience of these systems against a rising tide of cyber threats.

A recent report shows that while the global average cost of a data breach is on the decline at $4.44 million, the United States is bucking this trend, with the average cost surging by 9% to an all-time high of $10.22 million.[i] This significant financial risk, driven by steeper regulatory penalties and higher detection costs, underscores the need for proactive security measures.

The Evolving Role of the Specifier

The traditional focus of a specifier is centered on performance metrics, energy savings, and capital costs. Today, that focus must expand to include a robust cybersecurity framework. This can be a key way to safeguard a client's business continuity, protect their investments, and ensure the safety of occupants. A specifier's professional reputation is increasingly tied to their ability to deliver secure and reliable building solutions. By incorporating industry best practices and staying ahead of cybersecurity trends, specifiers can demonstrate their commitment to excellence and build critical trust with their clients.

Understanding OT vs. IT: The New Frontier of Building Security

A critical first step in specifying a secure building is understanding the difference between Information Technology (IT) and Operational Technology (OT). IT refers to the traditional systems that manage data for business operations, like computers and servers. OT, on the other hand, is the hardware and software that directly monitors and controls physical processes and devices, such as HVAC, lighting, and access control systems. These systems are the building’s operational nervous system.

The convergence of IT and OT in modern smart buildings has created a new, complex attack surface. A breach in an OT environment, for example, can have a tangible impact, disrupting business operations and even causing physical damage. Many industry reports indicate that security system complexity and compromised IoT and OT environments are both factors that increase the average cost of a data breach. As a specifier, you have a vital role in ensuring these two worlds are connected securely yet remain segmented to mitigate risk.

Actionable Insights for Specifying a Secure Foundation

Securing a building automation system must begin at the design phase, not as an afterthought. Specifiers should integrate cybersecurity considerations from the outset, collaborating with cybersecurity experts and stakeholders to define security requirements and objectives. Here are specific, actionable steps to integrate into your specifications:

  • Specify a Secure System Architecture: Mandate that systems have robust security features built into their core design. Look for solutions that require strong authentication, such as multi-factor authentication, for all system access. A critical component is network segmentation, which isolates the BAS (OT) network from other building networks (IT) to limit the impact of any potential breach. Consider ensuring that sensitive data is encrypted, both when it is in transit and when it is at rest. Finally, specify the inclusion of intrusion detection and prevention systems to monitor network traffic for suspicious activity.
  • Streamlining Communication and Integration: Beyond security, a well-designed network architecture must also enable seamless communication and robust integration without compromising the customer's IT network.

    A specialized router acts as a secure gateway, isolating building automation devices from the broader network. Its main value is simplicity, and it can also provide enhanced security: the router requires only a single IP address for all isolated devices, which reduces IT complexity and can help minimize potential attack surfaces. This type of router should seamlessly route BACnet across all common network types, including BACnet/IP, BACnet/Ethernet, BACnet Secure Connect (SC), ARCNET, and MS/TP, ensuring compatibility with existing and future infrastructure. It should also serve as a BACnet Broadcast Management Device (BBMD) and support foreign device registration to manage network traffic and streamline the discovery of third-party devices. This approach can make it easier to specify protocols that are both open and secure.
  • Demand Secure Development Practices from Manufacturers: The security of a system is only as strong as its origin. Insist that manufacturers adhere to secure coding practices and conduct regular vulnerability assessments throughout their product's development lifecycle.
  • Insist on Open, Yet Secure, Protocols: Open protocols allow for powerful integration capabilities across various environmental, energy, security, and safety systems into a single, unified platform. However, specifying open protocols is not enough. You must also ensure that secure communication protocols are implemented to protect data integrity and confidentiality. Striking the right balance between openness and security plays an important role in building a system that can stand the test of time.
  • Prioritize Long-Term System Viability: The life cycle of a building is long, and its automation system should be designed to last. Specify systems that are built with long-term customer value in mind, including backward compatibility across versions. This ensures that building owners and operators can upgrade at their own pace without the burden of costly system overhauls every few years. This approach protects prior investments, minimizes operational disruptions, and reduces the need for extensive retraining, making modernization both practical and cost-effective.
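
The segmentation requirement and the single-IP router design described above can be verified against network flow records once a system is commissioned. The following check is an added example, not from the article or any vendor: the OT subnet, the router's IT-side address, and the flow records are all constructed assumptions.

```python
import ipaddress

BACNET_IP_PORT = 47808  # 0xBAC0, the default BACnet/IP UDP port

# Assumed addressing for illustration only (not from the article).
OT_SUBNET = ipaddress.ip_network("10.20.0.0/24")     # isolated BAS devices
ROUTER_IT_IP = ipaddress.ip_address("192.168.10.5")  # router's single IT-side address

# Constructed flow records: (source, destination, protocol, destination port)
SAMPLE_FLOWS = [
    ("192.168.10.40", "192.168.10.5", "udp", 47808),   # workstation to router: expected path
    ("10.20.0.11", "10.20.0.12", "udp", 47808),        # controller to controller inside OT
    ("192.168.10.77", "10.20.0.11", "udp", 47808),     # IT host reaching a controller directly
    ("10.20.0.30", "192.168.10.200", "tcp", 445),      # OT device reaching an IT file share
    ("192.168.10.40", "192.168.10.90", "udp", 47808),  # BACnet/IP between two IT hosts
    ("192.168.10.40", "192.168.10.60", "tcp", 443),    # ordinary IT traffic
]


def audit_flows(flows, ot_subnet=OT_SUBNET, router_ip=ROUTER_IT_IP):
    """Return (flow, reason) pairs for flows that break the segmentation design."""
    findings = []
    for flow in flows:
        src, dst, proto, port = flow
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_ot, dst_ot = src_ip in ot_subnet, dst_ip in ot_subnet
        if src_ot != dst_ot:
            # Exactly one endpoint is an OT device: the flow crossed the
            # boundary directly instead of terminating on the router.
            findings.append((flow, "direct IT/OT crossing bypasses the router"))
        elif (not src_ot and proto == "udp" and port == BACNET_IP_PORT
              and router_ip not in (src_ip, dst_ip)):
            # BACnet/IP on the IT side should only involve the router's address.
            findings.append((flow, "BACnet/IP on the IT network not involving the router"))
    return findings


if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(flow, "->", reason)
```
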

Empowering Operators and Ensuring Ongoing Resilience

A secure and resilient system is not just about the technology—it's also about the people who operate it. Specifiers must ensure that the tools provided empower operators rather than overwhelm them.

  • Demand Intuitive, Visual Interfaces: A system's interface should make complex building systems easy to understand and manage. Look for platforms with high-definition, factory-generated graphics and point-and-click navigation. An intuitive interface can support operators in responding quickly and confidently, potentially improving response times and contributing to operational efficiency.
  • Mandate Comprehensive Training and Documentation: Specifiers must require comprehensive documentation and training to be provided for building operators. This training should cover cybersecurity best practices and the specific security features of the system.
  • Specify a Proactive Security Stance: Security is not a one-time event; it's an ongoing process. Specify systems that allow for automatic security updates and patching to address new vulnerabilities promptly. Furthermore, require independent, third-party security audits and penetration testing to validate the effectiveness of the security controls and identify any remaining vulnerabilities.

By incorporating these actionable insights into your specifications, you can lead the industry in creating automation systems that are not only efficient but also secure, resilient, and ready for the challenges of tomorrow. Your expertise in this important area can support the protection of your clients' assets, their people, and their reputation - ultimately contributing to a safer and more resilient built environment.


References

[i] Cost of a Data Breach Report 2025: The AI Oversight Gap (think report). (2025). https://www.ibm.com/downloads/documents/us-en/131cf87b20b31c91