ControlTalk Now: Building Automation Controls and Cybersecurity in Buildings with Osman Saleem

Join us for Episode 423 of Controltalk Now, where we dive into the world of smart buildings and building automation controls  with our special guest, Osman Saleem. An expert in OT & IoT Cybersecurity, Smart Building Technology, and Smart Cities, Osman shares his insights on the cutting-edge intersection of building automation controls and cybersecurity.

In this exciting episode, we explore IoT and OT cybersecurity, delving into the current landscape and challenges in the industry. Osman sheds light on building automation controls best practices around cybersecurity, providing invaluable tips and guidance on how to make buildings and building automation control systems safer from cyberattacks.

Introduction to Cyber Security and Building Automation Controls

Definition of Cyber Security

In the digital age, protecting sensitive information and systems from unauthorized access, damage, or disruption is paramount. Cyber security refers to practices, measures, and technologies designed to safeguard computer systems, networks, and data from potential threats posed by malicious actors or unauthorized activities.

It encompasses various disciplines such as network security, endpoint protection, data encryption, access control mechanisms, incident response planning, and user awareness training. The ultimate goal is to ensure confidentiality, integrity, and availability of information resources in an ever-evolving landscape of cyber threats.

Definition of Building Automation Controls

Building automation controls refer to the technology infrastructure that enables centralized monitoring and control over various systems within a building. These systems include HVAC (Heating, Ventilation, and Air Conditioning), lighting controls, access control systems (ACS), fire alarm systems (FAS), elevators, and escalators management systems (EMS), among others. Building automation controls integrate these disparate systems into a cohesive framework that allows facility managers to optimize operational efficiency while enhancing occupant comfort and safety.

The core components of building automation controls consist of sensors that collect data on environmental conditions within the building environment (temperature, humidity levels) and actuators that respond based on input received from the sensors (adjusting HVAC settings or turning lights on/off). Additionally, controllers provide centralized management for all connected devices, while Supervisory Control and Data Acquisition (SCADA) systems enable real-time monitoring and remote controlling capabilities.

Importance of Cyber Security in Building Automation Controls

With buildings becoming increasingly intelligent through advanced automation technologies and interconnectedness driven by Internet of Things (IoT) devices within these control networks pose significant cybersecurity risks if left unprotected. A successful cyber attack on building automation controls can have severe consequences ranging from compromising the comfort and safety of occupants to causing physical damage, financial loss, and even endangering lives.

Building systems are now vulnerable to many cyber threats, such as unauthorized access, data breaches, ransomware attacks, rogue command injection, or system malfunctions caused by malicious activities. Therefore, implementing cyber solid security measures is imperative to mitigate these risks and ensure the reliable operation of critical building infrastructure.

By prioritizing cyber security within building automation controls, organizations can protect valuable assets and sensitive data while maintaining a safe and functional environment for occupants. In the following sections of this article, we will delve deeper into the threat landscape faced by building automation controls and explore vulnerabilities within legacy systems.

Furthermore, we will discuss best practices that organizations can adopt to secure their building automation controls from potential cyber-attacks. Understanding the risks and taking proactive measures to enhance security posture makes it possible to harness the benefits of interconnected technologies while safeguarding against emerging threats in this ever-evolving digital landscape.

Overview of Cyber Security in Building Automation Controls

Understanding the Threat Landscape

The world of building automation systems (BAS) is not exempt from the ever-evolving threat landscape of cyber security. As technology advances, so do the tactics used by malicious actors seeking to exploit these systems’ vulnerabilities.

Common cyber threats targeting building automation systems include but are not limited to:

  • Malware: malicious software designed to infiltrate and compromise components, often spread through phishing emails or infected devices.
  • Distributed Denial-of-Service (DDoS) Attacks: overwhelming a bas network with a flood of requests, rendering it unable to function properly.
  •  Insider Threats: employees or authorized personnel intentionally or unintentionally compromising system security by misusing privileges or falling victim to social engineering attacks.
  • Eavesdropping and Unauthorized Access: unscrupulous individuals intercepting communication between bas components, gaining unauthorized access to sensitive data or control over critical functions.

Some potential consequences include:

Destruction or Damage: an attacker gaining control over critical systems may manipulate machinery, leading to physical destruction or damage within the building.

1. Safety Hazards: a compromised building automation system may fail to respond appropriately during emergencies, putting occupants’ lives at risk due to malfunctioning fire suppression systems, compromised access control, or inadequate ventilation.
2. Data Breaches: attackers can access sensitive data, such as personally identifiable information or confidential business plans, leading to financial losses and reputational damage.
3. Economic Impacts: a cyber attack on building automation controls can disrupt normal operations, resulting in significant downtime and financial losses due to decreased productivity and increased maintenance costs.

Key Components of Building Automation Controls

One must understand the key components involved to fully comprehend cyber security’s role in building automation controls. These components form an intricate network that ensures the smooth functioning of automated processes within a building. The main elements include:

Sensors and Actuators

Sensors serve as the eyes and ears of a building automation system. They collect data from various sources like temperature, motion detectors, occupancy, and light sensors. Actuators, on the other hand, are responsible for executing commands based on the received sensor data.

They control devices such as motors, valves, relays, dampers, and lights. Together these components provide real-time feedback for decision-making processes within a BAS.

Controllers and Supervisory Control and Data Acquisition (SCADA) Systems

Controllers are the brain behind building automation systems by processing sensor data from various sources. They monitor conditions within a building’s environment and make decisions to optimize energy consumption or regulate equipment performance based on predefined algorithms or user-defined rules. SCADA systems play a vital role in large-scale BAS implementations by providing centralized monitoring and control capabilities over distributed controllers.

Communication Protocols and Networks

Building automation controls rely heavily on communication protocols to enable seamless interaction between different components within the system. Standard protocols used in these systems include BACnet, Modbus, LonWorks, and KNX. These protocols define the standards for transmitting data, ensuring interoperability between devices from different manufacturers.

The underlying network infrastructure provides the backbone for securely transmitting data between various components. By understanding how these components interact and function in building automation controls, we can better appreciate the critical nature of implementing robust cyber security measures to protect against potential threats.

Inherent Risks in Legacy Systems

Legacy systems, referring to older technology and infrastructure still in use, pose significant vulnerabilities in building automation controls. One of the primary risks associated with legacy systems is the prevalence of outdated software and firmware.

These systems often run on outdated operating systems or proprietary software that are no longer actively supported by vendors. As a result, security patches and updates are seldom available, leaving these systems exposed to known vulnerabilities.

Furthermore, a lack of encryption mechanisms in legacy systems opens doors for unauthorized access and data breaches. Malicious actors can easily intercept and exploit sensitive information transmitted between components within building automation controls without encryption.

For example, commands sent from controllers to actuators could be intercepted and modified, leading to unauthorized control over critical building functions such as HVAC or access control. Weak authentication methods also contribute to the vulnerability of legacy systems.

Furthermore, a lack of encryption mechanisms in legacy systems opens doors for unauthorized access and data breaches. Malicious actors can easily intercept and exploit sensitive information transmitted between components within building automation controls without encryption.

For example, commands sent from controllers to actuators could be intercepted and modified, leading to unauthorized control over critical building functions such as HVAC or access control. Weak authentication methods also contribute to the vulnerability of legacy systems.

Human Factors

While technological vulnerabilities are a significant concern in building automation controls’ cyber security, human factors cannot be overlooked. One of the most prominent human-related vulnerabilities is insider threats.

Employees with access to building automation controls may intentionally or unintentionally misuse their privileges for personal gain or expose sensitive information. Lack of awareness and training among employees also poses a substantial risk to the security of building automation controls.

Often employees may not fully understand the potential consequences of their actions or lack knowledge regarding best practices for maintaining cyber security measures. This lack of awareness makes them susceptible to social engineering attacks such as phishing emails or phone calls that trick them into revealing sensitive information or unknowingly executing malicious code.

Addressing these human factors is crucial in fortifying the security of building automation controls. Implementing comprehensive training programs that educate employees about potential cyber threats, the importance of following security protocols, and how to detect and report suspicious activities can significantly reduce the risk posed by human factors.

Recognizing and mitigating vulnerabilities stemming from legacy systems and human factors is imperative to enhance the cyber security resilience of building automation controls. Upgrading outdated software/firmware, implementing encryption mechanisms, and enforcing robust authentication methods are essential to protect against legacy system risks.

Simultaneously, raising employee awareness and providing thorough training can foster a culture of cyber security consciousness within organizations, reducing the likelihood of insider threats or accidental breaches. By addressing these vulnerabilities comprehensively, we can safeguard building automation controls from potential cyber-attacks and ensure a secure environment for occupants.

Best Practices for Securing Building Automation Controls from Cyber Attacks

Implementing Defense-in-Depth Strategies

Defense-in-depth is a crucial approach to fortifying building automation controls against cyber attacks. By implementing multiple layers of security, organizations can significantly reduce the risk of a successful intrusion. Network segmentation is an essential aspect of defense-in-depth, as it involves dividing the building automation system into separate zones or subnetworks.

This isolation prevents unauthorized access to critical systems by containing potential breaches within specific segments. Furthermore, employing Intrusion Detection and Prevention Systems (IDS/IPS) adds an extra layer of security by monitoring network traffic and identifying suspicious activities in real time.

IDS/IPS can automatically trigger responses to mitigate threats, such as blocking malicious IP addresses or disconnecting compromised devices. Defense-in-depth strategies include firewalls, antivirus software, and regular patch management.

Firewalls act as a barrier between internal and external networks, controlling incoming and outgoing traffic based on predefined rules. It filters out potentially harmful data packets and helps prevent unauthorized access to critical systems.

Additionally, robust antivirus software is vital in detecting and eradicating malware from the building automation controls environment. Regular patch management ensures that all software and firmware are up-to-date with the latest security patches provided by vendors, effectively closing known vulnerabilities.

Secure Remote Access Management

In today’s interconnected world, remote access management is indispensable for efficiently operating and maintaining building automation control systems. However, it also introduces potential entry points for cyber attackers if not properly secured.

Implementing two-factor authentication for remote access is an effective measure to enhance security. This authentication process requires users to provide two separate forms of identification before gaining access to the system—for example, combining a password with a biometric scan or a unique code from a physical token device.

Virtual Private Networks (VPNs) are highly recommended to secure remote connections further. VPNs create a private, encrypted tunnel over a public network, allowing authorized individuals to securely access the building automation controls system.

By encrypting data during transit, VPNs protect sensitive information from interception or manipulation by cyber attackers. Additionally, they provide an extra layer of identity verification by requiring users to authenticate themselves through VPN credentials.

Regular Risk Assessments and Audits

Regular risk assessments and audits are crucial for maintaining optimal security in building automation controls systems. Penetration testing, or ethical hacking, is vital in identifying vulnerabilities before malicious actors can exploit them.

Qualified professionals simulate real-world attack scenarios to identify weaknesses in the system and propose remediation measures accordingly. Organizations can implement appropriate security measures to prevent cyber attacks by proactively uncovering potential risks and vulnerabilities.

Furthermore, compliance with industry standards is essential to ensure comprehensive protection against cyber threats. Adhering to guidelines such as those outlined in NIST SP800-82 provides organizations with a baseline for establishing effective security practices for building automation control systems.

Compliance improves the system’s overall resilience and enhances trust among stakeholders by demonstrating a commitment to cybersecurity best practices. By implementing these best practices – defense-in-depth strategies, secure remote access management, regular risk assessments, and audits – organizations can significantly enhance their ability to protect building automation controls systems from potential cyber-attacks.

Safeguarding critical infrastructure becomes paramount when considering the potential consequences of a successful intrusion. Taking proactive steps now will ensure the stability and reliability of these systems while maintaining public safety and operational efficiency in the face of evolving cyber threats.


Controltrends can recommend the following as competent resources for risk assessments, audits and cybersecurity consulting:

Osman Saleem

Fred Gordy

Rob Murchison


As discussed in my interview with Osman Saleem, the Importance of Cyber Security in Building Automation Controls
Cyber security in building automation controls is paramount due to these systems’ increasing connectivity and complexity. As buildings become “smarter” with advanced automation technologies, they become more vulnerable to cyber-attacks.

The potential consequences of a successful cyber attack on building automation controls are far-reaching, including disruption of critical services, compromise of sensitive data, and even endangering people’s safety. Therefore, organizations must prioritize implementing robust cybersecurity measures to safeguard their building infrastructure.

Addressing Vulnerabilities and Implementing Best Practices
Recognizing the vulnerabilities in building automation controls is the first step toward securing these systems. Legacy systems with outdated software and firmware pose significant risks as they may lack the necessary security features or updates. Weak authentication methods and insufficient employee training can also open doors for attackers.

However, effective strategies can be adopted to mitigate these risks. Implementing a defense-in-depth strategy is crucial in securing building automation controls.

This involves layering multiple security measures such as network segmentation, intrusion detection systems (IDS/IPS), firewalls, antivirus software, and regular patch management. Organizations can significantly enhance their overall security posture by combining these measures at different levels within the system architecture.

Secure remote access management is another vital aspect that needs attention. Enforcing two-factor authentication for remote access ensures that only authorized personnel can connect to critical systems remotely.

Virtual Private Networks (VPNs) offer secure connections by encrypting communication channels between remote users and the building automation controls network. Regular risk assessments and audits are indispensable for maintaining a robust cyber security posture over time.

Conducting penetration testing helps identify vulnerabilities before they are exploited by malicious actors, enabling proactive remediation efforts. Compliance with industry standards such as NIST SP800-82 provides a framework for organizations to assess and improve their cyber security practices.

The Way Forward

Building owners, facility managers, and IT professionals must continually adapt their approach to cyber security in building automation controls in a rapidly evolving digital landscape. Organizations can effectively combat cyber threats by staying informed about emerging threats, investing in robust security measures, and promoting a culture of employee awareness and training. With vigilant efforts and the implementation of best practices, building systems can operate securely and efficiently, contributing to safer environments for occupants.

While the challenges posed by cyber security in building automation controls are significant, the potential rewards are equally great. By embracing advanced security technologies and adopting proactive strategies, organizations have the power to protect critical infrastructures from malicious attacks.

Building owners can have peace of mind knowing that their facilities are safeguarded against unauthorized access or disruption. As technology advances rapidly, so must our dedication to securing our built environments.

*new customers only, certain restrictions may apply.


One Response

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay In The Know. Join The Control Trends Newsletter.