Intelligent building systems: security and facility professionals’ understanding of system threats, vulnerabilities and mitigation practice

  • David J. BrooksEmail author
  • Michael Coole
  • Paul Haskell-Dowland
Original Article


Intelligent Buildings or Building Automation and Control Systems (BACS) are becoming common in buildings, driven by the commercial need for functionality, sharing of information, reduced costs and sustainable buildings. The facility manager often has BACS responsibility; however, their focus is generally not on BACS security. Nevertheless, if a BACS-manifested threat is realised, the impact to a building can be significant, through denial, loss or manipulation of the building and its services, resulting in loss of information or occupancy. Therefore, this study garnered a descriptive understanding of security and facility professionals’ knowledge of BACS, including vulnerabilities and mitigation practices. Results indicate that the majority of security and facility professionals hold a general awareness of BACS security issues, although they lacked a robust understanding to meet necessary protection. For instance, understanding of 23 BACS vulnerabilities were found to be equally critical with limited variance. Mitigation strategies were no better, with respondents indicating poor threat diagnosis. In contrast, cybersecurity and technical security professionals such as integrators or security engineering design professionals displayed a robust understanding of BACS vulnerabilities and resulting mitigation strategies. Findings support the need for greater awareness for both security management and facility professionals of BACS vulnerabilities and mitigation strategies.


Intelligent Smart Cybersecurity Risk Threat Mitigation Professional Convergence 



This article was made possible by research funding and membership participation from the ASIS Foundation, the Security Industry Association (SIA), and the Building Owners and Managers Association (BOMA). The research Report: Brooks, D. J., Coole, M., Haskell-Dowland, P., Griffith, M., & Lockhart, N. (2018b). Building automation & control systems: An investigation into vulnerabilities, current practice & security management best practice.


  1. Assante, M.J., and Lee, R.L. 2015. The industrial control system cyber kill chain. Singapore: SANS Institute.
  2. Brooks, D.J. 2013. Security threats and risks of intelligent building systems: Protecting facilities from current and emerging vulnerabilities. In. Securing critical infrastructures and critical control systems: Approaches for threat protection, ed. Christopher Laing, Atta Badii and Paul Vickers (pp. 1–16). IGI Global. ISBN 978-14-66626-59-1.Google Scholar
  3. Brooks, D.J., M. Coole, and P. Haskell-Dowland. 2018a. Intelligent building management systems: Guidance for protecting organizations. Alexandria, VA: ASIS Foundation.Google Scholar
  4. Brooks, D.J., M. Coole, P. Haskell-Dowland, M. Griffith, and N. Lockhart. 2018b. Building automation & control systems: An investigation into vulnerabilities, current practice & security management best practice. Alexandria, VA: ASIS Foundation.Google Scholar
  5. CIBSE. 2000. Building control systems: CIBSE guide H. Oxford: Butterworth-Heinemann.Google Scholar
  6. Frost and Sullivan. 2008. Bright green buildings: Convergence of green and intelligent buildings.
  7. Granzer, W., F. Praus, and W. Kastner. 2009. Security in building automation systems. IEEE Transactions on Industrial Electronics 57 (11): 3622–3630.Google Scholar
  8. High Performance HVAC. 2017. Building automation systems.
  9. ISO. 2004. ISO 16484-2 Building automation and control systems (BACS): Part 2 hardware. Geneva: International Organization for Standardization.Google Scholar
  10. ISO. 2007. ISO/IEC 14908-1 Open data communication in building automation, controls and building management—control network protocol: Part 1 protocol stack. Geneva: International Organization for Standardization.Google Scholar
  11. King, R.O.N. 2016. Cyber security for intelligent buildings. Engineering and technology reference, 1–6, ISSN 2056-4007. 10.1049/etr.2015.0115.Google Scholar
  12. Marketsandmarkets. 2017. Building automation system market by communication technology (wired, and wireless), offering (facilities management systems, security & access control systems, and fire protection systems), application, and regionglobal forecast to 2022 (SE2966).
  13. Parasuraman, R., and V. Riley. 1997. Humans and automation: Use, misuse, disuse, abuse. Human Factors: The Journal of the Human Factors and Ergonomics Society 39 (2): 230–253. Scholar
  14. Sall, I. 2017. Does IoT mean the death of the BMS?
  15. Schneider Electric. 2015. Guide to open protocols in building automation. Andover, MA: Schneider Electric.
  16. Shang, W., Q. Ding, A. Marianantoni, J. Burke, and L. Zhang. 2014. Securing building management systems using named data networking. IEEE Network 28 (3): 50–56. Scholar
  17. Sharples, S., V. Callaghan, and G. Clarke. 1999. A multi-agent architecture for intelligent building sensing and control. Sensor Review 19 (2): 135–140. Scholar
  18. Simpson, J.A., and E.S.C. Weiner (eds.). 1989. The oxford english dictionary, 2nd ed. Oxford: Oxford University Press.Google Scholar
  19. Sinopoli, J. 2012. Security issues with integrated smart buildings.
  20. Technavio. 2016. Global integrated building management systems market 2017-2021.
  21. TMR Analysis. 2017. Commercial building automation market 2016-2024.
  22. Wyman, R. 2017. Consider the consequences: A powerful approach for reducing ICS cyber risk. Cyber Security: A Peer Reviewed Journal 1 (1): 1–17.Google Scholar

Copyright information

© Springer Nature Limited 2019

Authors and Affiliations

  • David J. Brooks
    • 1
    Email author
  • Michael Coole
    • 1
  • Paul Haskell-Dowland
    • 1
  1. 1.Edith Cowan UniversityJoondalupAustralia

Personalised recommendations