
Cybersecurity for Building Automation Systems


©2023 This excerpt is taken from the article of the same name, which appeared in ASHRAE Journal, vol. 65, no. 5, May 2023.

About the Authors
Ron Bernstein is CEO of RBCG Consulting in Encinitas, Calif. He is a voting member of ASHRAE Technical Committee 1.4, Control Theory and Application, and of SGPC, Specifying Building Automation Systems.

Securing building automation systems is a critical aspect of any commercial building design. Building owners, network and system designers, contractors and suppliers all must account for both physical and logical aspects of security. This article provides an overview and identifies the physical and logical considerations for designing a robust security specification.


One initial question that is often asked: Who is responsible for the cybersecurity of the building automation system (BAS)? The answer is somewhat complex because BAS design and implementation cross multiple domains, and responsibilities are spread across varying project entities.

Ultimately, the facility owner is the responsible party for many of the elements of BAS cyber/physical security. The owner must be part of the discussion to ensure a full site risk assessment and security plan are part of the project. The owner is typically made up of a team of professionals with different responsibilities. Depending on the size and scope of the project/owner, that team can include:

  • Facility management;
  • IT manager;
  • Human resources;
  • Legal counsel;
  • Security/risk officer; and
  • Executive management.

This team sets the facility's high-level owner project requirements (OPRs), which are then used by others to create specifications, standards, playbooks and design frameworks. If the owner has multiple buildings in their portfolio, these OPRs typically are consistent from project to project. In many cases, these roles are performed by third-party consultants, contractors or advisors.
