Cybersecurity Protection for Smart Buildings

Building Automation

What is Cybersecurity?

Cybersecurity is the practice of protecting people, systems, and data from cyberattacks by using a mix of technologies, processes, and policies. It guarantees the confidentiality, integrity, and availability of information.

In building automation systems (BAS), cybersecurity focuses on protecting operational technology (OT), such as HVAC, lighting, and other building control systems. These systems are increasingly connected to IT networks, making them vulnerable to:

Brute-force attacks
Denial-of-service
Protocol exploitation

Why is Cybersecurity Important for Building Automation and Smart Homes?

Historically, building systems were designed under the assumption that threats were purely physical—requiring an intruder to be physically present to cause harm. However, with the advent of smart buildings, remote access, and IoT-connected devices, this assumption is no longer valid.

Today, cybersecurity is essential to protect:

Controllers and sensors (e.g. HVAC, lighting, access control)
User data and credentials
Operational continuity and occupant safety

Importantly, the primary target of a cyberattack is often not the building control system itself. Instead, attackers may exploit vulnerabilities in IoT devices or automation systems as entry points to access the broader IT network or to disrupt operations through denial-of-service (DoS) attacks.

Common Cybersecurity Risks in Building Automation and Smart Homes

Brute-Force Attacks:

Repeated password guessing

Denial of Service (DoS):

Overloading systems to cause failure

System Misuse:

Triggering alarms or unauthorized actions

Sabotage:

Altering settings to disrupt operations

Espionage:

Monitoring user behavior or data

Unauthorized intrusion:

Gaining unauthorized access, e.g., unlocking doors

Data Theft:

Stealing passwords or usage data

Key Drivers for Cybersecurity in Building Controls

Growth of Smart Buildings
As buildings become smarter and more connected, their potential attack surface increases. Systems like HVAC, lighting, access control, and energy management are now IP-enabled, making them vulnerable to cyber threats if not properly secured.
Customer Trust and Market Expectations
Security plays a crucial role for planners, installers, and end users. A breach can harm the reputation and erode trust.
Operational Continuity and Safety
Cyberattacks on building systems can cause service disruptions, damage equipment, or even harm people. Maintaining system availability and integrity is vital for occupant safety and business continuity.
IT/OT Convergence
The merging of Operational Technology (OT) with IT networks introduces new risks. Building control systems must now comply with enterprise cybersecurity policies, including network segmentation, access control, and monitoring.

Legacy System Vulnerabilities
Many existing building systems use protocols without encryption or authentication. Upgrading to secure protocols and implementing proper network segmentation are critical to reducing these risks.
Remote Access and Maintenance
Remote diagnostics and updates are useful but can also pose risks. Secure remote access methods, such as VPNs and multi-factor authentication, are essential to prevent unauthorized access.
Cyber-Physical Threats
Building systems are increasingly targeted not just for data theft but as entry points into broader IT networks or for sabotage (e.g., disabling alarms, unlocking doors). This makes them high-value targets for attackers.
Regulatory Compliance
With regulations like the EU Cyber Resilience Act (CRA), NIS2, and GDPR, cybersecurity has become a legal requirement for building automation systems. These frameworks require secure design, vulnerability management, and incident response capabilities.

Tips for Planning Secure Building Automation

Building Automation and Control Systems (BACS) are essential for improving building efficiency by automating technical functions such as heating, ventilation, lighting, and security. As these systems increasingly integrate IT and industrial automation technologies, cybersecurity has become a critical concern due to evolving risks, changing laws, and heightened awareness.

Cybersecurity in Planning, Tendering, and Operation

Effective cybersecurity begins in the planning and tendering phases, even though tenants and end users may be unknown during construction. Proper documentation, network segmentation, and system design that keep functionality local help mitigate complexity and improve security. Monitoring strategies must be established to detect faults and breaches promptly. Role and authorization management systems should be implemented early to control user access and permissions, avoiding shared accounts and unauthorized entry.

IT and OT Network Considerations

BACS cybersecurity involves coordination between IT (Information Technology) and OT (Operational Technology) stakeholders, who often have differing priorities. IT networks focus on confidentiality, integrity, and availability of data, while OT networks prioritize availability, safety, and integrity of physical processes. Aligning these priorities and clearly assigning responsibilities is essential for effective cybersecurity management.

Assessment and Responsibilities
Clear assignment of responsibility and accountability among stakeholders, including system integrators and contractors, ensures effective risk management and decision-making throughout the system lifecycle.

Network Segmentation and Management

A robust OT security strategy must define architecture, network segmentation, patch and asset management, emergency management, and risk assessment. Network segmentation isolates BACS components into secure zones, controlling communication between segments via firewalls and access control lists. Micro-segmentation is recommended for isolating less secure devices or legacy systems.

Conclusion

A fault-resilient BACS with strong segmentation, distributed control, and local functionality not only ensures operational reliability but also provides robust defense against cybersecurity threats. Systems like ABB’s i-bus KNX exemplify this approach by minimizing vulnerabilities and enhancing overall security.

Tips for Making KNX Systems more Cybersecurity Resilient

The first line of defense against cybersecurity threats is a well-designed and fault-resilient building control system. If the system is well-segmented, there are no central points of failure, and the control functionality is distributed and kept as local as possible. This approach minimizes vulnerability and enhances the overall security of the automation solutions, such as those offered by ABB’s KNX systems. Ensuring robust segmentation and local control can significantly reduce the risks associated with cyber attacks.

To achieve this, the design of the systems needs to also focus on fault and cyber resilience needs. Already at the planning stage, the two implementations of KNX Secure should be considered and evaluated for how to best meet the network setup and security requirements:

KNX IP Secure: Protects communication over IP networks
KNX Data Secure: Secures telegrams on twisted pair (TP) networks

Here are a few points to consider before starting the KNX Secure project:

Device Compatibility
Mixed systems (secure and plain devices) are possible but require careful planning to avoid security gaps. An overview of which devices support KNX Secure should be obtained as early as possible in the planning process.

ETS Requirements
ABB recommends using ETS 6.x or higher to configure KNX Secure devices.

Ensure the project file is protected with a password and backed up securely

Firmware and Software Updates
Keep all devices and ETS software up to date to patch vulnerabilities and support the latest security features.

With KNX Secure, the engineering workflows need to adapt. We have prepared some content and a guide to support you during planning and commissioning:

KNX Cybersecurity Hardening Guide:

KNX Cybersecurity Hardening Checklist:

KNX Secure Technical Details:

Working with KNX Secure:

KNX Secure

KNX Secure enhances the KNX standard by adding mechanisms to protect data from unauthorized access and ensure the integrity of transmitted information. It is a manufacturer-independent standard that employs end-to-end encryption (ISO 18033-3, e.g., AES 128 CCM) to secure KNX communication.

The KNX Secure technology provides protection for various use cases:

Access to the KNX system via the IP network (KNX IP Secure)
Configuration of devices in the installation (KNX Data Secure, KNX IP Secure Device Management)
Real-time communication between applications (KNX Data Secure)
KNX communication over IP networks (KNX IP Secure Routing)
Network segmentation is essential for enhancing the resilience of the KNX system against cybersecurity threats and technical faults. With the introduction of the Secure Proxy, KNX Router, and Couplers, customers can keep existing KNX Plain devices and selectively upgrade parts of their system with KNX Secure components. This avoids the need for a complete system overhaul and lowers initial costs.

Key Features

End-to-End Encryption:

Only authorized devices can access or modify data

Authentication:

Verifies device identities to prevent spoofing

Tamper Protection:

Detects and blocks altered or replayed messages

Backward Compatibility:

Coexists with non-secure KNX devices in the same installation

KNX IP Secure

KNX IP Secure enables the secure transmission of KNX telegrams through KNX IP routers or interfaces, making it ideal for existing systems where full conversion to KNX Data Secure is not feasible.

Key Benefits and Features:

Enhanced Security: Encrypts communication over IP, protecting against eavesdropping and tampering while ensuring data integrity and authenticity through advanced cryptographic methods
Futureproof: Complies with international security standards e.g., ISO 18033−3, to meet rising cybersecurity demands in smart buildings and critical infrastructure
Seamless Integration: Fully compatible with existing KNX installations, allowing integration into new and retrofit projects without major changes. Works alongside standard KNX and KNX Data Secure TP communication
Secure Remote Access: Facilitates secure remote configuration and monitoring of KNX systems via IP networks, including the internet
Protection Against Common Threats: Defends against man-in-the-middle attacks, replay attacks, and unauthorized access

KNX Data Secure

KNX Data Secure employs encryption technology to prevent unauthorized interception or manipulation of data, safeguarding user privacy and reducing security risks. Configuration occurs during the commissioning of KNX Secure devices via ETS.

KNX Secure devices transmit authenticated and encrypted data using an extended KNX telegram format (Extended Frames), which does not affect device response speed. Both KNX Plain and Secure devices can coexist in the same installation, supporting both communication types, though secure and non-secure communication cannot share the same communication object. The ETS project specifies which group addresses use secure or plain communication.

Key Benefits and Features:

End-to-End Encryption: Data is encrypted from sender to receiver, ensuring intercepted messages remain unreadable and unaltered
Authentication: Devices verify each other’s identities, preventing unauthorized access to the network
Integrity Protection: Ensures data integrity during transmission using cryptographic checksums (Message Authentication Codes)
Extended Frames: A modified telegram format carries encrypted payloads while remaining backward-compatible with existing KNX infrastructure

Implementation Steps:

A building control system designed to be resilient against localized failures inherently possesses resilience against cybersecurity threats. This is because many cybersecurity threats aim to exploit system vulnerabilities, potentially leading to errors and faults. The primary distinction is that while localized failures stem from physical issues within the system or environment, cybersecurity threats originate from remote attackers attempting to compromise the system. Therefore, implementing robust security measures can enhance the overall reliability of the building control system against both types of challenges.

Designing KNX Systems to be Fault Resilient

Segmentation: Structure the system into smaller subsystems, KNX lines, to contain faults. This approach ensures that any issues remain localized and do not affect the entire system.
Avoiding Central Points of Failure: Distribute control functions across various components rather than relying on a central hub. This reduces the risk associated with a single point of failure. This is and has always been a strength of KNX.
Local Control Functions: Implement local control mechanisms within each subsystem. This enhances operational reliability, as each segment can function independently if another part fails.

Secure IP Communication with KNXnet/IP Secure

To protect against remote hacking attempts, it’s crucial to secure the IP interface of your building control system. Implementing KNX IP Secure can enhance security by encrypting communication, ensuring that data transferred between devices is protected from unauthorized access.

Cybersecurity Regulations

Cybersecurity regulations are increasingly being implemented worldwide, often in alignment with standards from organi-zations like NIST and EU bodies. While efforts are underway to harmonize these standards, regional differences persist. This section focuses on the European regulatory framework, highlighting key regulations that impact the building control industry and emphasizing the importance of consulting local ABB experts for specific guidance.

Cyber Resilience Act (CRA)

The Cyber Resilience Act aims to enhance the cybersecurity of all digital products sold in the EU, including smart devices, software, and building control systems. It establishes mandatory cybersecurity requirements for manufacturers throughout a product's lifecycle, from design to end-of-life. The Act came into force on December 10, 2024, with main obligations effective from December 11, 2027.

Key Provisions:

Cybersecurity Rules: Establishes rules for products with digital elements to ensure their cybersecurity
Design and Production Requirements: Outlines essential requirements for the design, development, and production of digital products
Vulnerability Handling: Mandates processes for managing vulnerabilities during a product's expected usage
Market Surveillance: Includes monitoring and enforcement of compliance with cybersecurity requirements

Customer Benefits:

Enhanced protection from cyber threats, as all connected products must meet cybersecurity standards
Timely security patches and updates throughout a product's lifecycle, reducing vulnerability risks
Products bearing the CE marking must conform to the CRA, allowing customers to assume products are secure unless stated otherwise

More information on the CRA: digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act

General Data Protection Regulation (GDPR)

the GDPR is a comprehensive data privacy law enacted by the European Union. It is one of the strictest privacy and security laws globally.

The GDPR applies to all organizations that process personal data of individuals in the EU. Personal data includes any information that can identify a person, such as names, email addresses, IP addresses, and behavioral data. Organizations must have a valid reason to collect or process data, and customers must provide consent. Organizations must clearly communi-cate how they use personal data and document their compliance efforts.

In KNX systems, personal data is typically not stored, except in visualizations and gateways, which may contain data like email addresses. If these components are supplied under a commercial contract that specifies what personal data is stored and how it is used, GDPR requirements can be met.

More information on the GDPR: digital-strategy.ec.europa.eu/en/policies/digital-privacy

NIS2 Directive: Securing Network and Information Systems

The NIS2 Directive mandates that EU member states establish cybersecurity risk management requirements at the national level for critical sectors, including digital infrastructure, energy, transport, and healthcare.

NIS2 policy aims to increase the cyber resilience of critical infrastructures and key companies across the EU. It requires certain companies and organizations to take comprehensive measures to protect their networks and IT systems.

NIS 2 establishes clear accountability for cybersecurity compliance and reporting at the senior management level. The Act mandates robust governance, transparency, and comprehensive documentation to demonstrate ongoing adherence.

Organizations must adopt an all-hazards approach to safeguard networks, information systems, and their physical environments from potential incidents. A comprehensive network and information systems security policy should be implemented, encompassing all relevant systems, assets, and procedures.

More information on NIS2: digital-strategy.ec.europa.eu/en/policies/nis2-directive

ABBs Commitment to Cyber Security

At ABB, we are deeply committed to enhancing cybersecurity across all our products and solutions. We recognize the growing importance of protecting digital infrastructures from cyber threats and are dedicated to supporting our custom-ers in navigating these challenges. By providing secure, high-quality products that meet cybersecurity standards, we aim to prevent potential risks and safeguard your systems.

ABBs vulnerability process

How customers can view or report Common Vulnerabilities and Exposures (CVEs) to ABB