
Externalization and Ownership of Cybersecurity for (Smart) Buildings

Vitor Jesus a*, Jason Xianghua Gao a,b, Victor Chang a*

a Cybersecurity, Information System and AI Research Group, Aston Business School, Birmingham, United Kingdom
b School of Computing, Engineering and Digital Technologies, Teesside University, Middlesbrough, United Kingdom

Email: v.jesus@aston.ac.uk; X.Gao@tees.ac.uk / gaoxianghua218@gmail.com; victorchang.research@gmail.com / v.chang1@aston.ac.uk
*: Corresponding Author

Abstract. Building Automation Systems and Smart Buildings are increasingly common due to energy efficiency or occupant comfort requirements. Whereas Buildings were early adopters of networked automation, we see that cybersecurity, across its components, has been lagging, which is made more challenging by the fast convergence with conventional IT technologies such as the Cloud. A different problem is that the rich set of products and services offered in the IT market seems not to be available for Buildings. This paper revisits cybersecurity for Buildings from the perspective of stakeholders in order to identify the ownership of processes. After holding interviews, we identify the key stakeholders involved in Building Management and lay out the key relationships. From there, we use Responsible-Accountable-Consulted-Informed (RACI) matrices to map out ownership and roles for Cybersecurity. Our key conclusion is that we find ownership unclear, a problem that may be hindering the maturity of the sector.

Keywords: Cybersecurity, Managed Security Services, Smart Buildings, IoT, Facilities Management

1 Introduction

We spend more than two-thirds of our lives indoors and the lion’s share of that is inside office buildings, if we are to discount pandemic times. Yet, we often fail to notice how even the humblest of all buildings built in the last 40 years is a complex system with interesting technology. Ambient temperature, door access control, air quality sensors, lifts, security, etc., are now common – often mandated – across the built environment. In older builds, these systems tend not to be integrated, although some level of intelligence and central control always exists. These are commonly known as Building Management Systems (BMS) or, somewhat interchangeably, Building Automation Systems (BAS).

They are not new. BACnet, a common BMS networking protocol, was designed in the 1990s and has had widespread deployment. New builds are increasingly smart, with embedded technologies such as Artificial Intelligence or the Internet-of-Things. A modern building for just a few hundred occupants will already have a central room where most of the building can be monitored and controlled from a single point that could even be remote or on the Cloud.

Modern buildings rely even more on technology, raising the concept of "Smart
Building". Even though the upfront cost of construction is higher, Smart Buildings
quickly recover the investment given their energy efficiency, cost-effective
maintenance, convenient occupancy, and safety. We now see touch-screen walls,
smart parking systems, zonal climate control, localized tone lighting, robots, etc.
Smart buildings are also much better integrated (and, crucially, connected) with their
surroundings and the Cloud. Especially with BIM (Building Information
Management), with increasingly demanding mandates in the UK and EU, Smart
Buildings also enable a new paradigm in technology called Digital Twins [1.], where
physical objects or processes have a fully digital representation.

Such a bright indoor future has, nevertheless, a looming shadow: cybersecurity. The vast gains in convenience, efficiency and safety bring technical complexity; with complexity, cybersecurity risks rise in spectrum and severity. It is not difficult to imagine the impact of malicious activities, which can lead up to a loss of human life. A notable early example was the compromise of the water systems of a large Google building in Australia in 2013¹ (fortunately, by security researchers); a more recent example, in Germany in 2021, showed how malicious actors were able to hijack and disable most sensors inside a building², a phenomenon sometimes called siegeware. This is nothing more than ransomware for buildings or the wider industrial automation systems.

Even though the Built Environment is not commonly categorized under Critical National Infrastructure (CNI), it directly supports CNI. Note that disrupting a datacenter can impact national computing infrastructure, and the unavailability of a hospital building can directly lead to loss of life. It can further lead to non-compliance, including liabilities up to safety negligence. These risks are further aggravated by the fact that breaches may be difficult to detect quickly. Data Protection, often not associated with spaces, is also a rising consideration.

More dramatically, due to richer connectivity, the building infrastructure can also be the entry point or foothold for a wider attack on the core IT. In 2013, Target in the US was the victim of a large cyberattack³ where personal data and credit card numbers were stolen. It is a particular incident as the attack vector was a breach of a third-party supplier/maintainer of HVAC systems. It is unclear how this led to a breach in the payments system, but it is possible that the two networks were connected, and criminals were able to hop between the two subsystems.

¹ https://www.wired.com/2013/05/googles-control-system-hacked/
² https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems
³ https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/

Despite wide recognition of the problem, current approaches mostly focus on siloed technical or subsystem aspects of security and not on the complex business dynamics that, we argue, can play an equally important role. To this end, this paper discusses Cybersecurity for BMSes from a stakeholders’ angle. We report on an exercise of identifying stakeholders and then mapping ownership. In Section 2, we review the concept of BMS and discuss related work, so as to draw attention to the fact that a significant problem is how the market is organized. In Section 3, we develop a stakeholder analysis and, in particular, run a RACI (“responsible, accountable, consulted, and informed”) matrix mapping roles to stakeholders and cybersecurity domains. Section 4 concludes our paper.

2 Building Management Systems

BMSes consist of the set of technologies that allow a Building to become more efficient. Broadly speaking, a BMS is a combination of several subsystems, such as Energy Management [2.]. BMSes are complex, distributed [3.] and integrated/connected with the surroundings (e.g., the smart city). BMSes comprise a mix of Industrial Control Systems (ICS), the Internet-of-Things (IoT), as connected sensors and actuators are widely used, and more conventional IT technologies, which include the Cloud. This mix of different technologies and paradigms justifies a unique approach to cybersecurity. Despite the openness and integration with conventional IT technologies, notably the Internet, devices typically communicate and integrate with the wider architecture using specific protocols such as BACnet, KNX, or Modbus [4.].

2.1 BMS subsystems

Fig 1 shows a high-level and generic representation of a typical BMS. It follows a typical ICS architecture where plant devices such as fire sensors or door scanners belong to the lower layers. As we go up, we have communications and progressively abstract systems up to remote/cloud access and Enterprise applications that are, most often, proprietary depending on the vendor of the systems. We can also see typical services such as Historians (to store historical data), Middleware servers to translate different low-level protocols into a single format that a single application can process, and the wider Industrial Control, which is typically a set of Programmable Logic Controllers (PLC).

On the plant side, we have multiple systems. Heating, Ventilation and Air-Conditioning (HVAC) and occupant wellbeing (e.g., monitoring CO2 levels) provide comfort for the human occupiers. We also have lighting control, fire systems and vertical transportation such as lifts and escalators.

All these systems are localized within the premises but physically distributed with sensors and actuators across it, along with communication networks that are normally wired.

Fig 1. The high-level, generic architecture of a BMS.

2.2 Challenges and Related Work

BMSes can be complex systems and are thus highly vulnerable to a wide range of
cyberattacks, some generic (such as compromising common IT functions such as web
servers) and some specific situations, such as taking advantage of the poor security
design of old automation protocols. This section (1) reviews proposals for BMS
cybersecurity, (2) the security of BMS systems building blocks such as
communication protocols, (3) the challenges arising from the fast convergence of IT
and OT, (4) the lack of suitable standards, and (5) how the cybersecurity market is
structured, particularly when compared to the conventional IT market.

2.2.1 Insecure Systems and Protocols

As mentioned, BMSes fall under the wider family of Industrial Control Systems (ICS, or Industrial IoT, IIoT) or Operational Technologies (OT), combined with IoT and conventional IT, including the Cloud. OT is particularly infamous for being insecure, and incidents can scale up to CNI, such as the power grid. Similarly to the wider OT, buildings use specific technologies that, regardless of convergence with the Internet, will still be specialized; further, old and new technologies will have to co-exist. An immediate example is penetration testing (“pentesting”), which will be different from that of a web server for e-commerce.

The challenges are three-fold. First, we see modern and well-managed devices co-existing with old, long-life devices and technologies [5.], which are difficult and expensive to upgrade, often requiring replacement in bulk for interoperability reasons. Second, as BMSes fully leverage IoT in some form, we see embedded technologies, often resource-constrained (e.g., unable to support strong cryptography) and physically accessible in spaces with poor physical monitoring, such as basements or car parks. Finally, we see a lack or inconsistency of mature security standards in component/protocol and system development. One simple example is how easy it is to launch a Denial-of-Service attack on BACnet [7.], given the way it was originally designed. Due to the difficulty of upgrading, we see its insecure versions still widespread. The problem is not strictly technical, as solutions exist. For example, protocol-specific firewalls and intrusion detection systems have been proposed [8.] [9.], and even honeypots [10.], but these would imply a modification of the whole system and installation. This problem leads us back to operational and market forces.
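The paragraph above points at protocol-specific intrusion detection as one of the existing technical answers for BACnet. The following added example (our illustration, not code from the paper or from any of the cited works) shows what the smallest building block of such a detector looks like: a parser for the BACnet/IP BVLC, NPDU and APDU header octets, followed by a rate-based rule that flags a source emitting an unusual volume of Who-Is discovery broadcasts, which is the traffic pattern a monitoring team would want to see surfaced. It goes slightly beyond the text by also handling NPDU destination/source specifiers and confirmed requests. The frames, source addresses, timestamps, threshold and window are constructed or assumed for the example.

```python
"""Minimal BACnet/IP frame parser plus a rate-based Who-Is flood detector.

Added illustration (not code from the paper). The frames, addresses,
timestamps, threshold and window below are constructed/assumed for the example.
"""
from collections import defaultdict, deque

BVLC_TYPE = 0x81
BVLC_FUNCTIONS = {0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU"}
PDU_CONFIRMED_REQUEST = 0x0
PDU_UNCONFIRMED_REQUEST = 0x1
WHO_IS = 0x08  # unconfirmed service choice for Who-Is


def parse_bacnet_ip(frame: bytes) -> dict:
    """Decode the BVLC header, NPDU control octets and the APDU type/service choice."""
    if len(frame) < 6 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP frame")
    function = frame[1]
    length = int.from_bytes(frame[2:4], "big")
    if length != len(frame):
        raise ValueError("BVLC length field does not match frame size")
    if frame[4] != 0x01:
        raise ValueError("unsupported NPDU version")
    control = frame[5]
    offset = 6
    if control & 0x20:  # destination specifier: DNET(2) DLEN(1) DADR(DLEN)
        offset += 3 + frame[offset + 2]
    if control & 0x08:  # source specifier: SNET(2) SLEN(1) SADR(SLEN)
        offset += 3 + frame[offset + 2]
    if control & 0x20:  # hop count follows the address specifiers
        offset += 1
    result = {"bvlc_function": BVLC_FUNCTIONS.get(function, f"0x{function:02x}"),
              "network_message": bool(control & 0x80),
              "pdu_type": None, "service": None}
    if result["network_message"] or offset >= len(frame):
        return result  # network-layer message: no APDU to inspect
    pdu_type = frame[offset] >> 4
    result["pdu_type"] = pdu_type
    if pdu_type == PDU_UNCONFIRMED_REQUEST and offset + 1 < len(frame):
        result["service"] = frame[offset + 1]
    elif pdu_type == PDU_CONFIRMED_REQUEST and offset + 3 < len(frame):
        result["service"] = frame[offset + 3]  # unsegmented: after max-resp and invoke-id
    return result


class WhoIsFloodDetector:
    """Alert when one source sends more than `threshold` Who-Is frames per window."""

    def __init__(self, threshold: int = 20, window_seconds: float = 1.0):
        self.threshold = threshold
        self.window_seconds = window_seconds
        self._recent = defaultdict(deque)  # source IP -> timestamps inside the window

    def observe(self, src_ip: str, ts: float, frame: bytes):
        try:
            pdu = parse_bacnet_ip(frame)
        except ValueError:
            return None  # malformed or non-BACnet traffic is not this rule's job
        if pdu["pdu_type"] != PDU_UNCONFIRMED_REQUEST or pdu["service"] != WHO_IS:
            return None
        window = self._recent[src_ip]
        window.append(ts)
        while window and ts - window[0] > self.window_seconds:
            window.popleft()
        if len(window) > self.threshold:
            return f"ALERT {src_ip}: {len(window)} Who-Is broadcasts within {self.window_seconds}s"
        return None


# Constructed sample frames: a plain Who-Is broadcast, and a global-broadcast
# Who-Is carrying a DNET=0xFFFF destination specifier and a hop count.
WHO_IS_FRAME = bytes.fromhex("810b0008" "01001008")
WHO_IS_GLOBAL_FRAME = bytes.fromhex("810b000c" "0120ffff00ff" "1008")


def run_sample() -> list:
    """Replay constructed traffic: a quiet workstation and a flooding host (assumed addresses)."""
    det = WhoIsFloodDetector(threshold=20, window_seconds=1.0)
    alerts = []
    for ts in (0.0, 5.0, 10.0):  # assumed well-behaved source
        alerts.append(det.observe("10.0.0.5", ts, WHO_IS_FRAME))
    for i in range(50):  # assumed flooding source: 50 frames in half a second
        alerts.append(det.observe("10.0.0.99", 20.0 + i * 0.01, WHO_IS_GLOBAL_FRAME))
    return [a for a in alerts if a]


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The parser refuses frames whose BVLC length disagrees with the actual size, which is the kind of check a BMS-side sensor needs before any rule logic runs; the detector itself only keys on the source address and a sliding window, so it can be fed from a packet capture or a port mirror without any device-specific knowledge.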

2.2.2 Immature convergence OT/IT

To make matters worse, we have been witnessing a convergence of Operational Technologies (OT), to which BMSes belong, with IT [11.], a rather natural one, as the exclusive use of proprietary or sector-specific technologies is no longer justifiable: the Internet is now the de facto glue technology for communications and interfaces. A sign of rushed convergence is the return of long-gone vulnerabilities such as insecure (embedded) web servers used to configure a device or sensor. We are also seeing hyper-connectivity and cloudification that BMSes are taking advantage of. While this should be promoted, given it greatly facilitates and promotes innovation, systems that were imagined to operate air-gapped are now connected to the Internet. Finally, we see an increase in supply-chain-based attacks: large companies are being compromised via exploiting small suppliers who tend to be less resourced and with which the building manager has established a trusted relationship, often escaping due process.

2.2.3 Inadequate Business Models

Cybersecurity is now an established enterprise need for assurance reasons, compliance, or a competitive advantage. Worldwide, the sector shows increasing levels of funding and mature specialization with unparalleled levels of innovation. However, this is mostly valid for Enterprise cybersecurity. The sector of Smart Buildings still sees the limitations IT saw in the early 2000s. Part of the problem is that the ecosystem is siloed.

On the one hand, we have the problem of ownership of the cybersecurity function, to be discussed later. On the other hand, the market structure is not seeing the level of externalization we see in Enterprise cybersecurity. Externalization greatly benefited cybersecurity over the last decade by commoditizing and dramatically reducing the costs of many components of a modern cybersecurity program. One successful example is Managed Security Services. Running a small internal Security Operations Center (SOC) costs an order of magnitude more than outsourcing, while outsourcing dramatically increases quality due to specialization. Whereas there are similar propositions for Buildings, we see they often come in silos: the building integrator also offers security monitoring with a maintenance contract.

A related problem is the lack of cybersecurity tools and products specifically for buildings, which are different from common IT/Cloud infrastructure. For example, there are many alternatives to automate device inventories for common IT. However, for buildings, such tools barely exist beyond open source, are difficult to maintain, or are localized initiatives [12.]. The problem is partly due to specialized technologies (e.g., protocols such as BACnet, KNX, or Modbus); another barrier is that BMS technologies are not commonly designed to be monitored for security events.

2.2.4 Lack of Specific Standards

Cybersecurity in Buildings further suffers from a lack of industry frameworks. Even though initiatives exist, for the most part, one must stitch together different standards and guidance that are not especially fit for Buildings. Standards such as NIST CSF (or based on SP800-160 [6.]), ISO/IEC 27001, IEC/ISA 62443 [13.] (for the wider ICS case), among others, provide valuable guidance, but there is a sharp need for a specific assurance framework that meets the current/upcoming ecosystem. Two initiatives are noteworthy. One is BSI PAS 1192 [14.], but it concerns more the security of Building Information Systems (BIM) and less the infrastructure and management of buildings. The second is the work of the Internet-of-Things Security Foundation, Smart Built Environment Working Group⁴ [15.]. A standard for Buildings security should ideally be certifiable, so the industry as a whole has the means to define and measure maturity levels. One of the authors, Vitor Jesus, is a contributor to this group, with a comprehensive framework in preparation [15.].

3 Stakeholder Analysis

We now identify the key parties involved in operating a building from the specific angle of Cybersecurity. Considering there are multiple stakeholders and the lack of structure in cybersecurity for BMSes, we are interested in identifying ownership of processes. To this aim, we use RACI matrices, common in Project Management methodologies, and identify who

- should be Responsible for performing the task, usually one or more parties;
- is Accountable, which is the single party that delegates the task to Responsible parties and is ultimately accountable for the quality of the outcome;
- is Consulted, who provides input into the task, often a subject matter expert;
- and is Informed, the parties that should receive updates on the progress of the task.

In the first mapping, we offer an overall cybersecurity analysis by laying out the ownership hypothesis. In the second mapping, we break down the cybersecurity program into common tasks inspired by NIST's Cybersecurity Framework (CSF) [16.] and run a similar analysis.

⁴ https://www.iotsecurityfoundation.org/

3.1 Stakeholders

The Built Environment is rooted in mature, centuries-old business practices that bring
a degree of rigidity and are structured around roles that can be unwelcoming of
change if not in the core business. Cybersecurity needs, thus, to follow existing roles,
culture, and structures. For each building, one can have an interplay of hands-off
ownership roles, local/central governments, Facilities Management (FM, who
effectively runs the building), specialized maintenance contractors and integrators, the
original constructor and dependent sub-contractors, and tenants/occupiers (permanent
or visitors), who may share responsibilities with the FM. Consequently, the ownership
and roles of cybersecurity for Smart Buildings are unclear, making it a daunting
supply-chain security problem. In fact, the biggest pain of cybersecurity for buildings
may lie in the coordination complexity of all parties.

The identification of stakeholders consisted in holding unstructured interviews with experts in activities surrounding the Built Environment:

- Construction businesses (two)
- Facility Managers (two)
- Academics in Built Environment (one in Construction Management and another in Facilities Management)
- Vendors of systems and devices for BMS (two)

The stakeholders are as follows. We start with the Owner, who is the proprietor of the building and, likely, lets it out either to a management agency or directly to occupiers. It often has no role in day-to-day operations and is commonly a financial or real-estate institution. Facilities Management (FM) companies effectively run and maintain the building and premises. A variation of this role is that FM may, themselves, not be hands-on and further delegate tasks to an FM subcontractor (e.g., gardening). The Occupiers, or Tenants, are the parties who use the Building. Two types were identified. One is the tenant letting the whole building with a view to subletting (e.g., offices); the other is the actual occupiers of the building, such as businesses renting office space or residential dwellings. The Builder, and subcontractors, developed the physical building and, beyond contractual maintenance, cease to be a party after the building is handed over to the Owner. The BMS Manager is a further role whose defining feature is having the necessary technical skills to operate the BMS, either as a whole or per subsystem (e.g., HVAC or CCTV). Integrators are those parties who work with Device/System Vendors in order to build a larger BMS subsystem. For example, the CCTV subsystem and the door access control may be supplied by different vendors but integrated into a single monitoring system. The final stakeholder, which is an umbrella and catch-all function, is the wider Supply Chain, ranging from catering teams to the Internet Service Provider. Fig 2 shows how these parties relate to each other.

Fig 2. Relationships between stakeholders

Whereas Building Owners may be the ultimate stakeholders and thus could set out policies and compliance strategies, likely in the form of contractual clauses, FMs seem to be in a privileged position to run a security program and take on an operational role. It is, however, unclear to what extent FM will openly take on this modern vocation [17.], which suggests a new role in the Built Environment industry taking up Cybersecurity. This is connected to the need for externalization, as discussed in the remainder of this paper.

3.2 RACI Matrix: Cybersecurity Roles

Considering the stakeholders we identified, Table 1 shows the result of an exercise of mapping stakeholders to RACI roles of Cybersecurity, taking into account common expectations and the current way Building management is structured, i.e., the commonly expected case. The Building Owner is not expected to be responsible for any cybersecurity tasks beyond setting a mandate and delegation. It is, however, expected to be ultimately accountable for the results. For example, if the building hosts a hospital and thus needs to be compliant with certain regulations (e.g., power supply), should it fail, the liability must fall to the Owner. It may be consulted when major decisions about cybersecurity are taken and certainly informed of its progress and maturity. The FM was considered to be the fittest party to take ownership of cybersecurity – hence a “maybe” or at least “partially” responsible – and could be accountable by delegation of the Owner and certainly consulted and informed. Subcontractors of FM can be responsible for certain tasks and, should it be fully delegated to a specialized party, could be accountable. Since it is a subcontractor, it is not expected to need to be consulted (unless it is an expert party) or informed. The Builder is not expected to have any role in cybersecurity except in the construction phase and a consulting role.

Table 1. Ownership RACI matrix.

Stakeholder               Responsible       Accountable       Consulted   Informed
Building Owner            no                yes               maybe       yes
Facilities Manager        maybe/partially   maybe/partially   yes         yes
Subcontractor of FM       partially         maybe             no          no
Builder & Subcontractors  no                no                yes         no
BMS Manager               yes               yes               yes         no
Occupier                  no                no                yes         yes
Integrator                partially         partially         yes         no
Device/System Vendor      partially         partially         yes         no
Wider Supply Chain        no                no                yes         no

Given the technical element of cybersecurity, the BMS Manager is expected to be key, particularly in Cybersecurity Operations. Furthermore, it can be the most qualified party to interface with Integrators and Device Vendors, who must always be consulted – for example, if a device is found to have a vulnerability that needs to be patched. Finally, the wider Supply Chain is likely to take a generic role in consultation, but this depends on the specific area.

3.3 RACI Matrix: Cybersecurity Domains

We now perform a similar exercise but for cybersecurity domains. As mentioned, there is no established cybersecurity framework for Buildings; however, the existing approaches do not significantly depart from the conventional programs. For the sake of this exercise, we take the NIST CSF framework [18.] to identify the following key areas in a Cybersecurity program for Buildings.

The first, GRC (“Governance, Risk, Compliance”), concerns the overall strategy and project management. It includes senior-level policies, alignment with regulations (e.g., Data Protection) and certifications (e.g., ISO/IEC 27001), and high-level management of Risk. Risk Management concerns the continuous identification, mitigation and verification of risks. Secure Systems encompasses the security of the technical elements, from networking to Industrial Controls of, for example, lifts and escalators. People and Training involves policies and procedures, along with training and awareness. Asset Management keeps track of all assets, from physical objects to data sets and software, which includes updates and disposal. Access Control goes beyond doors and access to spaces to include access to systems. Third-Party Management covers the coordination and verification of third parties, including measures to protect against supply-chain attacks [19.]. Monitoring and Detection consists of continuously observing the infrastructure and people's activity to identify malicious activity. Should an attack have significant impact, Incident Response (IR) and Continuity cover the actions needed to maintain an activity or restore normal operations. Should there be criminal activity, Law Enforcement will be involved with Digital Forensics. Finally, Communications concerns public and stakeholder engagement, such as when a breach happens.

Table 2 shows the result of our exercise. We start by noting that we took the RACI
methodology with great liberty. For example, there should be only one entity
accountable per area. The table should be read, instead, as potential roles and
ownership.

Table 2. RACI matrix for cybersecurity domains. Columns, left to right: Building Owner, Facilities Manager, Subcontractors of FM, Builders & Subcontractors, BMS Manager, Occupier, Integrators, Device/System Vendor.

Domain                   Owner  FM  FM Sub  Builders  BMS Mgr  Occupier  Integrators  Vendor
GRC                      A      R   I       I         C        I         C            C
Risk Management          A      R   I       C         C        I         C            C
Secure Systems           I      A   A       A         R        I         C            C
People and Training      I      A   A       A         A        I         C            C
Asset Management         A      R   C       C         I        I         C            C
Access Control           I      R   C       C         I        I         C            C
Third-Party Management   R      R   I       R         C        I         R            C
Monitoring & Detection   I      R   C       C         R        I         C            C
IR and Continuity        A      R   C       C         R        I         C            C
Digital Forensics        A      R   C       C         R        C         C            C
Communications           A      R   C       C         C        C         C            C
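The text notes that the RACI method was applied with liberty, for instance that there should be exactly one Accountable party per area. The following added example (our illustration, not the paper's own code) encodes Table 2 and runs the two textbook RACI consistency checks over it (exactly one Accountable, at least one Responsible per domain), plus a per-stakeholder load count that makes the FM's coordination role visible. It assumes the eight columns of Table 2 follow the same stakeholder order as Table 1 (Owner, FM, FM subcontractors, Builders, BMS Manager, Occupier, Integrators, Device/System Vendor).

```python
"""Consistency checks over the paper's RACI matrix for cybersecurity domains (Table 2).

Added illustration, not the paper's own code. The column order is assumed to
follow Table 1; the rules checked (exactly one Accountable, at least one
Responsible per task) are the usual textbook RACI rules.
"""
from collections import Counter

STAKEHOLDERS = ["Building Owner", "Facilities Manager", "Subcontractors of FM",
                "Builders & Subcontractors", "BMS Manager", "Occupier",
                "Integrators", "Device/System Vendor"]

# Rows transcribed from Table 2, one letter per stakeholder in STAKEHOLDERS order.
TABLE_2 = {
    "GRC": "A R I I C I C C",
    "Risk Management": "A R I C C I C C",
    "Secure Systems": "I A A A R I C C",
    "People and Training": "I A A A A I C C",
    "Asset Management": "A R C C I I C C",
    "Access Control": "I R C C I I C C",
    "Third-Party Management": "R R I R C I R C",
    "Monitoring & Detection": "I R C C R I C C",
    "IR and Continuity": "A R C C R I C C",
    "Digital Forensics": "A R C C R C C C",
    "Communications": "A R C C C C C C",
}


def parse_matrix(table):
    """Turn the compact rows into {domain: {stakeholder: letter}}, validating shape and letters."""
    matrix = {}
    for domain, row in table.items():
        roles = row.split()
        if len(roles) != len(STAKEHOLDERS):
            raise ValueError(f"{domain}: expected {len(STAKEHOLDERS)} roles, got {len(roles)}")
        if any(r not in "RACI" for r in roles):
            raise ValueError(f"{domain}: unknown RACI letter in {roles}")
        matrix[domain] = dict(zip(STAKEHOLDERS, roles))
    return matrix


def accountability_violations(matrix):
    """Domains breaking the 'exactly one Accountable' rule, mapped to the parties marked A."""
    out = {}
    for domain, roles in matrix.items():
        holders = [s for s, r in roles.items() if r == "A"]
        if len(holders) != 1:
            out[domain] = holders
    return out


def responsibility_gaps(matrix):
    """Domains where nobody is marked Responsible: work that no party is tasked to perform."""
    return [d for d, roles in matrix.items() if "R" not in roles.values()]


def role_load(matrix, stakeholder):
    """How many domains a stakeholder carries under each RACI letter."""
    return Counter(roles[stakeholder] for roles in matrix.values())


def report(table=TABLE_2):
    """Run all checks and return them as one dictionary."""
    matrix = parse_matrix(table)
    return {
        "accountability_violations": accountability_violations(matrix),
        "responsibility_gaps": responsibility_gaps(matrix),
        "fm_load": dict(role_load(matrix, "Facilities Manager")),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run against Table 2 as transcribed, the checks reproduce the paper's own caveat in concrete terms: five domains have either no Accountable party or several, and one (People and Training) has Accountable parties but nobody Responsible for carrying out the work, which is exactly the ownership gap the paper argues hinders the sector.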

Once more, of all parties involved, it is clear that, in the absence of something else,
FM is in the best position to take over most tasks in a Responsible role and some as
the Accountable party, such as Secure Systems, by delegating those tasks to a
combination of technical experts, the BMS Manager and Vendors or Integrators. In
this sense, FM naturally takes a coordination role even if it remains to establish
whether FM is open to taking on this vocation.

Most stakeholders take, quite naturally, an "Informed" role. For example, the
Occupier has reasonable expectations of operating in a secure space and thus should
only be kept informed of any issues. At best, there would be a direct engagement with
Digital Forensics and Law Enforcement and Communications if involving the
Building as a whole.
Cybersecurity Operations, in the sense of Monitoring & Detection and IR & Continuity, could be a task for the BMS Manager, if one is reminded that these tasks involve day-to-day activities, highly specialized people and tools, and continuous execution of procedures. This is the realm of Security Information and Event Management (SIEM), a service/tool long established in IT but that, to the best of our knowledge, does not exist for BMSes. At best, Vendors offer similar services but usually as a bundle with the installation of their own equipment and part of a maintenance contract. The notion of outsourcing Security Monitoring (as in Managed Security Services) seems to be completely absent from BMS.

Nevertheless, the exercise makes clear that Cybersecurity in Buildings has no clear ownership, it being difficult to make anyone Accountable beyond the Owner of the Building who, via contractual means, may waive liability. For example, if the Owner is a Financial institution, it is intuitive to accept that Cybersecurity is an operational aspect of running the building and that the Owner, therefore, has no responsibility.

4 Conclusions and Outlook

We have reviewed the current state of cybersecurity for Buildings and run exercises on identifying ownership of cybersecurity. The clear outcome is that there is no obvious stakeholder for this role, except, perhaps, the Facilities Manager, likely with a specialized third party. Our findings now need to be validated and expanded. The interviews we conducted merely identified stakeholders. Breaking down Cybersecurity in a form aligned with the built environment's processes and standards is now essential. This paper opens a number of research directions, mostly broad, given that Cybersecurity for the Built Environment is still in its infancy, both in Research and Industry. From a technical perspective, integrated security architectures need to be developed that take into account two key aspects: (1) the different subsystems that a BMS consists of, and (2) the constant evolution and merging between paradigms such as legacy BMSes, Internet-based technologies, IoT, and the Cloud. From a practice perspective, existing frameworks need to be adapted, and perhaps expanded, and aligned with the professional practices in the Built Environment. For example, if FM is to take up the role of operational cybersecurity, a framework needs to understand the underlying business models. Furthermore, and quite challenging, a comprehensive framework needs to understand the different phases and the dynamics of the lifecycle of a building, from design to demolition.

References

1. M. Dietz and G. Pernul, "Unleashing the Digital Twin's Potential for ICS Security," IEEE Security & Privacy, vol. 18, no. 4, pp. 20-27, July-Aug. 2020, doi: 10.1109/MSEC.2019.2961650.

2. M. Manic, D. Wijayasekara, K. Amarasinghe and J. J. Rodriguez-Andina, "Building Energy Management Systems: The Age of Intelligent and Adaptive Buildings," IEEE Industrial Electronics Magazine, vol. 10, no. 1, pp. 25-39, March 2016, doi: 10.1109/MIE.2015.2513749.

3. P. Stluka, G. Parthasarathy, S. Gabel and T. Samad, "Architectures and Algorithms for Building Automation—An Industry View," in J. Wen and S. Mishra (eds), Intelligent Building Control Systems, Advances in Industrial Control, Springer, Cham, 2018, https://doi.org/10.1007/978-3-319-68462-8_2

4. P. Domingues, P. Carreira, R. Vieira and W. Kastner, "Building automation systems: Concepts and technology review," Computer Standards & Interfaces, vol. 45, pp. 1-12, 2016, ISSN 0920-5489, https://doi.org/10.1016/j.csi.2015.11.005

5. W. Granzer, F. Praus and W. Kastner, "Security in Building Automation Systems," IEEE Transactions on Industrial Electronics, vol. 57, no. 11, pp. 3622-3630, Nov. 2010, doi: 10.1109/TIE.2009.2036033.

6. NIST, SP 800-160 Vol. 1, "Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems," March 2018.

7. M. Peacock, M. N. Johnstone and C. Valli, "An Exploration of Some Security Issues Within the BACnet Protocol," in P. Mori, S. Furnell and O. Camp (eds), Information Systems Security and Privacy, ICISSP 2017, Communications in Computer and Information Science, vol. 867, Springer, Cham, 2018, https://doi.org/10.1007/978-3-319-93354-2_12

8. V. Lešić, F. Vrbanc, N. Perić, A. Banjac, H. Novak and L. Jelić, "Distributed Optimal Heating Control of a Residential Building Resilient to Cybersecurity Issues," 2021 IEEE 19th International Conference on Industrial Informatics (INDIN), 2021, pp. 1-6, doi: 10.1109/INDIN45523.2021.9557449.

9. A. Antonini, A. Barenghi, G. Pelosi and S. Zonouz, "Security challenges in building automation and SCADA," 2014 International Carnahan Conference on Security Technology (ICCST), 2014, pp. 1-6, doi: 10.1109/CCST.2014.6986996.

10. J. Bauer, J. Goltz, T. Mundt and S. Wiedenmann, "Honeypots for Threat Intelligence in Building Automation Systems," 2019 Computing, Communications and IoT Applications (ComComAp), 2019, pp. 242-246, doi: 10.1109/ComComAp46287.2019.9018776.

11. R. Paes, D. C. Mazur, B. K. Venne and J. Ostrzenski, "A Guide to Securing Industrial Control Networks: Integrating IT and OT Systems," IEEE Industry Applications Magazine, vol. 26, no. 2, pp. 47-53, March-April 2020, doi: 10.1109/MIAS.2019.2943630.

12. G. Stamatescu, I. Stamatescu, N. Arghira and I. Făgărășan, "Cybersecurity Perspectives for Smart Building Automation Systems," 2020 12th International Conference on Electronics, Computers and Artificial Intelligence (ECAI), 2020, pp. 1-5, doi: 10.1109/ECAI50035.2020.9223152.

13. IEC/ISA 62443, "Industrial communication networks – Network and system security, Part 1-1: Terminology, concepts and models," 2009.

14. BSI, PAS 1192-5:2015, "Specification for security-minded building information modelling, digital built environments and smart asset management," 2015.

15. Internet of Things Security Foundation, "Can You Trust Your Smart Building?," Whitepaper, June 2019.

16. NIST, "Cybersecurity Framework," v1.1, 2018.

17. M. Marocco and I. Garofolo, "Integrating disruptive technologies with facilities management: A literature review and future research directions," Automation in Construction, vol. 131, 103917, 2021, ISSN 0926-5805, https://doi.org/10.1016/j.autcon.2021.103917.

18. NIST, SP 800-82 Rev. 2, "Guide to Industrial Control Systems (ICS) Security," May 2015.

19. N. Kshetri, "Economics of Supply Chain Cyberattacks," IT Professional, vol. 24, no. 3, pp. 96-100, May-June 2022, doi: 10.1109/MITP.2022.3172877.
