
Externalization and Ownership of Cybersecurity for (Smart) Buildings

Vitor Jesus (a,*), Jason Xianghua Gao (a,b), Victor Chang (a,*)

(a) Aston Business School, Birmingham, United Kingdom
(b) Cybersecurity, Information System and AI Research Group, School of Computing, Engineering and Digital Technologies, Teesside University, Middlesbrough, United Kingdom
Email: v.jesus@aston.ac.uk; X.Gao@tees.ac.uk / gaoxianghua218@gmail.com; victorchang.research@gmail.com / v.chang1@aston.ac.uk
(*) Corresponding Author

Abstract. Building Automation Systems and Smart Buildings are increasingly common due to energy efficiency or occupant comfort requirements. Whereas Buildings were early adopters of networked automation, we see that cybersecurity, across its components, has been lagging, which is made more challenging by the fast convergence with conventional IT technologies such as the Cloud. A further problem is that the rich set of products and services offered in the IT market seems not to be available for Buildings. This paper revisits cybersecurity for Buildings from the perspective of stakeholders in order to identify the ownership of processes. After holding interviews, we identify the key stakeholders involved in Building Management and lay out the key relationships. From there, we use Responsible-Accountable-Consulted-Informed (RACI) matrices to map out ownership and roles for Cybersecurity. Our key conclusion is that we find ownership unclear, a problem that may be hindering the maturity of the sector.

Keywords: Cybersecurity, Managed Security Services, Smart Buildings, IoT, Facilities Management

1 Introduction

We spend more than two-thirds of our lives indoors, and the lion’s share of that is inside office buildings, if we discount pandemic times. Yet we often fail to notice how even the humblest building built in the last 40 years is a complex system with interesting technology. Ambient temperature, door access control, air quality sensors, lifts, security, etc., are now common – often mandated – across the built environment. In older builds, these systems tend not to be integrated, although some level of intelligence and central control always exists. These are commonly known as Building Management Systems (BMS) or, somewhat interchangeably, Building Automation Systems (BAS).

They are not new. BACNet, a common BMS networking protocol, was designed in the
1990s and had widespread deployment. New builds are increasingly smart, with
embedded technologies such as Artificial Intelligence or the Internet-of-Things. A
modern building for just a few hundred occupants will already have a central room
where most of the building can be monitored and controlled from a single point that
could even be remote or on the Cloud.
Modern buildings rely even more on technology, raising the concept of "Smart
Building". Even though the upfront cost of construction is higher, Smart Buildings
quickly recover the investment given their energy efficiency, cost-effective
maintenance, convenient occupancy, and safety. We now see touch-screen walls, smart
parking systems, zonal climate control, localized tone lighting, robots, etc. Smart
buildings are also much better integrated (and, crucially, connected) with their
surroundings and the Cloud. Especially with BIM (Building Information Management),
with increasingly demanding mandates in the UK and EU, Smart Buildings also enable
a new paradigm in technology called Digital Twins [1], where physical objects or
processes have a fully digital representation.

Such a bright indoor future has, nevertheless, a looming shadow: cybersecurity. The vast gains in convenience, efficiency and safety bring technical complexity; with complexity, cybersecurity risks rise in spectrum and severity. It is not difficult to imagine the impact of malicious activities, which can lead up to a loss of human life. A notable early example was the compromise of the water systems of a large Google building in Australia in 2013¹ (fortunately, by security researchers); a more recent example, in Germany in 2021, showed how malicious actors were able to hijack and disable most sensors inside a building², a phenomenon sometimes called siegeware. This is nothing more than ransomware for buildings or the wider industrial automation systems.
Even though the Built Environment is not commonly categorized under Critical National Infrastructure (CNI), it directly supports CNI. Note that disrupting a datacenter can impact national computing infrastructure, and the unavailability of a hospital building can directly lead to loss of life. It can further lead to non-compliance, including liabilities up to safety negligence. These risks are further aggravated by the fact that breaches may be difficult to detect quickly. Data Protection, often not associated with spaces, is also a rising consideration.
More dramatically, due to richer connectivity, the building infrastructure can also be the entry point or foothold for a wider attack on the core IT. In 2013, Target in the US was the victim of a large cyberattack³ in which personal data and credit card numbers were stolen. It is a notable incident because the attack vector was a breach at a third-party supplier/maintainer of HVAC systems. It is unclear how this led to a breach in the payments system, but it is possible that the two networks were connected, and criminals were able to hop between the two subsystems.

¹ https://www.wired.com/2013/05/googles-control-system-hacked/
² https://www.darkreading.com/attacks-breaches/lights-out-cyberattacks-shut-down-building-automation-systems
³ https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
Despite wide recognition of the problem, current approaches mostly focus on siloed technical or subsystem aspects of security and not on the complex business dynamics that, we argue, can play an equally important role. To this end, this paper discusses Cybersecurity for BMSes from a stakeholders' angle. We report on an exercise of identifying stakeholders and then mapping ownership. In Section 2, we review the concept of BMS and discuss related work, so as to draw attention to the fact that a significant part of the problem is how the market is organized. In Section 3, we develop a stakeholder analysis and, in particular, run a RACI (“responsible, accountable, consulted, and informed”) matrix mapping roles to stakeholders and cybersecurity domains. Section 4 concludes our paper.

2 Building Management Systems

BMSes consist of the set of technologies that allow a Building to become more efficient. Broadly speaking, a BMS is a combination of several subsystems, such as Energy Management [2]. BMSes are complex, distributed [3] and integrated/connected with their surroundings (e.g., the smart city). BMSes comprise a mix of Industrial Control Systems (ICS), the Internet-of-Things (IoT), as connected sensors and actuators are widely used, and more conventional IT technologies, which include the Cloud. This mix of different technologies and paradigms justifies a unique approach to cybersecurity. Despite the openness and integration with conventional IT technologies, notably the Internet, devices typically communicate and integrate with the wider architecture using specific protocols such as BACNet, KNX, or Modbus [4].

2.1 BMS subsystems


Fig 1 shows a high-level and generic representation of a typical BMS. It follows a
typical ICS architecture where plant devices such as fire sensors or door scanners
belong to the lower layers. As we go up, we have communications and progressively
abstract systems up to remote/cloud access and Enterprise applications that are, most
often, proprietary depending on the vendor of the systems. We can also see typical
services such as Historians (to store historical data), Middleware servers to translate
different low-level protocols into a single format that a single application can process,
and the wider Industrial Control, which is typically a set of Programmable Logic
Controllers (PLC).
On the plant side, we have multiple systems. Heating, Ventilation and Air-Conditioning
(HVAC) and occupant wellbeing (e.g., monitoring CO2 levels) provide comfort for the
human occupiers. We also have lighting control, fire systems and vertical transportation
such as lifts and escalators.

All these systems are localized within the premises but physically distributed with
sensors and actuators across it, along with communication networks normally wired.

Fig 1. The high-level, generic architecture of a BMS.

2.2 Challenges and Related Work


BMSes can be complex systems and are thus highly vulnerable to a wide range of
cyberattacks, some generic (such as compromising common IT functions such as web
servers) and some specific situations, such as taking advantage of the poor security
design of old automation protocols. This section (1) reviews proposals for BMS
cybersecurity, (2) the security of BMS systems building blocks such as communication
protocols, (3) the challenges arising from the fast convergence of IT and OT, (4) the
lack of suitable standards, and (5) how the cybersecurity market is structured,
particularly when compared to the conventional IT market.

2.2.1 Insecure Systems and Protocols


As mentioned, BMSes fall under the wider family of Industrial Control Systems (ICS, or Industrial IoT, IIoT) or Operational Technologies (OT), combined with IoT and conventional IT, including the Cloud. OT is particularly infamous for being insecure, and incidents can scale up to CNI, such as the power grid. Similarly to the wider OT, buildings use specific technologies that, regardless of convergence with the Internet, will still be specialized; further, old and new technologies will have to co-exist. An immediate example is penetration testing (“pentesting”), which will be different from that of a web server for e-commerce.

The challenges are three-fold. First, we see modern and well-managed devices co-
existing with old, long-life devices and technologies [5], which are difficult and
expensive to upgrade, often requiring replacing in bulk for interoperability reasons.
Second, as BMSes fully leverage IoT in some form, we see embedded technologies,
often resource-constrained (e.g., unable to support strong cryptography) and physically
accessible in spaces with poor physical monitoring, such as basements or car parks.
Finally, we see a lack or inconsistency of mature security standards in the
component/protocol and system development. One simple example is how easy it is to
launch a Denial-of-Service attack on BACNet [7], given the way it was originally
designed. Due to the difficulty of upgrading, we see its insecure versions still
widespread. The problem is not strictly technical, as solutions exist. For example,
protocol-specific firewalls and intrusion detection systems have been proposed [8][9],
and even honeypots [10], but that would imply a modification of the whole system and
installation. This problem leads us back to operational and market forces.

2.2.2 Immature convergence OT/IT


To make matters worse, we have been witnessing a convergence of Operational Technologies (OT), to which BMSes belong, with IT [11], a rather natural one, as the exclusive use of proprietary or sector-specific technologies is no longer justifiable: the Internet is now the de facto glue technology for communications and interfaces. A sign of rushed convergence is the return of long-gone vulnerabilities such as insecure (embedded) web servers used to configure a device or sensor. We are also seeing hyper-connectivity and cloudification that BMSes are taking advantage of. While this should be promoted, given it greatly facilitates innovation, systems that were designed to operate air-gapped are now connected to the Internet. Finally, we see an increase in supply-chain-based attacks: large companies are being compromised by exploiting small suppliers, who tend to be less resourced and with whom the building manager has established a trusted relationship, often escaping due process.

2.2.3 Inadequate Business Models


Cybersecurity is now an established enterprise need for assurance reasons, compliance, or a competitive advantage. Worldwide, the sector shows increasing levels of funding and mature specialization with unparalleled levels of innovation. However, this is mostly valid for Enterprise cybersecurity. The sector of Smart Buildings still sees the limitations IT saw in the early 2000s. Part of the problem is that the ecosystem is siloed. On the one hand, we have the problem of ownership of the cybersecurity function, to be discussed later. On the other hand, the market structure is not seeing the level of externalization we see in Enterprise cybersecurity. Externalization greatly benefited cybersecurity over the last decade by commoditizing and dramatically reducing the costs of many components of a modern cybersecurity program. One successful example is Managed Security Services. Running a small internal Security Operations Center (SOC) costs an order of magnitude more when compared to outsourcing, while outsourcing dramatically increases quality due to specialization. Whereas there are similar propositions for Buildings, we see they often come in silos: the building integrator also offers security monitoring with a maintenance contract.
A related problem is the lack of cybersecurity tools and products specifically for buildings, which are different from common IT/Cloud infrastructure. For example, there are many alternatives to automate device inventories for common IT. However, for buildings, such tools barely exist beyond open source, are difficult to maintain, or are localized initiatives [12]. The problem is partly due to specialized technologies (e.g., protocols such as BACNet, KNX, or Modbus); another barrier is that BMS technologies are not commonly designed to be monitored for security events.

2.2.4 Lack of Specific Standards


Cybersecurity in Buildings further suffers from a lack of industry frameworks. Even though initiatives exist, for the most part, one must stitch together different standards and guidance that are not especially fit for Buildings. Standards such as NIST CSF (or based on SP800-160 [6]), ISO/IEC 27001, IEC/ISA 62443 [13] (for the wider ICS case), among others, provide valuable guidance, but there is a sharp need for a specific assurance framework that meets the current/upcoming ecosystem. Two initiatives are noteworthy. One is BSI PAS 1192 [14], but it concerns more the security of Building Information Systems (BIM) and less the infrastructure and management of buildings. The second is the work of the Internet-of-Things Security Foundation, Smart Built Environment Working Group⁴ [15]. A standard for Buildings security should ideally be certifiable, so the industry as a whole has the means to define and measure maturity levels. One of the authors, Vitor Jesus, is a contributor to this group, with a comprehensive framework in preparation [15].

3 Stakeholder Analysis

We now identify the key parties involved in operating a building from the specific angle
of Cybersecurity. Considering there are multiple stakeholders and the lack of structure
in cybersecurity for BMSes, we are interested in identifying ownership of processes.
To this aim, we use RACI matrices, common in Project Management methodologies, and identify who

• should be Responsible for performing the task, usually one or more parties;
• is Accountable, which is the single party that delegates the task to Responsible parties and is ultimately accountable for the quality of the outcome;
• is Consulted, i.e., provides input into the task, often a subject matter expert;
• and is Informed, i.e., the parties that should receive updates on the progress of the task.

⁴ https://www.iotsecurityfoundation.org/

In the first mapping, we offer an overall cybersecurity analysis by laying out the ownership hypothesis. In the second mapping, we break down the cybersecurity program into common tasks inspired by NIST's Cybersecurity Framework (CSF) [16] and run a similar analysis.

3.1 Stakeholders
The Built Environment is rooted in mature, centuries-old business practices that bring
a degree of rigidity and are structured around roles that can be unwelcoming of change
if not in the core business. Cybersecurity needs, thus, to follow existing roles, culture,
and structures. For each building, one can have an interplay of hands-off ownership
roles, local/central governments, Facilities Management (FM, who effectively runs the
building), specialized maintenance contractors and integrators, the original constructor
and dependent sub-contractors, and tenants/occupiers (permanent or visitors), who may
share responsibilities with the FM. Consequently, the ownership and roles of
cybersecurity for Smart Buildings are unclear, making it a daunting supply-chain
security problem. In fact, the biggest pain of cybersecurity for buildings may lie in the
coordination complexity of all parties.
The identification of stakeholders consisted of holding unstructured interviews with experts in activities surrounding the Built Environment:
• Construction businesses (two)
• Facility Managers (two)
• Academics in Built Environment (one in Construction Management and
another in Facilities Management)
• Vendors of systems and devices for BMS (two)
The stakeholders are as follows. We start with the Owner, who is the proprietor of the building and, likely, lets it out either to a management agency or directly to occupiers. It often has no role in day-to-day operations and is commonly a financial or real-estate institution. Facilities Management (FM) companies effectively run and maintain the building and premises. A derivation of this role is that FM may, themselves, not be hands-on and further delegate tasks to an FM subcontractor (e.g., gardening). The Occupiers, or Tenants, are the parties who use the Building. Two types were identified. One is the tenant letting the whole building with a view to subletting (e.g., offices); the other is the actual occupiers of the building, such as businesses renting office space or residential dwellings. The Builder, and its subcontractors, developed the physical building and, beyond contractual maintenance, ceases to be a party after the building is handed over to the Owner. The BMS Manager is a further role whose specificity relies on having the necessary technical skills to operate the BMS, either as a whole or per subsystem (e.g., HVAC or CCTV). Integrators are those parties who work with Device/System Vendors in order to build a larger BMS subsystem. For example, the CCTV subsystem and the door access control may be supplied by different vendors but integrated into a single monitoring system. The final stakeholder, which is an umbrella and catch-all function, is the wider Supply Chain, ranging from catering teams to the Internet Service Provider. Fig 2 shows how these parties relate to each other.

Fig 2. Relationships between stakeholders

Whereas Building Owners may be the ultimate stakeholders and thus could set out policies and compliance strategies, likely in the form of contractual clauses, FMs seem to be in a privileged position to run a security program and take on an operational role. It is, however, unclear to what point FM will openly take on this modern vocation [17], which suggests a new role in the Built Environment industry taking up Cybersecurity. This is connected to the need for externalization, as discussed in the remainder of this paper.

3.2 RACI Matrix: Cybersecurity Roles


Considering the stakeholders we identified, Table 1 shows the result of an exercise of mapping stakeholders to RACI roles of Cybersecurity, taking into account common expectations and considering the current way Building management is structured; it represents the commonly expected case. The Building Owner is not expected to be responsible for any cybersecurity tasks beyond setting a mandate and delegation. It is, however, expected to be ultimately accountable for the results. For example, if the building hosts a hospital and thus needs to be compliant with certain regulations (e.g., power supply), should it fail, the liability must fall to the Owner. It may be consulted when major decisions about cybersecurity are taken and certainly informed of its progress and maturity. The FM was considered to be the fittest party to take ownership of cybersecurity – hence a “maybe” or at least “partially” responsible – and could be accountable by delegation of the Owner and certainly consulted and informed. Subcontractors of FM can be responsible for certain tasks and, should a task be fully delegated to a specialized party, could be accountable. Since it is a subcontractor, it is not expected to need to be consulted (unless it is an expert party) or informed. The Builder is not expected to have any role in cybersecurity except in the construction phase and a consulting role.

Table 1. Ownership RACI matrix.

Stakeholder                 Responsible       Accountable       Consulted   Informed
Building Owner              no                yes               maybe       yes
Facilities Manager          maybe/partially   maybe/partially   yes         yes
Subcontractor of FM         partially         maybe             no          no
Builder & Subcontractors    no                no                yes         no
BMS Manager                 yes               yes               yes         no
Occupier                    no                no                yes         yes
Integrator                  partially         partially         yes         no
Device/System Vendor        partially         partially         yes         no
Wider Supply Chain          no                no                yes         no

Given the technical element of cybersecurity, the BMS Manager is expected to be key,
particularly in Cybersecurity Operations. Furthermore, it can be the most qualified
party to interface with Integrators and Device Vendors who must always be consulted
– for example, if a device is found to have a vulnerability that needs to be patched.
Finally, the wider Supply Chain is likely to take a generic role in consultation, but this
depends on the specific area.

3.3 RACI Matrix: Cybersecurity Domains


We now perform a similar exercise but for cybersecurity domains. As mentioned, there is no established cybersecurity framework for Buildings; however, the existing approaches do not significantly depart from conventional programs. For the sake of this exercise, we take the NIST CSF framework [18] to identify the following key areas in a Cybersecurity program for Buildings.
The first, GRC (“Governance, Risk, Compliance”), concerns the overall strategy and project management. It includes senior-level policies, alignment with regulations (e.g., Data Protection) and certifications (e.g., ISO/IEC 27001), and high-level management of Risk. Risk Management concerns the continuous identification, mitigation and verification of risks. Secure Systems encompasses the security of the technical elements, from networking to Industrial Controls of, for example, lifts and escalators. People and Training involves policies and procedures, along with training and awareness. Asset Management keeps track of all assets, from physical objects to data sets and software, which includes updates and disposal. Access Control goes beyond doors and access to spaces to include access to systems. Third-Party Management manages the coordination and verification of third parties, including measures to protect against supply-chain attacks [19]. Monitoring and Detection consists of continuously observing the infrastructure and people's activity to identify malicious activity. Should an attack with significant impact occur, Incident Response (IR) and Continuity cover the actions needed to maintain an activity or restore normal operations. Should there be criminal activity, Law Enforcement will be involved with Digital Forensics. Finally, Communications concerns public and stakeholder engagements, such as when a breach happens.
Table 2 shows the result of our exercise. We start by noting that we took the RACI methodology with great liberty. For example, there should be only one entity accountable per area. The table should be read, instead, as potential roles and ownership.

Table 2. RACI matrix for cybersecurity domains. Columns: BO = Building Owner, FM = Facilities Manager, SFM = Subcontractors of FM, B&S = Builders & Subcontractors, BMS = BMS Manager, OCC = Occupier, INT = Integrators, DSV = Device/System Vendors.

Domain                    BO   FM   SFM  B&S  BMS  OCC  INT  DSV
GRC                       A    R    I    I    C    I    C    C
Risk Management           A    R    I    C    C    I    C    C
Secure Systems            I    A    A    A    R    I    C    C
People and Training       I    A    A    A    A    I    C    C
Asset Management          A    R    C    C    I    I    C    C
Access Control            I    R    C    C    I    I    C    C
Third-Party Management    R    R    I    R    C    I    R    C
Monitoring & Detection    I    R    C    C    R    I    C    C
IR and Continuity         A    R    C    C    R    I    C    C
Digital Forensics         A    R    C    C    R    C    C    C
Communications            A    R    C    C    C    C    C    C
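To make the "ownership unclear" finding concrete, the following added example (not code from the paper) encodes Table 2 and checks each domain against the RACI rule mentioned above, exactly one Accountable party, and additionally flags domains where nobody is Responsible at all. The column order (Building Owner through Device/System Vendors, as in Table 1) is an assumption about the table's layout.

```python
"""RACI consistency check over Table 2 of the paper.

The matrix below is constructed from the page's rows; the column order
(same order as Table 1's stakeholders) is an assumption.
"""
from collections import Counter

STAKEHOLDERS = [
    "Building Owner", "Facilities Manager", "Subcontractors of FM",
    "Builders & Subcontractors", "BMS Manager", "Occupier",
    "Integrators", "Device/System Vendors",
]

# One row per cybersecurity domain, one RACI letter per stakeholder column.
TABLE_2 = {
    "GRC":                    "A R I I C I C C",
    "Risk Management":        "A R I C C I C C",
    "Secure Systems":         "I A A A R I C C",
    "People and Training":    "I A A A A I C C",
    "Asset Management":       "A R C C I I C C",
    "Access Control":         "I R C C I I C C",
    "Third-Party Management": "R R I R C I R C",
    "Monitoring & Detection": "I R C C R I C C",
    "IR and Continuity":      "A R C C R I C C",
    "Digital Forensics":      "A R C C R C C C",
    "Communications":         "A R C C C C C C",
}

VALID_ROLES = ("R", "A", "C", "I")


def parse_matrix(rows):
    """Turn the compact text rows into {domain: {stakeholder: role}},
    rejecting rows with the wrong width or a non-RACI letter."""
    matrix = {}
    for domain, cells in rows.items():
        letters = cells.split()
        if len(letters) != len(STAKEHOLDERS):
            raise ValueError(f"{domain}: expected {len(STAKEHOLDERS)} cells")
        if any(letter not in VALID_ROLES for letter in letters):
            raise ValueError(f"{domain}: roles must be one of R, A, C, I")
        matrix[domain] = dict(zip(STAKEHOLDERS, letters))
    return matrix


def parties_with(matrix, domain, role):
    """Stakeholders holding a given role (R/A/C/I) in one domain."""
    return [s for s, r in matrix[domain].items() if r == role]


def accountability_gaps(matrix):
    """{domain: [accountable parties]} for every domain that violates the
    RACI rule of exactly one Accountable party (none, or more than one)."""
    return {d: parties_with(matrix, d, "A") for d in matrix
            if len(parties_with(matrix, d, "A")) != 1}


def unstaffed_domains(matrix):
    """Domains in which no stakeholder is Responsible, i.e. nobody is
    expected to actually perform the work."""
    return [d for d in matrix if not parties_with(matrix, d, "R")]


def workload(matrix, role="R"):
    """How many domains each stakeholder holds the given role in; useful to
    see on whom the R (or A) load concentrates."""
    counts = Counter()
    for cells in matrix.values():
        for stakeholder, r in cells.items():
            if r == role:
                counts[stakeholder] += 1
    return counts


if __name__ == "__main__":
    m = parse_matrix(TABLE_2)
    for domain, parties in accountability_gaps(m).items():
        print(f"{domain}: {len(parties)} accountable -> {parties or 'none'}")
    print("No Responsible party:", unstaffed_domains(m))
    print("Responsible load:", workload(m).most_common(3))
    print("Accountable load:", workload(m, 'A').most_common(3))
```

Run stand-alone, it lists five of the eleven domains as having either no Accountable party or several, which is the ambiguity the text discusses.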

Once more, of all parties involved, it is clear that, in the absence of anything else, FM is in the best position to take over most tasks in a Responsible role and some as the Accountable party, such as Secure Systems, by delegating those tasks to a combination of technical experts, the BMS Manager and Vendors or Integrators. In this sense, FM naturally takes a coordination role, even if it remains to be established whether FM is open to taking on this vocation.
Most stakeholders take, quite naturally, an "Informed" role. For example, the Occupier has reasonable expectations of operating in a secure space and thus should only be kept informed of any issues. At best, there would be a direct engagement with Digital Forensics and Law Enforcement, and with Communications if the Building as a whole is involved.
Cybersecurity Operations, in the sense of Monitoring & Detection and IR & Continuity, could be a task for the BMS Manager, if one is reminded that these tasks involve day-to-day activities, highly specialized people and tools, and continuous execution of procedures. This is the realm of Security Information and Event Management (SIEM), a service/tool long established in IT but that, to the best of our knowledge, does not exist for BMSes. At best, Vendors offer similar services, but usually as a bundle with the installation of their own equipment and as part of a maintenance contract. The notion of outsourcing Security Monitoring (as in Managed Security Services) seems to be completely absent from BMS.
Nevertheless, the exercise makes clear that Cybersecurity in Buildings has no clear ownership, it being difficult to make anyone Accountable beyond the Owner of the Building, who, via contractual means, may waive liability. For example, if the Owner is a Financial institution, it is intuitive to accept that Cybersecurity is an operational aspect of running the building and that the Owner, therefore, has no responsibility.

4 Conclusions and Outlook

We have reviewed the current state of cybersecurity for Buildings and run exercises on identifying ownership of cybersecurity. The clear outcome is that there is no obvious stakeholder for this role, except, perhaps, the Facilities Manager, likely with a specialized third party. Our findings now need to be validated and expanded. The interviews we conducted merely identified stakeholders. Breaking down Cybersecurity in a form aligned with the built environment's processes and standards is now essential.
This paper opens a number of research directions, mostly broad, given that
Cybersecurity for the Built Environment is still in its infancy, both in Research and
Industry. From a technical perspective, integrated security architectures need to be
developed that take into account two key aspects: (1) the different subsystems that a
BMS consists of, and (2) the constant evolution and merging between paradigms such
as legacy BMSes, Internet-based technologies, IoT, and the Cloud. From a practice
perspective, existing frameworks need to be adapted, and perhaps expanded, and
aligned with the professional practices in the Built Environment. For example, if FM is
to take up the role of operational cybersecurity, a framework needs to understand the
underlying business models. Furthermore, and quite challenging, a comprehensive
framework needs to understand the different phases and the dynamics of the lifecycle
of a building, from design to demolition.

References
1. M. Dietz and G. Pernul, "Unleashing the Digital Twin's Potential for ICS Security," IEEE Security & Privacy, vol. 18, no. 4, pp. 20-27, July-Aug. 2020, doi: 10.1109/MSEC.2019.2961650.
2. M. Manic, D. Wijayasekara, K. Amarasinghe and J. J. Rodriguez-Andina, "Building Energy Management Systems: The Age of Intelligent and Adaptive Buildings," IEEE Industrial Electronics Magazine, vol. 10, no. 1, pp. 25-39, March 2016, doi: 10.1109/MIE.2015.2513749.
3. P. Stluka, G. Parthasarathy, S. Gabel and T. Samad, "Architectures and Algorithms for Building Automation—An Industry View," in J. Wen and S. Mishra (eds), Intelligent Building Control Systems, Advances in Industrial Control, Springer, Cham, 2018, https://doi.org/10.1007/978-3-319-68462-8_2
4. P. Domingues, P. Carreira, R. Vieira and W. Kastner, "Building automation systems: Concepts and technology review," Computer Standards & Interfaces, vol. 45, pp. 1-12, 2016, ISSN 0920-5489, https://doi.org/10.1016/j.csi.2015.11.005
5. W. Granzer, F. Praus and W. Kastner, "Security in Building Automation Systems," IEEE Transactions on Industrial Electronics, vol. 57, no. 11, pp. 3622-3630, Nov. 2010, doi: 10.1109/TIE.2009.2036033.
6. NIST, SP 800-160 Vol. 1, "Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems," March 2018.
7. M. Peacock, M. N. Johnstone and C. Valli, "An Exploration of Some Security Issues Within the BACnet Protocol," in P. Mori, S. Furnell and O. Camp (eds), Information Systems Security and Privacy, ICISSP 2017, Communications in Computer and Information Science, vol. 867, Springer, Cham, 2018, https://doi.org/10.1007/978-3-319-93354-2_12
8. V. Lešić, F. Vrbanc, N. Perić, A. Banjac, H. Novak and L. Jelić, "Distributed Optimal Heating Control of a Residential Building Resilient to Cybersecurity Issues," 2021 IEEE 19th International Conference on Industrial Informatics (INDIN), 2021, pp. 1-6, doi: 10.1109/INDIN45523.2021.9557449.
9. A. Antonini, A. Barenghi, G. Pelosi and S. Zonouz, "Security challenges in building automation and SCADA," 2014 International Carnahan Conference on Security Technology (ICCST), 2014, pp. 1-6, doi: 10.1109/CCST.2014.6986996.
10. J. Bauer, J. Goltz, T. Mundt and S. Wiedenmann, "Honeypots for Threat Intelligence in Building Automation Systems," 2019 Computing, Communications and IoT Applications (ComComAp), 2019, pp. 242-246, doi: 10.1109/ComComAp46287.2019.9018776.
11. R. Paes, D. C. Mazur, B. K. Venne and J. Ostrzenski, "A Guide to Securing Industrial Control Networks: Integrating IT and OT Systems," IEEE Industry Applications Magazine, vol. 26, no. 2, pp. 47-53, March-April 2020, doi: 10.1109/MIAS.2019.2943630.
12. G. Stamatescu, I. Stamatescu, N. Arghira and I. Făgărășan, "Cybersecurity Perspectives for Smart Building Automation Systems," 2020 12th International Conference on Electronics, Computers and Artificial Intelligence (ECAI), 2020, pp. 1-5, doi: 10.1109/ECAI50035.2020.9223152.
13. IEC/ISA 62443, "Industrial communication networks – Network and system security, Part 1-1: Terminology, concepts and models," 2009.
14. BSI, PAS 1192-5:2015, "Specification for security-minded building information modelling, digital built environments and smart asset management," 2015.
15. Internet of Things Security Foundation, "Can You Trust Your Smart Building?," Whitepaper, June 2019.
16. NIST, "Cybersecurity Framework," v1.1, 2018.
17. M. Marocco and I. Garofolo, "Integrating disruptive technologies with facilities management: A literature review and future research directions," Automation in Construction, vol. 131, 2021, 103917, ISSN 0926-5805, https://doi.org/10.1016/j.autcon.2021.103917.
18. NIST, SP 800-82 Rev. 2, "Guide to Industrial Control Systems (ICS) Security," May 2015.
19. N. Kshetri, "Economics of Supply Chain Cyberattacks," IT Professional, vol. 24, no. 3, pp. 96-100, May-June 2022, doi: 10.1109/MITP.2022.3172877.
