Buildings used to be just bricks and mortar, but not any more. Modern facilities run on layers of interconnected hardware, such as HVAC controllers, lighting nodes, energy meters, access control panels, and cloud gateways that tie it all together. That connectivity is exactly what makes smart buildings valuable. It is also what makes them a target.
For OEMs developing BAC products, this means a security incident in the field is no longer an IT problem. It can look like lost uptime for customers, a safety risk to occupants, a hit to brand trust, and a long, expensive tail of patching and support. Regulators have noticed, and so have buyers. Procurement teams, specifiers, and systems integrators now treat security posture as a selection criterion rather than a nice-to-have.
So security has become a differentiator. The OEMs that can demonstrate secure design, a clean software bill of materials, and a credible update strategy will win specifications that less prepared competitors lose. The good news is that this is a solvable engineering and supply chain problem, provided it is addressed early.
In a building automation system, a cyber breach can move from the network into the physical world. Risks include loss of safety and life-safety functions, operational disruption to heating, cooling, and access control, theft of occupancy and usage data, breach of privacy and compliance obligations, and lasting reputational damage.
The consequences are financial, regulatory, and physical all at the same time.
Most weaknesses are predictable, which means they are preventable. The recurring cybersecurity problems across BAC products and networks are:
Standards give OEMs a defensible baseline, and an increasing number are becoming mandatory rather than voluntary. The frameworks worth knowing are:
ISA/IEC 62443 is the core standard for industrial and operational technology security. Parts 4-1 and 4-2 are the most relevant to product makers, covering the secure development lifecycle and the technical security requirements for components respectively.
ISO 27001, the information security management standard that governs how an organisation protects data, intellectual property, and processes, is a strong signal of supply chain maturity.
Both UL 2900 and ETSI EN 303 645 set testable security requirements for connected and consumer IoT products.
The National Institute of Standards and Technology provides a practical, widely referenced baseline, including the NIST Cybersecurity Framework and NISTIR 8259 for IoT device manufacturers.
SBOM requirements, originally driven by NTIA work in the United States, are now embedded in regulations, making component transparency a baseline expectation.
This is the one to plan around now. The EU Cyber Resilience Act applies to nearly every product with digital elements sold in the EU, including products made outside the EU.
Vulnerability and severe incident reporting obligations begin in September 2026, and full requirements, including secure-by-design, conformity assessment, CE marking, and SBOMs, apply from December 2027.
The PSTI regime is a useful regional example of the direction of travel. In force since April 2024, it sets minimum security requirements, including a ban on universal default passwords, for consumer connectable products sold in the UK.
The common thread across all these and other standards is that, whatever the region, the expectation is now for secure-by-design products, transparent components, and a credible plan to manage vulnerabilities throughout the product's life.
Security that is added late is expensive and brittle. Designed in from the start, it becomes a strong product differentiator.
On the architecture side, the building blocks are well established: a hardware root of trust or secure element to anchor device identity, secure and verified boot, signed firmware and code signing, encrypted storage and communications, least-privilege and zero-trust principles applied to every interface, secure over-the-air updates so devices can be patched throughout their support period, and secure logging and telemetry so incidents can be detected and investigated.
The process side matters just as much. Threat modelling at the design stage surfaces risks while they are still cheap to fix. Secure coding standards, an accurate SBOM paired with VEX advisories, a managed vulnerability process backed by a PSIRT, coordinated disclosure, and independent penetration testing all turn good intentions into evidence. That evidence is what compliance documentation and the buyers who read it will demand.
Secure products are not designed in isolation. They are sourced, built, provisioned, and supported, and each of those stages is a place where security is either protected or lost. This is where the right electronics manufacturing services partner can instil confidence and ease the pressure points OEMs feel:
Our global, multi-site footprint across Malaysia and Europe also gives OEMs a choice of where products are built, supporting near-shoring, co-shoring, and off-shoring strategies without compromising on control.
Some practical steps your team can act on now:
Building automation cybersecurity has moved from a technical detail to a commercial decision. It affects which specifications you win, how you meet the CRA and similar rules, and what your products cost to support over their lifetime.
The OEMs that treat it as a design principle, rather than a late patch, will build products that buyers trust and regulators accept. Doing that well requires secure design, transparent components, and a manufacturing partner that can demonstrate the chain of custody from sourcing to shipment.
Ready to build security in from the first design review? Download our guide to smart BAC partnerships, or speak with our engineering team now.
ISA/IEC 62443 is the leading standard for securing industrial and operational technology, and BAC products sit squarely within its scope. For OEMs, the two most relevant parts are 4-1, which defines a secure product development lifecycle, and 4-2, which sets technical security requirements for the components themselves. Aligning to 62443 gives you a structured, internationally recognised way to design, document, and demonstrate security. It also makes conversations with integrators and asset owners far easier, because many of them already use the same framework to evaluate the products they specify and install.
BACnet/SC, or BACnet Secure Connect, is a secure data link layer for BACnet that adds encrypted, authenticated, TLS-based communication. Traditional BACnet/IP was designed for openness and has no native security, which leaves traffic readable and devices easy to spoof on a shared network. BACnet/SC also works more cleanly across modern IT networks and firewalls, which removes some of the awkward workarounds integrators rely on today. Migrating protects building data and control traffic, and signals to specifiers that your product is built for current network security expectations rather than legacy assumptions.
A software bill of materials should list every software component in the product, including firmware, operating system elements, and third-party and open-source libraries, with names, versions, suppliers, and dependency relationships. It needs to be machine-readable, in a common format such as SPDX or CycloneDX, and kept current as the software changes. Paired with VEX advisories, which state whether a known vulnerability actually affects your product, an SBOM lets you respond quickly when new issues emerge. Under the EU Cyber Resilience Act, this transparency is becoming a baseline expectation rather than an optional extra.
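The SBOM-plus-VEX workflow described above, as an added example written for this article (it is not the company's tooling or any particular SBOM product): a CycloneDX-style SBOM for a hypothetical controller firmware is matched against a constructed advisory feed, then each hit is reconciled with the vendor's VEX analysis so that only genuinely open items reach the PSIRT worklist. The component names, versions and vulnerability ids are constructed placeholders, not real CVEs; the CycloneDX field names (`bom-ref`, `affects`, `analysis.state`, `analysis.justification`) follow the published schema.

```python
"""Cross-reference a CycloneDX SBOM with a CycloneDX VEX document.

Added example: the SBOM, advisory feed and VEX below are constructed for
illustration and use placeholder vulnerability ids, not real CVEs.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical BAC controller firmware.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "firmware",
                               "name": "example-hvac-controller", "version": "3.4.0"}},
    "components": [
        {"type": "library", "bom-ref": "lib-tls", "name": "example-tls",
         "version": "1.2.0", "supplier": {"name": "Example TLS Project"}},
        {"type": "library", "bom-ref": "lib-json", "name": "example-json",
         "version": "0.9.1", "supplier": {"name": "Example JSON Project"}},
        {"type": "operating-system", "bom-ref": "os-rtos", "name": "example-rtos",
         "version": "5.1", "supplier": {"name": "Example RTOS Inc"}},
    ],
})

# Constructed advisory feed: placeholder id, component name, affected versions.
ADVISORIES = [
    {"id": "PLACEHOLDER-VULN-0001", "name": "example-tls", "versions": ["1.1.0", "1.2.0"]},
    {"id": "PLACEHOLDER-VULN-0002", "name": "example-json", "versions": ["0.9.1"]},
    {"id": "PLACEHOLDER-VULN-0003", "name": "example-rtos", "versions": ["4.0", "4.1"]},
]

# Constructed CycloneDX-style VEX: the vendor's statement about the first advisory.
VEX_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "vulnerabilities": [
        {"id": "PLACEHOLDER-VULN-0001",
         "affects": [{"ref": "lib-tls"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "Vulnerable cipher suite is compiled out of this build."}},
    ],
})

# CycloneDX analysis states that close an item; anything else stays on the worklist.
CLOSED_STATES = {"not_affected", "resolved", "resolved_with_pedigree", "false_positive"}


def load_components(sbom_text):
    """Return {bom-ref: component} from a CycloneDX SBOM."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")
    return {c["bom-ref"]: c for c in sbom.get("components", [])}


def match_advisories(components, advisories):
    """Return {vuln_id: [bom-ref, ...]} for advisories naming a shipped version."""
    hits = {}
    for adv in advisories:
        for ref, comp in components.items():
            if comp["name"] == adv["name"] and comp["version"] in adv["versions"]:
                hits.setdefault(adv["id"], []).append(ref)
    return hits


def load_vex(vex_text):
    """Return {(vuln_id, bom-ref): analysis} from a CycloneDX VEX document."""
    statements = {}
    for v in json.loads(vex_text).get("vulnerabilities", []):
        for target in v.get("affects", []):
            statements[(v["id"], target["ref"])] = v.get("analysis", {})
    return statements


def triage(components, advisories, vex_statements):
    """Combine SBOM matches with VEX statements; unmatched hits default to in_triage."""
    rows = []
    for vuln_id, refs in match_advisories(components, advisories).items():
        for ref in refs:
            analysis = vex_statements.get((vuln_id, ref))
            comp = components[ref]
            rows.append({
                "vuln": vuln_id,
                "component": f"{comp['name']}@{comp['version']}",
                "state": analysis["state"] if analysis else "in_triage",
                "justification": analysis.get("justification") if analysis else None,
            })
    return sorted(rows, key=lambda r: r["vuln"])


def open_items(rows):
    """Items still needing PSIRT action: no VEX statement, or a non-closing state."""
    return [r for r in rows if r["state"] not in CLOSED_STATES]


if __name__ == "__main__":
    comps = load_components(SBOM_JSON)
    worklist = triage(comps, ADVISORIES, load_vex(VEX_JSON))
    for row in worklist:
        print(row)
    print("open:", [r["vuln"] for r in open_items(worklist)])
```

Version matching here is an exact list lookup to keep the example short; real advisory feeds express affected versions as ranges, and a production tool should compare against those ranges and against package URLs rather than bare names. The design point the example shows is the default: a component with a matching advisory and no VEX statement stays open as `in_triage`, so silence from the vendor never quietly closes an item.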
A strong EMS partner protects security across stages that OEMs do not always control directly, such as component sourcing, production, and provisioning. That means traceable, authenticated component sourcing, secure key injection and device identity on the line, and production handled within an audited information security framework. The partner should also provide documentation, traceability, and change-control records that conformity assessments and customers increasingly demand, thereby shortening OEMs’ path to compliance.