
Building Automation and Control Systems (BACS)

Guidance on how to take a Security-Minded approach to Building Automation and Control Systems (BACS)

Last Updated 25 January 2024

To provide a safe environment, whether for the comfort of individuals using the space or for the processing and storage of materials or data, most buildings have one or more Building Automation and Control Systems (BACS), also referred to as Building Management Systems (BMS). These systems may fulfil a range of functions including, for example:

  • Environmental control – heating/cooling, ventilation, air-conditioning (HVAC), and lighting.
  • Energy management and monitoring – metering/sub-metering, control of local energy generation and storage, control of uninterruptible power supplies (UPS).
  • Monitoring of building services – occupancy, failures (floods, lift breakdowns, etc).
  • Computer-Aided Facilities Management (CAFM) – helpdesks, asset management, and room bookings.

Historically such systems were standalone with minimal integration and few, if any, connections outside of the building. With the increased digitalisation of sensors, communications, processing, and information storage, these systems are increasingly interconnected and integrated as building owners and occupiers seek to deliver ‘smart’ buildings. Whilst this digitalisation has brought operational efficiencies and economic benefits, it also exposes a greater attack surface to those contemplating hostile or malicious acts.

The security of BACS is not a purely technical matter and requires a holistic approach addressing the following security aspects:

  • Physical – protection of the systems, their communications and networking infrastructure, and their sensors and/or actuators from damage, whether deliberate, inadvertent, or accidental.
  • People – the control of individuals’ access to the systems, including both the personnel involved in operating the BACS and those that support and maintain it.
  • Process security – consideration of the processes it supports and the need for appropriate security and resilience in the design and implementation of the BACS.
  • Technical – essentially the cyber security of the BACS, both as standalone systems and the integration of systems providing different functionality, whether on- or off-site.
  • Information – what operational and organisational information does the BACS collect, process and store, who has access to it and from where. Aggregated information can provide a pattern-of-use which may be of value to hostile actors.

The security and potential vulnerability of BACS should be considered as part of any security risk assessment and management of a building.

Further advice on the security of building information is available from the Security-Minded approach to Information Management page.
