Building automation, NIS2 and the Cyber Resilience Act are changing the responsibilities of architects, designers and operators

Cybersecurity is increasingly becoming a central component of modern building design. Networked doors, windows, access control systems, building automation and technical infrastructure are creating new interfaces between architecture, IT and operational safety. Particularly in the context of critical infrastructure (KRITIS), this gives rise to requirements that go far beyond traditional security or building services planning.

Against this backdrop, Olaf Thies and Frank Schubert discussed the growing importance of cybersecurity in planning, building automation and operations during the GEZE expert discussion ‘Building envelope under control: KRITIS and cybersecurity’. Lennard Kreißl, who had also been announced as a participant, had to withdraw at short notice due to illness.

Olaf Thies, GEZE’s architecture consultant and an architect himself, is responsible at GEZE for the BIM sector, as well as the interface between architecture, building automation and digital planning. Frank Schubert is a cybersecurity and automation expert at Beckhoff Automation and focuses in particular on secure communication standards such as OPC UA and BACnet Secure Connect, as well as the implications of NIS2 and the Cyber Resilience Act for building automation and industrial control systems.

The discussion forms part of GEZE’s strategic approach to increasingly viewing the building envelope, automation, access management and digital networking as integral components of resilient security architectures. The focus was particularly on the implications of NIS2, the Cyber Resilience Act, BACnet Secure Connect and OPC UA for architecture, technical building systems and operator responsibility.

The discussion covered not only the technical dimension of cybersecurity, but above all the question of how early security requirements must be integrated into the planning process. A key conclusion of the discussion was that cybersecurity is no longer a downstream IT task, but begins in the early stages of building planning – in some cases even before the traditional HOAI framework.

Building connectivity as a central task

Cybersecurity is no longer purely an IT issue. With the increasing connectivity of buildings, systems and technical installations, it is becoming a central planning task. Particularly in the context of critical infrastructure, it is clear that anyone planning a building today is not only deciding on spatial programmes, façades, routing or technical equipment, but also on the subsequent digital attack surface of the building’s operations.

At the heart of this lies a new logic of responsibility. Buildings are increasingly shaped by technical systems: access control, building automation, fire alarm systems, video surveillance, air conditioning and ventilation systems, energy management and maintenance access points have long been part of networked infrastructures. This creates interfaces that must be assessed not only in terms of functionality but also in terms of security.

KRITIS starts earlier than many think

The term ‘critical infrastructure’ is often understood too narrowly. Whilst energy supply, water, healthcare, transport, food and telecommunications are among the classic KRITIS sectors, in practice the scope is much broader. Buildings with high footfall, security-critical operational processes or sensitive data can also trigger heightened requirements.

These include, for example, data centres, research facilities, production sites, public buildings, hospitals, logistics centres or event venues. It is not just the building envelope that is decisive, but its subsequent use. This is precisely where a key task arises for architects and specialist planners: security-related requirements must be clarified at a very early stage of the project.

Cybersecurity cannot be added retrospectively like a single component. It must be prepared for organisationally, technically and structurally.

Responsibility: The architect as coordinator

A key problem in practice is unclear responsibility. The user points to the client, the client to the architect, the architect to the electrical engineer, and the electrical engineer to the operator or the IT department. It is precisely this chain of responsibility that often leads to cybersecurity being addressed too late or not at all in a systematic manner.

Yet overall coordination in the planning process often initially lies with the architect. They do not have to resolve all the technical details themselves, but they must ensure that the right stakeholders are involved in good time. These include, in particular, building services engineers, electrical engineers, integration planners, IT managers, operators, facility management and, where necessary, external security consultants.

Particularly in the case of networked buildings, it is not enough to consider trades in isolation. The key risks arise at interfaces: between building automation and IT, between maintenance access and operator responsibility, between access control and alarm systems, and between fire safety functions and physical security.

NIS2 and the Cyber Resilience Act: Two Levels of Regulation

The NIS2 Directive is particularly relevant for operators. It addresses security requirements for companies and organisations of particular importance to the economy and society. These include, amongst other things, risk analysis, organisational security measures, reporting obligations, backup concepts and incident management.

The Cyber Resilience Act, on the other hand, primarily affects manufacturers of digital products. From the end of 2027, products containing digital elements will only be permitted to be placed on the market if they meet defined cybersecurity requirements. These include, for example, updatability, vulnerability management and security documentation.

For planning purposes, this means that buildings designed today will be operated within a regulatory environment that has already become more stringent or will become even more so. Anyone planning now must already take future requirements into account.

Building automation as a target

Building automation is a particularly critical area. It controls and monitors a building’s central functions – from heating, cooling and ventilation to alarms, energy supply and access systems.

In the past, open communication was a major step forward. Today, it can become a risk if systems are accessible via the internet without protection or if maintenance access points lack adequate security. Open interfaces, default passwords, a lack of encryption or poorly documented remote access can enable attackers to penetrate further systems via the building automation system.

Data centres in particular clearly illustrate the problem. The core IT systems are often highly secure. However, if the building services – such as cooling or alarms – are tampered with, operations can still be severely disrupted. Building automation can thus become a springboard for attacks on IT infrastructures.

Physical planning remains crucial

Cybersecurity does not begin with the network. It also has a structural dimension. Technical rooms, cable routes, switch cabinets, server rooms and maintenance access points must be planned in such a way as to make unauthorised access difficult.

This includes secure technical rooms, controlled access zones, protected cable routing, traceable route planning and clearly defined maintenance points. A simple hex key for security-critical switch cabinets is no longer appropriate in critical environments.

The question of where external service providers are granted access must also be clarified at an early stage. Remote maintenance can be useful and economically necessary, but must not lead to permanently open security vulnerabilities. VPN connections, certificates, encrypted protocols and role-based access rights thus become planning requirements.

OPC UA and BACnet Secure Connect

Standards such as OPC UA and BACnet Secure Connect are becoming increasingly important for secure communication in building and automation systems.

OPC UA originates from industrial automation and enables standardised data exchange between systems. When configured correctly, it can support secure communication. BACnet Secure Connect applies similar requirements more strongly to building automation and also works with certificates and encrypted connections.

However, it is important to note that a secure standard alone does not guarantee a secure system. Configuration, responsibility, certificate management, documentation and operation are crucial. Even a fundamentally secure protocol can be operated insecurely if certificates are missing, access is incorrectly configured or responsibilities remain unclear.

Integration planning as a key role

The integration planner plays a vital role. They think across disciplines and link technical building equipment, IT, automation and operational perspectives. Particularly in complex buildings, this role should not be brought in too late.

Practice shows that if the integration planner is only brought in during the later design phases, many structural and technical decisions have already been made. In such cases, security requirements can often only be retrofitted at great expense or incompletely.

It makes sense to involve them early on, as early as the requirements planning and preliminary design stages. This is where usage, operational structure, security levels, maintenance concepts and verification requirements must be defined.

Verifiability: What is written down remains

Another key point is documentation. Cybersecurity must be verifiable. This includes clear responsibilities, coordinated security concepts, documented interfaces, handover protocols, certificates, backup concepts and operating instructions.

Gaps frequently arise, particularly during the transition from construction to operation. The operator receives a building whose technical logic has not been sufficiently explained or documented. A traditional handover of keys is no longer sufficient for secure operation. What is required is structured handover management that also encompasses digital systems, access rights, maintenance processes and emergency procedures.

Communication is security architecture

The most important insight is this: cybersecurity in a building is not achieved through a single product. It is achieved through early communication, clear responsibilities, realistic requirements and thorough documentation.

Architects and planners do not have to solve cybersecurity on their own. But they must recognise that networked building technology is part of the security architecture. Anyone who only considers KRITIS, NIS2, the Cyber Resilience Act and building automation at the end of the planning phase is acting too late.

Modern buildings are no longer static structures. They are technical, digital and organisational systems. This is precisely why security planning must begin earlier today – ideally even before the first traditional project phase.

To Part 2 of the technical article: https://euro-security.de/en/part-2-of-the-technical-article-on-the-geze-expert-discussion-smart-building-automation-as-a-key-component-of-resilient-kritis-strategies/