Connected building automation systems increasingly serve as targets for cyber-physical attacks, accelerating a sector-wide focus on security-by-design, threat intelligence integration, and standardized defense measures. According to a recent Kaspersky ICS CERT report, building automation systems ranked among the most attacked operational technology (OT) sectors in Q1 2025, with malicious objects blocked on 25% of industrial control system (ICS) computers worldwide. The biometrics sector led with 28.1%[1]. The scale of these threats is prompting regulatory and industry groups to respond.
Background
Cyber-physical system incidents have demonstrated significant operational impacts. The Swiss National Cyber Security Centre (NCSC) highlighted a July 2024 sabotage that disrupted heating for approximately 600 residential buildings in Ukraine through malware delivered over the Modbus protocol[2]. A Claroty report found that 75% of organizations operate building management systems (BMS) with known exploited vulnerabilities (KEVs), and 50% use systems with unsecured internet connections frequently targeted by ransomware groups[3]. These incidents underscore the need for cybersecurity integration at the earliest stages of building system design.
Details
During the Swissbau 2026 trade fair, January 20-23 in Basel, the NCSC and the Swiss Society of Engineers and Architects (SIA) held sessions on implementing secure-by-design principles in software development, structured emergency response, and clarifying supplier obligations in construction and real estate[4]. Industrial trends reflect this shift: Rockwell Automation's 2026 "State of Smart Manufacturing" report cited secure-by-design hardware as a priority, with 31% of manufacturers aiming to reduce OT risk through embedded security controls such as controller-level access rules, signed firmware, and onboard telemetry, reinforced by disciplined lifecycle management and procurement protocols[5].
Standardization efforts are advancing. The IEC 62443 series provides key guidelines for cybersecurity in industrial automation and control systems (IACS). The forthcoming European Cyber Resilience Act (CRA) will require risk-based secure-by-design approaches by mid-December 2027, with harmonized standards expected by late 2026 to guide implementation[6].
Outlook
Facility managers, systems integrators, and building owners are increasingly expected to specify security measures in procurement-such as secure-boot and signed firmware-and to integrate threat intelligence into operations. With CRA enforcement nearing, the industry is moving from reactive defense to proactive, embedded cybersecurity. Secure-by-design is poised to become fundamental to safe, interoperable, and resilient building automation systems.



