Bridging Design and Cyber Defense: A Practical Guide for Consulting Engineers 

As buildings move toward the cloud and the gap between IT and OT keeps shrinking, consulting engineers are now playing a major role in shaping a building’s cybersecurity posture—whether they realize it or not. This article takes a practical look at how engineers can move beyond traditional BAS design and start specifying systems that are open, interoperable, and secure by default. When cybersecurity is considered early in the design process, buildings become smarter, more connected, and a whole lot more resilient. 

Let’s be honest: the role of the consulting engineer has changed when it comes to specifying a BAS. Because so many disciplines and technologies are now integrated into the BAS platform, the engineer is effectively responsible for the design and specification of the building’s whole technology stack, not just its controls.

For years, BAS design was about comfort, sequencing, energy performance, and getting the controls package right. Today those same control systems sit in the middle of IT networks, cloud platforms, APIs, remote access tools, and enterprise data environments. A controller or gateway is no longer “just a device”; it is a network host with an IP address, a management interface, and usually a vendor-default credential, which makes it a potential entry point for an attacker.

In my work at Cochrane Supply and with the RECC, I spend a lot of time talking with building owners, engineers, integrators, and high-level IT and cybersecurity leaders.  Those conversations have really shifted the way I think about system design. 

And here’s my big takeaway: Every BAS design decision you make is also a cybersecurity decision. 

You’re not just designing how a building runs—you’re defining how it stays protected from cyber threats. 

Open Systems Are Great… Until They’re Wide Open 

The industry is rapidly moving toward open, interoperable BAS platforms: BACnet/IP, MQTT, REST APIs, cloud overlays, you name it. This gives owners flexibility and future-proofing, but it also widens the attack surface if security isn’t specified upfront. Keep in mind that “open” protocols are not secure by default: classic BACnet/IP carries no encryption or authentication of its own (BACnet Secure Connect, BACnet/SC, adds TLS), MQTT runs in cleartext unless TLS and broker authentication are configured, and a REST API is only as safe as its authentication and authorization scheme.

When engineers specify “open,” they also need to specify: 

• Who owns the data 

• How that data is encrypted 

• How devices authenticate 

• How networks are segmented 

• What remote access looks like 

• How cloud environments are secured 

At Cochrane, I help firms create updated Systems Integration Drawings, and these have become one of the most important tools in the whole design process. These drawings don’t just show boxes and lines; they show edge devices, switches, VLANs, firewalls, remote access appliances, cloud hosting environments, and supervisory platforms, along with which protocol and port each connection uses. That makes them the roadmap that connects the OT world to the IT world, and the document a commissioning agent or IT security reviewer can actually check a built system against. Honestly, it’s the foundation of what I call Cyber Harmony.

Writing Cyber Into the Specification 

Division 23 (HVAC) and Division 25 (Integrated Automation) are now two of the most important cybersecurity documents in any building project. Once something is written into the spec, everyone has to follow it, and the commissioning agent has something to verify against. When it’s missing? Good luck enforcing it!

A few simple lines in the spec can make a huge difference, provided each one is specific enough to be tested at turnover:

• Require encryption for all BAS communications 

• Require MFA for remote access 

• Define who owns credentials 

• Assign role-based access 

• Require session logging 

• Specify Zero Trust expectations 

• Clarify cloud hosting requirements 

Across the RECC community, more owners are creating Owner’s Project Requirements (OPRs) that specifically call out cybersecurity expectations.  This trend is only growing.  It also feeds into the rise of Cyber Commissioning—verifying cybersecurity controls in the OT environment before the system ever goes live. 
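One way to make the spec lines above and the Cyber Commissioning step concrete is to treat the requirements as rules and run the project’s device inventory (the one the Systems Integration drawing documents) through them before go-live. The script below is an added example written for this article, not code from Cochrane Supply, RECC, or any vendor named here; the inventory, the VLAN labels OT-BAS and OT-DMZ, the field names, and the rule set are all constructed assumptions, and the cleartext port numbers are the well-known defaults for those protocols.

```python
"""Cyber-commissioning check: evaluate a BAS device inventory against spec rules.

Added example (not from the article). The inventory, VLAN names and rule set
are this example's own assumptions; adapt them to the project's Division 25 spec.
"""
from dataclasses import dataclass

# Well-known cleartext defaults: BACnet/IP 47808/udp, Modbus/TCP 502, MQTT 1883, HTTP 80.
CLEARTEXT_PORTS = {47808: "BACnet/IP", 502: "Modbus/TCP", 1883: "MQTT", 80: "HTTP"}

# Assumed VLAN labels from the project's Systems Integration drawing (constructed).
OT_VLANS = {"OT-BAS", "OT-DMZ"}

# Roles that front a user session and therefore need RBAC and session logging (assumption).
SESSION_ROLES = {"supervisory", "remote_access", "cloud"}


@dataclass
class Device:
    name: str
    role: str              # controller | gateway | supervisory | remote_access | cloud
    vlan: str              # VLAN label as drawn on the integration drawing
    protocol: str
    port: int
    encrypted: bool        # TLS / BACnet/SC / equivalent in use
    auth: str              # none | password | mfa | cert
    rbac: bool             # role-based access defined on this device
    session_logging: bool  # sessions written to a retained log
    internet_exposed: bool = False


def check_device(d: Device) -> list[str]:
    """Return the spec violations for one device; an empty list means it passes."""
    findings = []
    if not d.encrypted:
        hint = f" (well-known cleartext port {d.port}: {CLEARTEXT_PORTS[d.port]})" \
            if d.port in CLEARTEXT_PORTS else ""
        findings.append(f"encryption: {d.protocol} on {d.port} is unencrypted{hint}")
    if d.auth == "none":
        findings.append("authentication: no device or user authentication configured")
    if (d.role == "remote_access" or d.internet_exposed) and d.auth != "mfa":
        findings.append(f"mfa: reachable remotely but authentication is '{d.auth}'")
    if d.role in SESSION_ROLES and not d.rbac:
        findings.append("rbac: no role-based access defined")
    if d.role in SESSION_ROLES and not d.session_logging:
        findings.append("logging: user sessions are not logged")
    if d.role in ("controller", "gateway") and d.vlan not in OT_VLANS:
        findings.append(f"segmentation: {d.role} sits on '{d.vlan}', outside the OT VLANs")
    if d.role == "controller" and d.internet_exposed:
        findings.append("segmentation: field controller is directly internet-exposed")
    return findings


def commission(inventory: list[Device]) -> dict[str, list[str]]:
    """Map every device name to its list of findings."""
    return {d.name: check_device(d) for d in inventory}


def passes(inventory: list[Device]) -> bool:
    """True only when no device has a finding."""
    return all(not f for f in commission(inventory).values())


# Constructed sample inventory for a small project.
INVENTORY = [
    Device("AHU-1 controller", "controller", "OT-BAS", "BACnet/IP", 47808,
           encrypted=False, auth="none", rbac=False, session_logging=False),
    Device("Edge gateway", "gateway", "OT-DMZ", "MQTT", 8883,
           encrypted=True, auth="cert", rbac=True, session_logging=True),
    Device("Supervisory server", "supervisory", "OT-DMZ", "HTTPS", 443,
           encrypted=True, auth="password", rbac=True, session_logging=True,
           internet_exposed=True),
    Device("Remote access appliance", "remote_access", "OT-DMZ", "TLS", 443,
           encrypted=True, auth="mfa", rbac=True, session_logging=True,
           internet_exposed=True),
]

if __name__ == "__main__":
    for name, findings in commission(INVENTORY).items():
        print(name, "PASS" if not findings else "")
        for item in findings:
            print("  -", item)
    print("Ready for go-live:", passes(INVENTORY))
```

Run against the sample inventory, the unencrypted, unauthenticated BACnet/IP controller and the password-only supervisory server that is reachable from the internet fail, so the project does not pass; the certificate-authenticated MQTT gateway and the MFA-protected remote access appliance are clean. The point is less the specific rules than the habit: every line you write into Division 25 should map to a check like one of these, otherwise nobody can prove it was met.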

Zero Trust: The New Standard for Remote Access 

Remote access has always been a weak spot in BAS. The old “just give them a VPN” approach doesn’t cut it anymore: a VPN that terminates on a flat OT network gives the remote user, or whoever holds their credentials, the same reach as someone standing in the mechanical room.

Zero Trust simply means: don’t trust a connection because of where it comes from. Every session is authenticated, authorized for the specific device and function it needs, and logged, every time.

A solution like NEEVE makes this practical for OT environments by validating identity, encrypting connections, and logging every session.  It’s one of the easiest ways engineers can strengthen a project’s cybersecurity posture. 

Cloud-Ready Doesn’t Mean Cloud-Exposed 

Cloud BAS platforms are mainstream now, but they need to be implemented securely, and the owner needs to know where the boundary between the building network and the cloud provider actually sits.

Engineers can set the tone by defining: 

• Where the data is hosted 

• Who controls credentials 

• How data is encrypted 

• What integrations look like 

• How logs are retained 

• Who has access to what 

KODE Labs is a great example of a secure cloud overlay that brings everything together without compromising control or security. 

Collaboration Creates Cyber Harmony 

Cybersecurity works best when everyone is aligned.  Consulting engineers have a unique role in bringing together owners, IT teams, integrators, cybersecurity professionals, and commissioning agents early in the process. 

This is Cyber Harmony—everyone rowing in the same direction to create safe, connected, high-performing buildings. 

Where Engineers Should Start 

If you’re looking to strengthen your specs: 

• Review Division 23 for cybersecurity language 

• Add strong integration and cloud requirements in Division 25 

• Update old Systems Architecture drawings to Systems Integration drawings 

• Establish Zero Trust expectations 

• Define remote access standards 

• Clarify data ownership 

If you’re not sure where to begin, that’s why I’m here. 

At Cochrane Supply, I offer: 

  • AIA-Accredited Lunch & Learn: “How to Specify Integration” 
    • We break down exactly how to write open, secure, interoperable BAS specs. 
  • Half-Day Specification Workshops
    • We rewrite your Division 23 and build a Division 25 spec that addresses cybersecurity, cloud integration, and secure data flow.  


The future of BAS design isn’t just about smart buildings—it’s about secure smart buildings. 

Systems that work are good, and systems with a strong cybersecurity posture are better. When you get both, we have successfully bridged design and cyber defense.

This is how we create buildings owners can trust. 

This is how we achieve Cyber Harmony. 
