Identify cost, scope of a BAS

Finding the budget to implement a building automation system often proves challenging. Learn to compare scope against the cybersecurity requirements

By Jaco Cronje December 10, 2020

A building automation system is loosely defined as a system that leverages the different services in a building in such a way that reduces the need for manual intervention to deliver on the intended outcomes. This can mean enabling occupant productivity through improved building comfort, extending equipment life span through optimal operating conditions or reducing the building’s environmental footprint.

The ecosystem that executes the control mechanisms to deliver on the automation is referred to as the BAS. It is interchangeably used with the term building management system. More recently, energy management system is a term that has increased in popularity as an enhancement to the traditional BAS to highlight the use of analytics and insights based on energy data.

The BAS alone is not software; it consists of a family of assets, all held together by the glue of integration. From the field sensor collecting data to the actuator controlling the building occupant’s perceived experience, from the communication protocols through to the data carrier medium, from the data collection software through to the storage, analysis and visualization — all of these assets together enable the BAS ecosystem.

A smart building is one in which a BAS has been implemented to improve occupant experiences — whether it be seamless transition between spaces, security or comfort — and reduce the building’s carbon footprint. Furthermore, in a smart building, the BAS has not only focused on the traditional heating, ventilation and air conditioning system, but has considered all the facility-related control systems within the building to deliver operational insights and business intelligence. A smart building is generally defined as a building that delivers services that make occupants productive at the lowest cost and environmental impact over the building’s life cycle.

A smart building’s journey is a movement in the direction toward maturity of building automation where building control systems intercommunicate as required, to proactively adjust and respond to changing conditions.

Building automation is dependent on:

  • Understanding the occupant’s goal.
  • Providing a mechanism to facilitate communication, e.g., a converged network.
  • Providing data engineering, e.g., tagging, frequency, direction, storage.
  • Devices with nonproprietary communication capabilities.
  • A processing engine with the ability to ingest data, analyze the data and act intelligently.
  • Transitioning the overall solution from engineering to operations.
  • Considering the full life cycle of the assets in the building as well as the BAS itself.

Evolution of BAS challenges

While the principal challenges facing the industry that consists of building owners, designers, device manufacturers, architects and software designers have remained consistent, they have evolved.

While challenges outlined in Table 1 may appear to test the project management triad of time, quality and cost, they offer a different insight into the drivers of BASs. Identifying the risk areas for an implementation provides a designer with the necessary focus areas for risk mitigation, successful delivery and meaningful use.

The scope of building automation is frequently a conversation driven by the plant manager or the building operations and maintenance team. This narrow focus inevitably runs the insightful recommendation and excitement of improving the building into a dead end and leaves a demotivated plant manager or facilities manager.

Instead, there is an approach to consider that signals to the market that the building is a next-generation asset hardened against pandemic disruption, aware of its carbon footprint and highly engaging for tenants and visitors, with smart technology being a main attraction and market differentiator. This steers the conversation in a completely different direction.

Managing or completely mitigating pain points that occupants, property owners or sustainability targets will experience enables the engineer to focus on tactical solutions. It also provides a mechanism for financial investment to be better understood.

Following a strategic imperatives framework results in the execution of the described approach. One is able to map the mission and the goals of the BAS by first defining a vision statement that encompasses the desired result for the building. This allows the creation of strategic imperatives — the tangible actions required to execute on the goals. The strategic imperatives framework is defined in the following steps:

  1. Identify the stakeholders. These include building operations, sustainability leaders, information technology, executive leadership and client engagement (e.g., patient care in the health care sector or plant operations in the manufacturing sector).
  2. Define the vision statement with dialogue between all stakeholders through targeted discovery questions. The responses determine the desired outcome. At this point in the process, alignment with corporate strategy becomes pivotal.
  3. Discover pain points as the critical mechanism for transferring from strategy to tactical implementation. Pain points are defined through the process of creating user personas including wants, needs and frustrations for each user group occupying a building. User journeys map the building touchpoints and identify where users may experience pain points and are used to evaluate tactical solutions.
  4. Set the mission statement to capture the essence of the complete engagement and define the ultimate outcome of the BAS.
  5. Create goals as a means of identifying the overarching concepts of the project. This overlays meaningful thematic information required to define strategic imperatives.
  6. Develop strategic imperatives that drive the various engineering engagements, which together create the BAS ecosystem.

Following this approach will enable setting the scope parameters of the BAS — from the number of connected systems to the level of intelligence, from the geographic extent in a real estate property portfolio to the integration of third-party data sets for contextualization leading to improved decision making.


Passwords, malware, blocked ports, firewalls, trojan horses, spoofing, phishing and man-in-the-middle attacks — cybercrime is real and has no limits. Ensuring the operational resilience of a building is as much a cybersecurity conversation as is having attic stock and preventive equipment maintenance schedules. With the BAS connected to the internet and, in turn, connecting all the various facility-related control systems in the building, cybersecurity lands on the facility manager’s doorstep. The building elevator, the data center lights, the boardroom camera and the afterhours access-controlled door now have routes to the internet.

While physical security, such as gates, walls and bollards, restricts physical access or movement of objects, electronic security uses technology, such as electronic access control or surveillance cameras, to enhance the implementation of physical security. Cybersecurity manages virtual access to electronic devices through passwords, network access rules or internet use policies, to mention only a few.

BAS cybersecurity is quickly discarded as a focus area of the enterprise IT team with budgets being made available instead for anti-virus software, firewalls and spam email blockers, to name a few. Unbeknownst to them, the property manager, health and safety manager, risk manager and entire board of executives are held accountable, with both direct and indirect risks and responsibilities falling in their court.

The focus on cybersecurity is driven by the impact a breach has on the building and the tenant. Cybersecurity first impacts the occupants in the building, the mechanical and electrical systems of the building, productivity as a result of an outage and finally the reputation of the organization.

Cyber-resilience looks at the measures taken by relevant design and operating authorities to improve the building’s virtual or network protection to remain operational in the wake of online or cyberattacks. The FBI’s Internet Crime Complaint Center reported 467,361 recorded complaints (a complaint consists of multiple crimes) of cybercrime attempts in the U.S. in 2019. Building systems are increasingly becoming targets of traditional cybercrime techniques. The IC3 notes the top three crimes being phishing (which includes vishing, smishing and pharming), nonpayment/nondelivery and extortion.

Cybersecurity seeks ways to strengthen digital barriers to protect critical data from theft and attacks, maintain the integrity of the building facility systems and retain building control with authorized parties. This is essentially achieved through locking down software, hardware and connectivity to address often overlooked vulnerabilities.

Understanding why a BAS is at risk helps define the mitigation plan. Those very reasons also create additional vulnerabilities. A few examples include:

  • To share data, systems need to be connected. These connections provide routes for cyber-criminals to navigate the building systems.
  • Delivering on user experiences requires knowledge by the BAS of the individuals. This implies a connection by the access control system with the corporate human resources database or people directory and this connection provides a path into the enterprise network.
  • Building automation removes decision-making from an operator and places it into the hands of a computer system. If the decision-making of the system can be altered or the input factors changed, the unsupervised output can have an adverse effect.

Original equipment manufacturers include cybersecurity in their hardware and software designs and software building automation and management systems implement certain measures, however, not nearly enough. The complexity of cybercrimes evolves daily and staying abreast is a big task for OEMs.

Cybersecurity must be addressed at the start of the BAS journey. The U.S. government prescribes a minimum 2.5% of total construction costs for all Department of Defense projects to be allocated to cybersecurity. If you consider BAS-only spending, then this figure increases to 20% to 25% of the BAS budget being allocated to cybersecurity.

Some basic measures can be taken to improve the resilience of a project’s BAS:

  • Change all factory-shipped default usernames and passwords.
  • Do not leave the username and password to the BAS under the keyboard.
  • Manage internet connectivity through a firewall and do not permit private vendors to install their own network connections for remote support.
  • Develop a continuity of operations plan, assign responsibilities and check this quarterly.
  • Implement backup procedures and test the backups.
  • Disable network connectivity capabilities on devices that do not require these.
  • Include cybersecurity in the design of the network, the control room, the BAS and include mapping of standard operating procedures.
  • Complete a cybersecurity audit report with potential penetration testing.

BAS costs

When BAS spend is considered a grudge spend, the ability of the BAS has not been aligned with the goals of the building occupant’s comfort and safety to corporate strategic initiatives. The strategic imperatives framework was outlined previously, and provides the platform for ensuring alignment between corporate strategy and BAS functionality.

More often than not, the primary focus of the BAS team, from client sponsor to BAS engineer to system integrator, lies in delivering the BAS in compliance with good project management methodologies. This approach of merely focusing on the on-time and in-budget achievement of a practical completion certificate lies at the heart of the reputation that “smart buildings are expensive” and why BAS is the last item at the annual budget soiree.

Business intelligence and new experiences are the values that building automation brings to real estate, which were otherwise not possible before. Examples of insights delivered by the BAS resulting in financial value to the building operator include:

  • At a banana ripening warehouse, the frequency on the main chiller system’s variable speed drive had been drifting more and more over time at temperatures over 95°F with a humidity of 70%. While the output had not been affected, it was a telltale sign that equipment failure was imminent. Due to the integration with a third-party weather service, the facility engineer was able to expedite maintenance one week ahead of a warm front with predictions of 95° to 100°F and 90% humidity, in doing so, preventing the total loss of stock in the facility.
  • In a now-unoccupied large retail space in a shopping center, the BAS provided complete control of temperature, air movement, lighting color and intensity, audiovisual control and occupancy sensing to create virtual reality NFL fan experiences. This brought the game to the fans in pandemic-resilient social distancing compliant environments, and created new business opportunities.
  • An unused ward of a hospital was converted into a COVID-19 isolation facility through automating controls in the BAS, which were fed from sensors in the facility, sharing of data sets and monitoring all threshold values of critical care systems, protecting life and introducing new revenue streams.

Budgeting the BAS requires several considerations, including:

  • The capital outlay to implement the system allows for integration with more systems to provide more context to facility management and building operations.
  • The work required to level-set the existing facility control systems to enable integration because most of the facility systems would traditionally be designed and implemented without consideration for integration, thus needing interventions.
  • The engineering required to holistically capture the requirements needed to be undertaken during the onset of the engagement as defined in the strategic imperatives framework.
  • Thoughtfully designing the solutions.
  • The ongoing optimization and cybersecurity compliance necessary to ensure the BAS delivers what the OEM and engineering designer intended for it.
  • Organizational change and roles to support and leverage BAS capabilities once deployed requires different skillsets.

Equipped with the knowledge of how scope and security drives spend on BAS implementation, the design engineers should engage with one another to create outcomes in a collective manner. Engineers can manage and meet the expectations from investors, can protect the environment for future generations and can create safe environments for people.

Author Bio: Jaco Cronje is a technology solution architect at WSP USA.