Review

Composite Vulnerabilities and Hybrid Threats for Smart Sensors and Field Busses in Building Automation: A Review

by Michael Gerhalter and Keshav Dahal *
Artificial Intelligence, Virtual Communication and Network (AVCN) Research Institute, University of the West of Scotland (UWS), High St, Paisley PA1 2BE, UK
* Author to whom correspondence should be addressed.
Sensors 2025, 25(17), 5218; https://doi.org/10.3390/s25175218
Submission received: 5 July 2025 / Revised: 18 August 2025 / Accepted: 19 August 2025 / Published: 22 August 2025

Abstract

In the IT sector, the relevance of looking at security from many different angles and the inclusion of different areas is already known and understood. This approach is much less pronounced in the area of cyber physical systems and not present at all in the area of building automation. Increasing interconnectivity, undefined responsibilities, connections between secured and unsecured areas, and a lack of understanding of security among decision-makers pose a particular threat. This systematic review demonstrates a paucity of literature addressing real-world scenarios, asymmetric/hybrid threats, or composite vulnerabilities. In particular, the attack surface is significantly increased by the deployment of smart sensors and actuators in unprotected areas. Furthermore, a range of additional hybrid threats are cited, with practical examples being provided that have hitherto gone unnoticed in the extant literature. It will be shown whether solutions are available in neighboring areas and whether these can be transferred to building automation to increase the security of the entire system. Consequently, subsequent studies can be developed to create more accurate behavioral models, enabling more rapid and effective analysis of potential attacks to building automation.

1. Introduction

Almost all modern buildings have building automation systems (BASs) [1]. Literature clearly indicates that building automation can be classified as a cyber physical system (CPS) [2,3]. In this context, building automation combines several broader areas like Smart Buildings (SBs) [4], Intelligent Buildings (IBs) [5], smart cities [6], enhanced living environments [7], Information and Communication Technology (ICT), Industrial Control Systems (ICSs), smart grid [8], Internet of Things (IoT) [9] and others. This shows the necessity of combining many different and independent systems into one integrated system.
Khan et al. [10] recognize the interaction and interconnectivity between the different systems in the CPS environment through the use of ICT. With regard to BASs, for example, Aghemo et al. [11] introduced the topic of the energy-saving potential in heating, cooling, and lighting through ICT-based automation systems. Also, the EU's Energy Performance of Buildings Directive (EPBD) [12] recognizes the strong backlog demand regarding the intelligence capability of a building and its underlying controls. In the context of smart devices and sensors, the requirement to connect different BASs is also supported by Kastner et al. [13]. They specifically refer to the increasing requirement for close cooperation between the different trades involved in building automation engineering. Continuing towards broader integration, Hammadi et al. [14] are clear that indoor guidance and assistance via smartphone will become a significant trend in modern buildings. They also explicitly point to the interaction of smartphones and building automation as the key to implementing such a concept. In the context of linking electrical power systems and BASs, Kiliccote et al. [15] make clear that smart grids are also on the agenda for smart buildings. ASHRAE [16] has also started work on corresponding standards for the connection between building automation and smart grid systems. In the broader context of the CPS, Zhukabayeva et al. [17] highlight the integration of networked sensors into cloud applications, while also underscoring the significant number of accompanying security concerns.
The examples given of the diverse interconnection of different systems go hand in hand with a broad and complex attack surface [2,17,18], which is reminiscent of the challenges of modern warfare, and thus brings into play issues such as asymmetric or hybrid threats or composite vulnerabilities. Hybrid threats refer to a wide range of hostile actions that combine multiple, often unconventional methods to achieve strategic objectives, usually by exploiting multiple vulnerabilities in one or more targets [19]. Composite vulnerabilities are those vulnerabilities that can occur through the totality or combination of connected systems [20]. The question arises as to whether such threats are also conceivable in the field of building automation.
The following contributions are made by this paper:
  • A comprehensive review of field bus systems, protocols and standards used for data transport from sensors in building automation.
  • An overview of practical examples of threats to building security that have not yet been covered in the literature, especially with regard to sensor technology in usually unprotected areas.
  • A thorough analysis of whether literature from the field of warfare or composite vulnerabilities has been previously applied to the field of CPSs and specifically to BASs.
  • An overview of the methods that can be employed to counteract the mentioned composite vulnerabilities and hybrid threats for the benefit of researchers and practitioners in the field.
The previous part explained the background and motivation for this systematic review paper. Section 2 describes the necessary context and Section 3 gives some practical examples. Section 4 describes the methodology and defines the scope, focus, and limitations. Section 5 summarizes and synthesizes the results in categories and describes them in detail, particularly with regard to their potential applicability in building automation. Section 6 summarizes the most important results and concludes with the key findings, highlighting aspects of security in building automation that have not yet been considered in the literature.

2. Building Automation and Its Communication Mechanisms

2.1. The Multi-Layered Communication in Building Automation

Building automation systems use layered communication, a model supported by several authors and widely used in the literature [21,22]. To illustrate these layers, Figure 1 shows the typical four layers of a BAS and their underlying communication mechanisms. Figure 1 also demonstrates the various types, distribution, and number of devices utilized in building automation. The majority of these devices can be found at the field layer, with their distribution spanning the entirety of the building. For example, an outside air temperature sensor usually sits on the outside wall, occupancy sensors are located in rooms or corridors, and sensors for Air Handling Units (AHUs) are located at the AHU itself. Furthermore, a plethora of additional devices, including temperature and humidity sensors, valve actuators, fire alarms, access readers, cameras, and numerous others, have been developed for integration into these systems. The automation layer is constituted by the Direct Digital Controllers (DDCs), which are utilized for the purpose of automating the processes. These devices are typically installed in control cabinets, though they are also sometimes distributed throughout the building. The management layer, situated above this, is employed for the purpose of visualizing processes and automating higher-level processes. The workstations and servers used there are usually located in an office or a dedicated server room [21]. The enterprise layer is utilized for the processing of voluminous data sets and the establishment of connections with higher-level systems, including the organization’s IT infrastructure. Data exchange in horizontal communication is primarily used for process control and is characterized by smaller data volumes. Data exchange in vertical communication is primarily intended for access by the management layer and is typically characterized by higher data volumes, e.g., for historical data collection [13].
The threats posed by these connections are explained later in Section 5.4.3 and Figure 9.

2.2. Cross-Level and Cross-Trade Vulnerabilities

Sinopoli [23], Younus et al. [24], and Butzin et al. [25] note that building automation is a sum of many different trades such as access control, CCTV (Closed-Circuit Television), HVAC (Heating Ventilation and Air Conditioning), intrusion detection systems, fire alarm systems, etc., whose underlying BASs are interconnected in many ways via a variety of gateways or fieldbus systems. Macaulay [26] notes that, in the context of IoT, threats and vulnerabilities especially occur due to the interconnectivity of many different devices, and the emergence of gateways and cloud solutions further increases the attack surface of such systems [27]. Pointing to IoT and large BASs, Brooks et al. [28] note that the emerging interconnectivity of BASs and enterprise systems poses a new and still far too little considered threat to organizational security; with regard to organizational security, they note that the connection between the technical and the organizational LAN (Local Area Network) also increases the risk of attacks. In the majority of cases, the supply and implementation of these disparate systems is undertaken by different manufacturers. These manufacturers frequently engage in competition with one another, exhibiting a limited inclination to collaborate, and demonstrating a preference for the provision and implementation of proprietary solutions, as opposed to those that are security oriented. This observation is also noted by Shwartz et al. [29] in relation to the IoT. This paper examines literature pertaining to vulnerabilities at the various BAS layers and the different trades. It specifically analyzes literature that already deals with this topic in related areas, with a view to highlighting the associated composite and hybrid vulnerabilities.

3. Practical Examples of Hybrid and Composite Vulnerabilities

The subsequent practical illustrations are designed to fulfill the following objectives:
  • Help to understand the concept and criticality of composite vulnerabilities and hybrid threats to building automation.
  • Provision of illustrative examples that have not been previously addressed in the extant literature.
  • Documentation of real-world scenarios in order to improve data management and strengthen real-time capabilities of fault detection, as these have been given very little consideration in the literature to date [30].
The examples cited are solutions that have also been implemented in practice. During the implementation phase, the risks cited were discussed, and it was determined that there is a paucity of literature examining composite vulnerabilities and hybrid threats in building automation.

3.1. Example 1, Composite Vulnerabilities

A visitor to a building is sent a QR code to their mobile phone after a meeting has been booked via a Microsoft Outlook calendar appointment object. They also receive a floor plan to make it easier to find their way to the relevant meeting room. The visitor then enters the building by presenting the QR code to the access card reader at the entrance door. This event data is stored in the Access Control System (ACS) and recorded by the Video Management System (VMS). If it is an employee, the data is also sent to the human resources payroll system to recognize the employee’s presence and set their daily attendance account to ‘active’. In addition, the visitor’s path to the office is automatically lit when it is dark and the office space is heated or cooled to the desired temperature. The blinds are also opened or closed depending on the weather conditions. Furthermore, the presence detectors recognize whether people are still in the room and the media control system activates the appropriate lighting scenarios for a presentation. In other words, an ACS is connected to the Time and Attendance (T&A) system, to the payroll system, to the lighting system, to the HVAC, to the VMS, to the media control panel, to the electrical power supply system, and in some way to the mobile phone of an external person. Figure 2 illustrates this scenario.
Figure 2 also shows a strong fusion between IT and OT (Operational Technology) and a correspondingly strong networking between the various automation systems, which is also currently the focus of the literature [17,31]. In addition to the broad attack surface [2], such scenarios offer the potential for attacks on one system to affect multiple, other connected systems and support the spread of malware.

3.2. Example 2, Composite Vulnerabilities

At an airport there is a car rental service for electric cars. The power supply of the charging stations does not provide enough capacity to charge all vehicles in parallel. To ensure that the rented vehicle is fully charged at the time of handover, a charging schedule is created. This schedule defines the time and corresponding State of Charge (SOC) of the battery. This data is transferred to an SQL (Structured Query Language) database, which is then connected to a controller via an ODBC (Open Database Connectivity) connection. The connected controller is then also used to disconnect other large loads when larger amounts of power are needed for rapid charging. Thus, the controller is connected to many AHUs (via the FOXnet protocol), to an electric heater for defrosting a ramp (via Modbus), to the refrigeration compressor network of the entire refrigeration supply (via BACnet), and to the other vehicle charging stations (via Modbus). This common and widespread use of unsecured connections supports potential cyberattacks and represents a large, poorly secured attack surface. For example, an attack could be carried out via the BACnet weather station, which is often poorly secured outdoors, or via BACnet room control units. Furthermore, an attack on a single system can have significant consequences for other systems. For example, an attack on the controller, which is located in the control cabinet of the ventilation system and is therefore more easily accessible, can also result in the de-icing of the access ramp being disabled, which also poses a significant risk of accidents.

3.3. Example 3, Composite Vulnerabilities

Following Nge et al. [8], who had already identified the direct connection between the smart grid, the energy management system, and the HVAC system as a potential threat, such scenarios are also being implemented in practice. For example, energy meters are connected directly to the controller via unsecured protocols (M-Bus, Modbus, BACnet, etc.), which are then often directly connected to enterprise dashboards or cloud solutions. On the one hand, this makes cyberattacks on unsecured protocols easier, and on the other hand, the connections to cloud solutions and enterprise networks make it much easier to spread malware.

3.4. Example 4, Hybrid Threats

In buildings, there are usually one or two large air handling units supplying the whole building with fresh air (such as classrooms, event rooms, offices, patient rooms, exhibition rooms, etc.). These air handling units are often equipped with an outside air intake at floor level, which represents a major vulnerability. This allows potentially harmful or lethal gases to be placed near the intake of the ventilation system, causing significant damage and even life-threatening situations without much effort. While this example does not refer to sensors in unprotected areas or unsecured data transmission, it clearly demonstrates the vulnerability of ventilation systems to hybrid attacks. The deployment of sensors within the intake tract, capable of detecting noxious gases, has the potential to serve as a partial countermeasure against such attacks. However, there is a high risk that the harmful gases will be detected too late or not at all, as the sensors cannot respond to all dangerous gases. Consequently, the most rational approach would be to install the intake ducts in inaccessible areas, though this frequently results in elevated installation costs.

4. Methodology

The overall aim was to find literature that can help to improve the security of buildings with building automation systems. Methods from other areas were analyzed and then projected onto the security of buildings in general. The security of buildings in this work is to be considered holistically, in order to be able to evaluate as many vulnerabilities as possible.

4.1. Design of the Literature Review

Firstly, the current state of the art in building automation was determined with the aim of demonstrating the implementation or non-implementation of various security mechanisms. This analysis then served as the basis for the applicability of the further topics of investigation. Figure 3 shows the areas reviewed in literature and their categorization into real-world scenarios, adoption of standardized vulnerability databases, fieldbus systems, protocols and standards, composite vulnerabilities, hybrid and asymmetric threats and weaknesses, and intrusion detection systems. The authors created the categorization in an iterative process based on the literature examined, which ultimately resulted in these categories. Different and contradictory approaches are demonstrated in the following sections, as well as their compatibility with the analyzed domains.

4.2. Review Method and Selection Process

The search areas were intentionally chosen broadly to cover as many areas as possible that could contain information about composite, interrelated, interlinked, hybrid, and asymmetric vulnerabilities or weaknesses. The articles were first selected on the basis of the title; if the title qualified for inclusion, further selection was made on the basis of the abstract. The articles were analyzed independently and primarily by the first author of this review. In instances of uncertainty, the second author was approached for consultation. No automation tools were used in the review process. Figure 4 shows the methodological process and the desired result of each sub-step.

4.3. Inclusion and Exclusion Criteria

In order to keep the search scope as broad as possible, the following types of literature were analyzed: books, conference papers, government documents, journal articles, legal rules or regulations, reports, standards, electronic articles, online databases, newspaper articles, press releases, and webpages. No inclusion or exclusion criteria were defined for authors, the cite score, or geographical affiliation. Because of the longevity of BASs [32], no time restriction was set for the initial searches in order to obtain an overview of the relevant areas. However, if more recent literature on the same topic was available, the more recent literature was favored.

4.3.1. Further Inclusion Criteria

  • Literature addressing composite, interrelated, or interlinked vulnerabilities in the context of CPS, ICT, ICS, and BAS.
  • Literature addressing hybrid or asymmetric threats or vulnerabilities in the context of CPS, ICT, ICS, and BAS.
  • Literature related to hybrid or asymmetric warfare in connection with CPS, ICT, ICS, and BAS.

4.3.2. Further Exclusion Criteria

  • Literature regarding safety, natural hazards, or events such as floods, storms, earthquakes, avalanches, and similar.
  • Literature related to terrorist attacks, unless it explicitly fell under the above-mentioned categories and was relevant in the context of the article being analyzed.
  • Literature in the context of data privacy or GDPR (General Data Protection Regulation).
  • Non-indexed government documents, journal articles, legal rules or regulations, reports, standards, and preprints, in order to ensure accessibility and academic rigor.
  • Only reports written in English or German were analyzed. Reports in all other languages were excluded.

4.4. Search Procedure

The platform used in the initial searches was Google Scholar, as it also performs a search in established research platforms and offers broader coverage across different disciplines [33]. For further, more detailed research on the specific topics, a separate search was then carried out via the following sources: eBook Collection (EBSCOhost), Science Direct, IEEE Xplore, Scopus, and Web of Science. A total of 131 search strings were applied, which were then used in the various search queries on the respective topics. The initial search terms were taken from relevant literature on the subject of security in building automation, smart buildings, and intelligent buildings [22,34,35,36,37].

4.5. Data Extraction and Presentation

Due to the diversity of the areas analyzed, the literature extracted was summarized in six categories. This was intended to provide a better overview and summarize the most important topics and current trends in the literature.

4.6. Quality Declaration

The review was mostly conducted following the PRISMA framework guidelines and the quality criteria and checklists of the PRISMA framework [38]. The corresponding flow diagram is shown in Figure 5. Because of the partially semi-structured approach, there is a possibility that the results may be distorted, as not all areas of literature on the topic of security in buildings with building automation were necessarily found. This bias was counteracted by analyzing all the reports examined for evidence of other threats or vulnerabilities related to buildings.
A total of 1150 documents were identified for examination, of which 87 are referenced in this review. The reasons for exclusion are listed in Figure 5:
  • Reason 1: The inclusion criteria have not been fully met.
  • Reason 2: Exclusion criterion: Literature regarding safety, natural hazards, or events such as floods, storms, earthquakes, avalanches, and similar.
  • Reason 3: Exclusion criterion: Literature in the context of data privacy or GDPR.
  • Reason 4: Other reasons for exclusion according to the exclusion criteria.

5. Results of the Literature Review

Table 1 shows the summary of the extracted literature and its categorization. The following sections provide more detail on the respective topics.

5.1. Occurrences of Real-World Scenarios in the Literature

Articles in the CPS area on threat classification or vulnerabilities related to asymmetry are rare, appearing in only 8 out of 29 articles examined. This is essentially also supported by [39], who suggests that it is important to taxonomize asymmetries in order to better understand how to deal with the corresponding vulnerabilities. Some approaches on new attack vectors for BASs have been made [40]. In the area of IoT, further contributions deal with the adaptation of existing, standardized databases [41,42] that can be followed up and adopted in regards to BASs.
The reviewed literature is distributed almost equally across the areas of ICS, ICT, and CPS, as shown in Figure 6. In terms of practical applicability, the distribution of real-world scenarios is interesting, as shown in Figure 7. Real-world examples and real-world test scenarios together occur in less than 50% of the literature examined, so the theoretical treatment of vulnerabilities, weaknesses, and threat scenarios predominates, which is essentially confirmed by [31].

5.2. Adoption of Standardized Vulnerability Databases for CPS and BAS

Looking at the Common Vulnerability Scoring System (CVSS) [43] or the National Vulnerability Database (NVD) [44], a problem with the various vulnerabilities and their classification is that the information content is sometimes difficult to understand for CPS operators. Often the vulnerabilities are described rather vaguely as information break, distorted input value, channel weakness, or similar, which sometimes has little practical significance, allows little conclusion about the effect or the source, or simply lacks the context of the application [28]. These designations usually originate from computer technology and pose great challenges for CPS or BAS operators in terms of understanding the statements, as these statements are too focused on the area of network technology or general IT [45]. Without appropriately trained personnel or corresponding specialist departments, such vulnerability reports are therefore mostly useless for CPS and BAS owners, or their informative value can usually not be interpreted appropriately and is even less often implemented in countermeasures. In their current form, these databases are therefore rather unsuitable for use in the BAS area.

5.3. Fieldbus Systems, Protocols and Standards in BAS with Regard to Security

5.3.1. Analysis of Fieldbus Systems Used in Relation to Their Security

In the context of ICT, Supervisory Control and Data Acquisition (SCADA), and Distributed Control System (DCS), the National Institute of Standards and Technology (NIST) created an overview of all the corresponding threats and vulnerabilities and provides guidelines to mitigate the associated risks [46]. There is a comprehensive survey of Industrial Internet of Things (IIoT) protocols [42], which is also applicable to some parts of building automation. However, their focus was on IIoT and thus many protocols used in building automation were not investigated. This gap was closed by analyzing 108 protocols and fieldbus systems used in BAS and their implementation of security mechanisms. Figure 8 shows that only 19 of the 108 protocols and fieldbus systems analyzed have implemented security by design and 11 of them have the option of selecting a security mechanism. The vast majority of fieldbus systems, protocols and standards used in building automation can be classified as insecure, at 62%. It should be noted that 42 of the examined protocols are proprietary systems. In these systems, the data transmission protocol is the intellectual property of the manufacturer and is therefore not disclosed. While this increases security to some extent, it does not match the security of a transmission protocol with a built-in encryption mechanism. This suggests that secure systems do exist and can be implemented in practice, but the majority of currently installed systems require significant improvement in terms of fieldbus security.
Furthermore, the potential penetration path via discovery tools has not yet been considered in the literature. Table 2 shows that 15 of the 108 bus systems analyzed enable automatic detection of all bus devices and usually also all of their objects, including the control and regulation parameters. This means that, for BACnet as an example, the ‘Who-Has’ service can be used to determine where certain devices or objects are located without having to know the exact addresses of all devices in the network. Together with the ‘Who-Is’ command, the ‘Who-Has’ service helps to determine the network addresses and object IDs of objects that are located in other BACnet devices. Most protocols also offer the option of transporting their messages via TCP/IP packets. In practice, this leads to cases where smart sensors in unprotected areas are connected via two-wire bus systems and then connected directly to the OT via gateways using TCP/IP. In addition, they are often also connected directly to the organization’s IT network, as described in Section 3.1 and shown in Figure 2.
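Because the Who-Is and Who-Has services described above are unconfirmed broadcasts, a defender can see them on the wire. The following is an added example for this review, not code from the paper: a small BACnet/IP parser that walks the BVLC, NPDU and APDU headers of a UDP datagram, recognizes the discovery service choices, and flags discovery requests that come from a host outside an allowlist of management-layer stations or that repeat within a short window. The captured datagrams and the allowlist are constructed sample data.

```python
"""Flag BACnet/IP discovery traffic (Who-Is / Who-Has) in captured datagrams.

Added example for this review, not code from the paper. The datagrams in
SAMPLE_CAPTURE and the allowlist in ALLOWED are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# BACnet/IP framing constants (ASHRAE 135: Annex J BVLC, clause 6 NPDU, clause 20 APDU)
BVLC_TYPE = 0x81
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
NPDU_VERSION = 0x01
PDU_TYPE_UNCONFIRMED = 0x10
SERVICE_I_AM, SERVICE_I_HAVE, SERVICE_WHO_HAS, SERVICE_WHO_IS = 0x00, 0x01, 0x07, 0x08
DISCOVERY_SERVICES = {SERVICE_WHO_IS: "Who-Is", SERVICE_WHO_HAS: "Who-Has"}


@dataclass
class Datagram:
    src: str        # source IP address (constructed sample value)
    ts: float       # capture timestamp in seconds
    payload: bytes  # UDP payload as received on port 47808


def parse_unconfirmed_service(payload: bytes):
    """Return the unconfirmed-service choice of a BACnet/IP datagram, else None.

    Handles Original-Unicast/Broadcast-NPDU BVLC functions only; malformed or
    truncated input returns None instead of raising.
    """
    if len(payload) < 4 or payload[0] != BVLC_TYPE:
        return None
    func, length = payload[1], int.from_bytes(payload[2:4], "big")
    if func not in (BVLC_ORIGINAL_UNICAST, BVLC_ORIGINAL_BROADCAST) or length != len(payload):
        return None
    npdu = payload[4:]
    if len(npdu) < 2 or npdu[0] != NPDU_VERSION:
        return None
    control, idx = npdu[1], 2
    if control & 0x20:                      # destination specifier: DNET(2) DLEN(1) DADR(DLEN)
        if len(npdu) < idx + 3:
            return None
        idx += 3 + npdu[idx + 2]
    if control & 0x08:                      # source specifier: SNET(2) SLEN(1) SADR(SLEN)
        if len(npdu) < idx + 3:
            return None
        idx += 3 + npdu[idx + 2]
    if control & 0x20:                      # hop count follows when DNET is present
        idx += 1
    if control & 0x80:                      # network-layer message, no APDU
        return None
    apdu = npdu[idx:]
    if len(apdu) < 2 or (apdu[0] & 0xF0) != PDU_TYPE_UNCONFIRMED:
        return None
    return apdu[1]


def flag_discovery(datagrams, allowed_sources, window_s=60.0, threshold=3):
    """Return (src, service, reason) findings for suspicious discovery requests.

    Rule 1: discovery from a host that is not an allowlisted management station.
    Rule 2: `threshold` discovery requests from one host inside a sliding window,
    which looks like enumeration rather than routine device binding.
    """
    findings, history = [], defaultdict(list)
    for d in sorted(datagrams, key=lambda x: x.ts):
        service = parse_unconfirmed_service(d.payload)
        if service not in DISCOVERY_SERVICES:
            continue
        name = DISCOVERY_SERVICES[service]
        if d.src not in allowed_sources:
            findings.append((d.src, name, "discovery from non-allowlisted source"))
        hist = history[d.src]
        hist.append(d.ts)
        hist[:] = [t for t in hist if d.ts - t <= window_s]
        if len(hist) == threshold:
            findings.append((d.src, name, f"{threshold} discovery requests within {window_s:.0f}s"))
    return findings


# Constructed datagrams: global Who-Is, Who-Has by object name "AHU1", an I-Am reply,
# and a confirmed ReadProperty request (not a discovery service).
WHO_IS_GLOBAL = bytes.fromhex("810b000c0120ffff00ff1008")
WHO_HAS_AHU1 = bytes.fromhex("810b00120120ffff00ff10073d0041485531")
I_AM = bytes.fromhex("810a001401001000c4020000012201e09100210f")
READ_PROPERTY = bytes.fromhex("810a001101040005010c0c020000011955")

SAMPLE_CAPTURE = [
    Datagram("10.10.1.5", 0.0, WHO_IS_GLOBAL),    # BMS workstation: routine binding
    Datagram("10.10.1.200", 1.0, I_AM),
    Datagram("10.10.7.33", 5.0, WHO_IS_GLOBAL),   # unknown host on a field segment
    Datagram("10.10.7.33", 6.0, WHO_HAS_AHU1),
    Datagram("10.10.7.33", 7.5, WHO_IS_GLOBAL),
    Datagram("10.10.1.5", 8.0, READ_PROPERTY),
]
ALLOWED = {"10.10.1.5"}  # assumed management-layer stations permitted to discover


def run_sample():
    return flag_discovery(SAMPLE_CAPTURE, ALLOWED)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed capture, the workstation's single Who-Is passes, while the unknown host on the field segment is reported three times for the allowlist rule and once more for reaching three discovery requests inside the window. Adding a network-layer message (bit 7 of the NPDU control byte) or a confirmed request yields None from the parser, so only genuine discovery services are counted.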

5.3.2. Security Strategies at the Field- and Automation Layers

In principle, the implementation of security mechanisms in fieldbus systems already significantly increases security. For example, implementing data encryption would make it significantly more difficult or even impossible to infiltrate malicious devices or eavesdrop [47,48,49]. This is already possible with BACnet Secure or KNX Secure, for example, but is rarely implemented in existing installations. Furthermore, relevant stakeholders still lack knowledge of how to implement BACnet Secure or KNX Secure. In access control systems, for example, switching to mutual authentication between the card and the reader, or encrypted data transmission for read/write access, would also increase security. The drawback is that such implementations are expensive, so they are usually not implemented in existing installations. Considering the longevity of BASs [32], security mechanisms at the field and automation layers are not usually implemented or added to existing systems, only being implemented when the systems are replaced.

5.4. Composite Vulnerabilities in Relation to CPS, ICT, ICS, IoT, and BAS

5.4.1. Literature Around Composite Vulnerabilities in the BAS, CPS, ICT, and ICS Areas

Considering BAS as a ‘system of systems’ with the many connections within the layers and also among each other and between the various trades, new vulnerabilities can arise that are ignored or do not occur when the systems are considered individually. This perspective was taken up by Ciholas et al. [20] in the higher-level context of CPSs. The resulting system vulnerabilities are referred to as ‘composite vulnerabilities’. It is also noted that organizations such as NIST (National Institute of Standards and Technology), CPNI (Centre for Protection of National Infrastructure), and similar entities have not yet addressed this subject, or have only focused on individual vulnerabilities in their publications, or have used an IDS (Intrusion Detection System) to focus on attacks that are already in progress. New vulnerabilities that can result from the aggregation of different systems or individual vulnerabilities were named ‘emergent vulnerabilities’ [50]. The authors of [50] try to counteract this complexity of systems from different points of view, for example, by considering the adversary goals, existing cyber and threat databases, or attack-centric analysis. In the area of information systems, Qu et al. [51] mention that there is no way to objectively measure composite vulnerabilities. Besides their general observation that there are currently no established systems for measuring interrelated vulnerabilities in information systems, they point out that there are already established methods for measuring individual, independent vulnerabilities such as the CVSS or the NVD. However, in their specific example, they found that CVSS is not able to measure composite vulnerabilities.
Also in the context of composite vulnerabilities, but not mentioning the term explicitly, refs. [32,35] mention the use of smart sensors and actuators that are connected to the automation layer via a bus system like KNX, BACnet, LON, etc. They point out that the possibility of local access to these bus systems leads to considerable vulnerabilities at the field layer, especially since smart sensors and actuators are often installed in unsecured areas [52,53]. This observation is particularly interesting in conjunction with the study by Ciholas et al. [52], who point to the penetration of threats between the three layers in a BAS during attacks. This can mean that attacks carried out in the often unsecured field layer can lead to the distribution of malware throughout the BAS network. This is in contrast to Brooks et al. [28], who state that local access to field devices only creates local vulnerabilities limited to small parts of the BAS.

5.4.2. Literature Around Composite Vulnerabilities in the IoT Area

In the field of IoT, the networking of many different devices is a fundamental issue and has already been addressed in the literature. For example, conflicting rules between different devices are identified as a source of vulnerabilities: mutual influence, vulnerabilities arising from interaction between devices, and inter-rule vulnerabilities are cited as potential threats [54,55]. When the BAS is compared with IoT, however, these vulnerabilities are relatively minor in the context of building automation, since the control rules for automation applications are typically developed by qualified experts, and the control requirements are thought through in advance by planners or end customers and documented accordingly. Vulnerabilities nevertheless remain due to the networking of different devices, including the potential impact of an attack on all devices in a control network, which essentially corresponds to the principle of composite vulnerabilities. The issue of diversity among numerous manufacturers, whose hardware and sensor technology are frequently found to be insecure, is also recognized in the IoT context and has already been addressed in the extant literature. Specifically, ref. [29] describes how data received from other manufacturers' components is often assumed to be trustworthy, even though it is usually exchanged via unsecured protocols, as demonstrated in Section 5.3. This gives rise to the problem that hardware-based attacks on CPSs allow attackers to impersonate authenticated and privileged users, and suggests the potential for damaging the system without leaving many traces. In the context of building automation, this poses the risk that untested manufacturers or suppliers may be integrated into larger systems without the presence of appropriate system integrators who could monitor these processes [28].
With regard to the use of contemporary techniques, Cimino and Deufemia [55] employ LLMs (Large Language Models) to identify and counteract conflicting or mutually influential control rules. No literature was found in the field of building automation that uses LLMs or other AI (artificial intelligence) models to increase security, with the exception of IDSs used to detect anomalies, which are discussed in Section 5.6. At present, AI models are predominantly employed in BASs for predictive maintenance and the optimization of control strategies, for example [56].
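The inter-rule vulnerability discussed above can be made concrete without an LLM. The following Python example is added here for illustration; it is not code from any of the reviewed works. It assumes a simplified rule model (constructed for the example) in which a rule fires when every named sensor lies inside a band and then commands one actuator to one state, and it reports rule pairs that can fire simultaneously yet drive the same actuator to different states. The security relevance is that a single spoofed field-layer input (here the window contact or the fire alarm) is enough to select which of two conflicting rules wins.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Tuple

# Hypothetical rule model (assumption for this example): a rule fires when
# every listed sensor reading lies inside its [low, high] band, and then
# commands one actuator to one state.
@dataclass
class Rule:
    name: str
    conditions: Dict[str, Tuple[float, float]]   # sensor -> (low, high)
    actuator: str
    state: str


def _overlap(a: Tuple[float, float], b: Tuple[float, float]) -> bool:
    # Two closed intervals overlap unless one lies entirely beside the other.
    return a[0] <= b[1] and b[0] <= a[1]


def conditions_can_cooccur(r1: Rule, r2: Rule) -> bool:
    """True if some set of sensor readings satisfies both rules' triggers.
    A sensor named by only one rule does not constrain the other rule."""
    for sensor, band in r1.conditions.items():
        other = r2.conditions.get(sensor)
        if other is not None and not _overlap(band, other):
            return False
    return True


def find_conflicts(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Rule pairs that can fire together yet command the same actuator to
    different states, i.e. inter-rule conflicts an attacker can steer."""
    conflicts = []
    for r1, r2 in combinations(rules, 2):
        if (r1.actuator == r2.actuator and r1.state != r2.state
                and conditions_can_cooccur(r1, r2)):
            conflicts.append((r1.name, r2.name, r1.actuator))
    return conflicts


# Constructed rule set for a single room; not taken from a real installation.
SAMPLE_RULES = [
    Rule("heat_when_cold", {"room_temp": (-50.0, 19.0)}, "radiator_valve", "open"),
    Rule("close_valve_window_open", {"window_contact": (1, 1)}, "radiator_valve", "closed"),
    Rule("night_setback", {"hour": (22, 23), "room_temp": (-50.0, 21.0)}, "radiator_valve", "closed"),
    Rule("cool_when_hot", {"room_temp": (26.0, 60.0)}, "ahu_cooling", "on"),
    Rule("fire_alarm_stop_ahu", {"fire_alarm": (1, 1)}, "ahu_cooling", "off"),
]

if __name__ == "__main__":
    for a, b, actuator in find_conflicts(SAMPLE_RULES):
        print(f"conflict on {actuator}: '{a}' vs '{b}'")
```

Each reported pair needs an explicit priority decided by the system integrator; a rule that depends on a single unauthenticated contact input (window, fire alarm) should not silently override a rule that keeps the plant in a safe state.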

5.4.3. Strategies to Mitigate Composite Vulnerabilities in BASs

Composite vulnerabilities arise from the connection of different systems: data from a falsified or manipulated source can cause damage in another target system. Figure 9 shows a detailed diagram of the diverse data connections between the various devices, marked in red. It demonstrates that the multiple connections between devices at different layers could make it quite easy to spread malware, and it illustrates the increased attack surface caused by the numerous bus systems used in building automation. Given these unprotected data sources, introducing trust relationships would allow source data to be integrated into the overall system in a verified manner. One option is the use of certificates to secure communication from the field layer through the automation layer to the management or enterprise layer; for example, BACnet/SC enables secure communication at the field layer [48,49], but this would apply only to the HVAC sector. Another option would be to divide the various providers into many, very small network segments [24,57]. This usually involves significant administrative effort, however, is limited to the IP network level, and does not extend to the field layer. In order to better protect the diversity of systems used in building automation as a whole, a position should be created that deals with all systems, their integration, and their data connections. One such function would be the system integrator [48], who monitors all systems and not only checks and approves security-related functions but also considers conflicting rules [54,55]. It should also be noted that in high-security applications such as data centers or military facilities, this function is sometimes performed by security planners. Such planners, however, usually consider many aspects of building automation, such as heating systems, to be irrelevant to security and thus ignore potential threats, which are discussed separately in Section 5.5.
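A trust relationship of the kind described above, reduced to its essentials, is shown in the following Python example. It is added here for illustration and is not code from the reviewed literature or from any BACnet/SC implementation. Where BACnet/SC uses TLS and certificates, the example stands in a per-device shared secret (HMAC-SHA256) so that it runs with the standard library only; device identifiers, keys, and readings are constructed for the example. The point it demonstrates is the ingress check at the management layer: a reading reaches the control logic only if it carries a valid authenticator from a known device and a sequence number that has not been seen before, so tampered, forged, and replayed field-layer data are rejected before they can propagate.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed per-device secrets. A real deployment would provision these
# (or certificates) through the system integrator, never hard-code them.
DEVICE_KEYS: Dict[str, bytes] = {
    "temp-sensor-0421": b"k" * 32,
    "window-contact-17": b"w" * 32,
}


def _canonical(device_id: str, seq: int, value: float) -> bytes:
    # Fixed field order and separators so signer and verifier MAC identical bytes.
    payload = {"id": device_id, "seq": seq, "v": value}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id: str, seq: int, value: float, key: bytes) -> dict:
    """Gateway/field side: attach an HMAC over the canonical reading."""
    tag = hmac.new(key, _canonical(device_id, seq, value), hashlib.sha256).hexdigest()
    return {"id": device_id, "seq": seq, "v": value, "mac": tag}


class TrustGate:
    """Management-layer ingress: only readings with a valid MAC from a known
    device and a strictly increasing sequence number reach the control logic."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys
        self.last_seq: Dict[str, int] = {}

    def accept(self, msg: dict) -> Tuple[bool, str]:
        key = self.keys.get(msg.get("id", ""))
        if key is None:
            return False, "unknown device"
        expected = hmac.new(key, _canonical(msg["id"], msg["seq"], msg["v"]),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison; check authenticity before freshness so a
        # forged message cannot advance the sequence counter.
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False, "bad mac"
        if msg["seq"] <= self.last_seq.get(msg["id"], -1):
            return False, "replay"
        self.last_seq[msg["id"]] = msg["seq"]
        return True, "ok"


def demo():
    gate = TrustGate(DEVICE_KEYS)
    key = DEVICE_KEYS["temp-sensor-0421"]
    good = sign_reading("temp-sensor-0421", 1, 21.5, key)
    tampered = dict(good, v=-40.0)                         # value rewritten on the bus
    replay = dict(good)                                    # same frame sent again
    forged = sign_reading("temp-sensor-0421", 2, 21.0, b"guess" * 6)  # wrong key
    unknown = sign_reading("temp-sensor-9999", 1, 21.0, b"x" * 32)    # unprovisioned device
    return [gate.accept(m) for m in (good, tampered, replay, forged, unknown)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Sequence numbers must persist across restarts of the verifier, otherwise the replay check is void after every reboot; a monotonic counter stored with the device record is the usual answer.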
Figure 9. A practical example of devices and their connections between layers that are often unprotected.

5.5. Hybrid and Asymmetric Warfare Related to CPS, ICT, ICS, and BAS

5.5.1. Literature Related to Hybrid and Asymmetric Warfare in Connection with CPS, ICT, ICS, and BAS

Relevant asymmetric challenges have so far been studied extensively, albeit from different angles, only by the defense [58,59] and cyber-security [60] research communities. Asymmetric tactics are an important part of the history of warfare; Miles [61], for example, emphasizes the need to identify the opponent's strengths and weaknesses and to exploit them accordingly. It has been established that nations, organizations, and individuals have either discovered opportunities to use ICT to benefit from asymmetric weaknesses or, conversely, are themselves threatened by asymmetric weaknesses [62]. The North Atlantic Treaty Organization (NATO) defines hybrid threats rather generally, including all asymmetric conflict scenarios, low-intensity threats, cyber-terrorism, organized cyber-crime, and others [19]. Owing to the relatively recent and rapid developments in this area, the building automation community has yet to address it.
Noting the increasing integration level of automation systems, Mahmoud and Xia [18] point out that insecurities of the physical layer are intertwined with the design of the application controller, and that both must be considered in the design of the security policy for the entire system. Their call to look at the whole system was also investigated by [63] in relation to asymmetric warfare. They found that aggressors with a massive resource disadvantage will utilize asymmetric techniques to the maximum, where asymmetric techniques are defined as those achieving the best 'cost-benefit ratio'. Attackers therefore only have to look for the weakest point in the entire system, which often means that even the most experienced defenders cannot correctly assess the situation in an attack scenario. In the context of CPSs, this topic was taken up by Gupta et al. [64], whose work analyzes a Denial of Service (DOS) attack on a CPS by formulating the behavior of attacker and defender mathematically, as far as possible, so that a corresponding simulation can be carried out. They also showed that the scientific community has become increasingly interested in the many facets of securing CPSs in recent years.

5.5.2. Literature Related to Asymmetrical or Hybrid Weaknesses in Connection with CPS, ICT, ICS, and BAS

In recent years, the term 'asymmetric weaknesses', also applied to threats or vulnerabilities and called 'hybrid threats' in the context of CPS and ICT, has come into use [65,66]. Asymmetry is also cited in relation to the information asymmetry between attacker and defender, mostly in reports addressing general IT security issues [67,68]. A start was made on taxonomizing the concept of asymmetry in a literature review, not in relation to CPS or ICT, but with a focus on security and privacy in networks [69]. With regard to CPS, there is already a sound approach to identifying system weaknesses using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) and evaluating the associated risk using DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) [70], in which potential system interdependencies and asymmetric threats were also taken into consideration. However, the approach is theoretical, and no real-world scenarios are explicitly cited or analyzed. Furthermore, no study was found that links asymmetric or hybrid threats to BASs.
Considering the BAS and the limited resources of its field devices (memory, computing capacity, power, etc.) [21], it is currently not possible to implement sophisticated, up-to-date security mechanisms on them [47]. This introduces another factor of asymmetry, namely the difference between the layers of a building automation system, which can itself be regarded as asymmetry [65]. This is broadly in line with [52,53,71], who note that field devices are often located in unsecured areas, leading to further asymmetry in the attack surface of a BAS: the number of possible physical entry points via BAS devices in unsecured areas is higher than via devices in secured areas. A perpetrator thus has several points of attack through which to reach the BAS behind the device, or even multiple systems if the BAS is connected to them [24,25]. In addition, modern fieldbus systems are usually also available at the IP level [72], which carries the vulnerabilities of the field layer up to the IP layer or even the enterprise network [73] if the transition is not appropriately secured by firewalls or gateways.
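One cheap check for the last point, the field layer leaking into the IP or enterprise network, is to audit flow records for fieldbus protocols that cross a segment boundary. The following Python example is added here for illustration and is not code from the reviewed literature. It assumes a constructed flow-record format and constructed address ranges for the automation and enterprise segments; the port numbers are the registered defaults for BACnet/IP (UDP 47808), KNXnet/IP (UDP 3671), and Modbus/TCP (TCP 502). Any fieldbus flow with an endpoint outside the automation segment is reported, whether it comes from an enterprise workstation, from the Internet, or leaves the site.

```python
import ipaddress
from typing import Dict, List, Tuple

# Fieldbus/OT protocols that should stay inside the automation segment,
# keyed by (transport, default destination port).
FIELDBUS_PORTS: Dict[Tuple[str, int], str] = {
    ("udp", 47808): "BACnet/IP",
    ("udp", 3671): "KNXnet/IP",
    ("tcp", 502): "Modbus/TCP",
}

# Constructed segment plan; the address ranges are assumptions for the example.
SEGMENTS = {
    "automation": ipaddress.ip_network("10.10.0.0/24"),
    "enterprise": ipaddress.ip_network("10.20.0.0/16"),
}


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> dict:
    """Flow record format assumed here: '<src_ip> <dst_ip> <proto> <dst_port>'."""
    src, dst, proto, port = line.split()
    return {"src": src, "dst": dst, "proto": proto.lower(), "port": int(port)}


def audit_flows(lines: List[str]) -> List[str]:
    """Report fieldbus traffic with at least one endpoint outside the
    automation segment, i.e. field-layer protocols crossing a trust boundary."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        proto_name = FIELDBUS_PORTS.get((flow["proto"], flow["port"]))
        if proto_name is None:
            continue  # not a fieldbus protocol; out of scope for this check
        src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
        if src_seg == dst_seg == "automation":
            continue  # confined to its own segment, as expected
        findings.append(f"{proto_name} {flow['src']}({src_seg}) -> {flow['dst']}({dst_seg})")
    return findings


# Constructed flow records; not from a real capture.
SAMPLE_FLOWS = [
    "10.10.0.5 10.10.0.9 udp 47808",     # controller to controller inside automation: fine
    "10.20.3.14 10.10.0.9 udp 47808",    # enterprise workstation speaks BACnet to a controller
    "10.10.0.9 203.0.113.7 udp 3671",    # KNXnet/IP leaving the site
    "10.20.3.14 10.20.1.1 tcp 443",      # ordinary enterprise HTTPS: ignored
    "198.51.100.2 10.10.0.7 tcp 502",    # external host reaching Modbus/TCP
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print("boundary crossing:", finding)
```

Run against exported firewall or NetFlow logs, the same check turns the segmentation recommendation of Section 5.4.3 into something that can be verified continuously rather than assumed.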

5.5.3. Strategies to Mitigate Hybrid or Asymmetrical Weaknesses in BASs

From warfare [59] and CPS [64], it is known that assessing and defending against hybrid threats is a complex process that usually involves many different areas. The literature on CPS and neighboring areas is still developing. The Common Weakness Enumeration [36], NIST [44], and ENISA [74] have started working with Threat Modelling Methods (TMMs), which cover hybrid threat scenarios only to a limited extent. Since these only partially cover hybrid threats or are not directly or easily applicable to CPS, ref. [75] attempted to apply the topic of hybrid threats to the area of ICS using STRIDE [10], the CVSS framework [43], and other methods. With reference to BASs specifically, possible methods for mitigating hybrid threats would be based on the examples cited in the above literature. For example, access to unsecured fieldbuses could be prevented more effectively by consistently locking all web servers, gateways, and connection terminals, both inside and outside the building. However, building automation also includes many smart sensors, such as room temperature sensors, light switches, bus couplers, and weather stations, which are very difficult to protect against unauthorized access. These would then have to be separated, as also mentioned in Section 5.4.3, ideally into very small, structured networks, in order to minimize the damage in case of an attack or to limit it to smaller system areas. In contrast, considering the attack on the outside air intake system cited in example 4, locating the intake ducts on the roof or in inaccessible areas would be a possible strategy to minimize such a risk. Installing sensors in the air intake tract that detect harmful or lethal gases would be of little use in such cases: for detection to occur, the gas would already need to have entered the ventilation unit, which could cause damage even if the ventilation system were immediately shut down and the outside air dampers closed.
Such points would need to be considered during the system planning phase as part of a 'security by design' approach, because changes to existing systems are usually too costly to implement. As a simple immediate measure, facility management staff and other stakeholders who influence building security could be trained on such threats in order to create appropriate awareness. An expert survey is planned to gain a better overview of hybrid threats to building automation. This survey will analyze the security practices of experts with significant influence over building automation security, with the aim of developing more appropriate measures to improve security.

5.6. Intrusion Detection Systems in CPS

There is also a clear trend towards the use of behavioral models of cyber-physical processes to detect intruders and cyber-attacks. Figure 10 shows that the idea of monitoring the system behavior of the entire physical process dates back to 2011, i.e., more than ten years [76], although the first reports still assumed that the attacker has access to the configuration system, which may not cover many attack scenarios. Shortly afterwards, around 2013, industry-standard machine learning methods were already being referenced for attack detection in ICT applications, which thus maps to a function of an IDS [77].
Intrusion detection systems are usually classified into three types: signature-based, which detect known, documented attack behavior; anomaly-based, which detect deviations from learned behavior using machine learning, including analysis of historical data; and hybrid, which combines signature- and anomaly-based detection [78]. Most current IDSs, which originate in the IT sector, focus on the behavior of network traffic, which is not sufficient for reliable detection of all attack vectors in a CPS [79,80]. This is also supported by Zhang et al. [78], who add that there are still too few studies on cyber security in relation to process data. For the building automation area, the literature review has shown that there is no literature on behavioral analysis for anomaly detection, threat prevention, or intrusion detection. Implementing behavioral model analyses for use as an IDS has many advantages, especially in CPSs, where security is often an afterthought. This is frequently because security requirements are in conflict with functional requirements [81]; in addition, cost constraints often preclude security by design in the early stages of CPS planning.

5.7. Discussion on the Utilization of Behavioral Models in BASs

If security was not implemented by design, a behavior-model-based IDS could be used as a later workaround. The use of a digital twin in BASs as an IDS would be an interesting research direction, as the digital twin delivers situational awareness of the whole CPS or BAS. If a digital twin is already available in a BAS, e.g., for energy consumption modelling or predictive maintenance, the same model can serve as a basis for an IDS. No dedicated literature on this topic was found in this review. Table 3 provides an overview of existing research into behavioral models in the context of BASs.
With regard to security monitoring in BASs, Graveto et al. [22], for example, suggest using dedicated devices in addition to the control equipment already installed, which would then detect anomalies and potential attacks. This contrasts with most proposed IDS solutions, which are based on behavioral model analysis and would not be feasible to implement on BAS devices, as the limited memory, computing capacity, and power of devices at the field and automation layers are not sufficient for this purpose [21,47]. Beyond these limitations, behavioral models in building automation face further challenges, for example, the limited bandwidth of fieldbus systems, their high latency, and their highly variable network traffic due to many loosely coupled devices. This is partially confirmed by Jeffrey et al. [31], who point out that further research is necessary on more complex learning models in large and heterogeneous systems in order to achieve better recognition accuracy.
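The difference between a traffic-oriented IDS and a process-data behavioral model (Section 5.6) and the idea of reusing an existing plant model as a detector (Section 5.7) can both be shown with a very small example. The following Python code is added here for illustration; it is not code from the reviewed literature, and the first-order room thermal model, its parameters, and the two reading traces are constructed for the example rather than identified from a real building. The detector predicts the next room temperature from the previous reported value, the outside temperature, and the heating valve command, accumulates the residual (a CUSUM), and raises an alert when the accumulated residual leaves a band. A spoofed trace in which the field device keeps reporting the setpoint while the valve is closed and the outside is colder is physically impossible and is flagged within a few steps, even though every frame on the bus is well-formed and a network-level IDS would see nothing.

```python
from typing import Dict, List

# Hypothetical first-order thermal model of one room (parameters are
# assumptions for this example, not identified from a real building):
#   T[k+1] = T[k] + (DT / TAU) * (T_out[k] - T[k]) + GAIN * u[k]
# where u is the heating valve command in [0, 1].
DT = 60.0       # s between readings
TAU = 3600.0    # s, room thermal time constant
GAIN = 0.05     # K per step at full valve opening


def predict_next(t_now: float, t_out: float, u: float) -> float:
    """Model's expectation of the next room temperature reading."""
    return t_now + (DT / TAU) * (t_out - t_now) + GAIN * u


def detect(readings: List[float], outside: List[float], commands: List[float],
           threshold: float = 0.5) -> int:
    """Cumulative residual between what the field device reports and what the
    process model expects from the previous reading and the valve command.
    Returns the first step index at which the cumulative residual leaves the
    +/- threshold band, or -1 if the whole trace is physically consistent."""
    cusum = 0.0
    for k in range(1, len(readings)):
        expected = predict_next(readings[k - 1], outside[k - 1], commands[k - 1])
        cusum += readings[k] - expected
        if abs(cusum) > threshold:
            return k
    return -1


def run_scenarios() -> Dict[str, int]:
    steps = 20
    outside = [10.0] * steps      # constructed: mild outside temperature
    commands = [0.0] * steps      # valve closed throughout

    # Honest trace: the room cools as the model says, plus small sensor noise
    # (alternating sign, so the residual does not accumulate).
    honest = [21.0]
    for k in range(1, steps):
        noise = 0.02 if k % 2 else -0.02
        honest.append(predict_next(honest[-1], outside[k - 1], commands[k - 1]) + noise)

    # Spoofed trace: an attacker on the field bus replays the setpoint so the
    # controller keeps the valve closed. Every frame is well-formed, so a
    # traffic-only IDS has nothing to flag; the physics does not add up.
    spoofed = [21.0] * steps

    return {"honest": detect(honest, outside, commands),
            "spoofed": detect(spoofed, outside, commands)}


if __name__ == "__main__":
    print(run_scenarios())   # honest trace never alerts; spoofed trace alerts early
```

The threshold trades detection delay against false alarms from unmodelled effects (solar gain, open doors); in practice it is derived from the residual distribution of a known-good period, and the model itself can be the one already maintained for energy forecasting or predictive maintenance.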

5.8. Security Mechanisms from Other Areas

The field of CPS is broad, and the security mechanisms discussed in the literature are extensive. To cover as many potential security enhancements as possible, literature from the fields of smartphones, automotive technology, and sensor security was also sampled on a non-systematic basis, with the aim of investigating its applicability to building automation and identifying possible new areas of research. In the smartphone sector, for example, sensors are used for facial or iris recognition and fingerprint scanning, and many applications use two-factor or multi-factor authentication; other methods, such as the introduction of audio as a further authentication factor, are also being worked on [85,86]. Currently, such methods are difficult to implement in building automation systems due to limitations in computing and memory capacity, and the required sensor technology would incur significant costs [21]. Another relevant topic is that of side-channel attacks, which pose a threat to authentication systems that use fingerprint scanners or facial recognition technology; these threats are already documented in the literature on biometric authentication [87]. The same applies to sensor security in automotive technology, where physical attacks on sensors, for example those employed for license plate recognition, are currently being addressed in the literature. Of particular concern are attacks that use fluorescent materials, ultraviolet light, or laser light, as these can significantly disrupt detection with rudimentary means. The relevance of these attacks to building automation is negligible, however, and their transfer to such systems is difficult; moreover, given the variety of systems used in building automation, biometric authentication plays a rather minor role. Nonetheless, when acquiring such systems, it is imperative to pay particular attention to certified products in order to minimize the resulting hybrid threats.

6. Discussion and Conclusions

Asymmetric attacks and hybrid warfare are well understood in the military domain because they have been studied for decades. In comparison, the IT revolution is still very young and ongoing. From a scientific point of view, the taxonomy of cyber vulnerabilities is therefore still immature, and the process of categorization is not yet complete. In addition to security vulnerabilities in the cyber domain, buildings also have potential vulnerabilities in the physical domain that are intertwined with those in the cyber domain. Furthermore, when considering an integrated system such as the BAS, the social and organizational perspectives it encompasses must also be acknowledged.
This systematic review has shown that existing literature focuses predominantly on cyber, physical, or organizational vulnerabilities in isolation. The consideration of the entire CPS as a ‘system of systems’ with respect to security has been neglected to date. Specifically for building automation, as a subset of CPS, no literature was discovered. Considering the totality of BASs, their many different trades and their ever-increasing interconnectivity, the question arises as to what new vulnerabilities, which have not yet been investigated in the literature, could result from the combination of individual vulnerabilities. It is recommended that future research place greater emphasis on real-world scenarios, with a view to enhancing the robustness and reliability of behavioral models. In the context of hybrid threats, particular attention must be directed towards unprotected sensor technology.

Author Contributions

Conceptualization, K.D.; methodology, K.D.; validation, M.G.; formal analysis, M.G.; investigation, M.G.; resources, M.G.; data curation, M.G.; writing—original draft preparation, M.G.; writing—review and editing, K.D.; visualization, M.G.; supervision, K.D.; project administration, M.G. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author(s).

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
ACS  Access Control System
AHU  Air Handling Unit
AI  Artificial Intelligence
ASHRAE  American Society of Heating, Refrigerating, and Air-Conditioning Engineers
BAS  Building Automation System
CCTV  Closed-Circuit Television
CPNI  Centre for Protection of National Infrastructure
CPS  Cyber Physical System
CVSS  Common Vulnerability Scoring System
DCS  Distributed Control System
DDC  Direct Digital Control
DOS  Denial of Service
DREAD  Damage, Reproducibility, Exploitability, Affected Users, Discoverability
EPBD  Energy Performance of Buildings Directive
FTA  Fault Tree Analysis
GDPR  General Data Protection Regulation
HAZOP  Hazard and Operability Analysis
HVAC  Heating, Ventilation and Air Conditioning
IBs  Intelligent Buildings
ICS  Industrial Control System
ICT  Information and Communication Technology
IDS  Intrusion Detection System
IIoT  Industrial Internet of Things
IMECA  Intervention Mode Effects and Criticality Analysis
IoT  Internet of Things
IT  Information Technology
LAN  Local Area Network
LLMs  Large Language Models
NATO  North Atlantic Treaty Organization
NIST  National Institute of Standards and Technology
NVD  National Vulnerability Database
ODBC  Open Database Connectivity
OT  Operational Technology
RBD  Reliability Block Diagram
SBs  Smart Buildings
SCADA  Supervisory Control and Data Acquisition
SQL  Structured Query Language
STRIDE  Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
TCP/IP  Transmission Control Protocol/Internet Protocol
TMM  Threat Modelling Method
VMS  Video Management System

References

  1. Fan, C.; Xiao, F.; Yan, C. A framework for knowledge discovery in massive building automation data and its application in building diagnostics. Autom. Constr. 2015, 50, 81–90. [Google Scholar] [CrossRef]
  2. Bakakeu, J.; Schäfer, F.; Bauer, J.; Michl, M.; Franke, J. Building Cyber-Physical Systems—A Smart Building Use Case. In Smart Cities: Foundations, Principles, and Applications; Wiley: Hoboken, NJ, USA, 2017; pp. 605–639. [Google Scholar]
  3. Schmidt, M.; Åhlund, C. Smart buildings as Cyber-Physical Systems: Data-driven predictive control strategies for energy efficiency. Renew. Sustain. Energy Rev. 2018, 90, 742–756. [Google Scholar] [CrossRef]
  4. Perry, C. Smart Buildings: A Deeper Dive into Market Segments; American Council for an Energy-Efficient Economy: Washington, DC, USA, 2017; p. 82. Available online: https://www.aceee.org/ (accessed on 18 August 2021).
  5. Wong, J.K.W.; Li, H.; Wang, S.W. Intelligent building research: A review. Autom. Constr. 2005, 14, 143–159. [Google Scholar] [CrossRef]
  6. Delsing, J. Smart City Solution Engineering. Smart Cities 2021, 4, 643–661. [Google Scholar] [CrossRef]
  7. Tragos, E.Z.; Foti, M.; Surligas, M.; Lambropoulos, G.; Pournaras, S.; Papadakis, S.; Angelakis, V. An IoT based intelligent building management system for ambient assisted living. In Proceedings of the 2015 IEEE International Conference on Communication Workshop (ICCW), London, UK, 8–12 June 2015; pp. 246–252. [Google Scholar]
  8. Nge, C.L.; Ranaweera, I.U.; Midtgård, O.-M.; Norum, L. A real-time energy management system for smart grid integrated photovoltaic generation with battery storage. Renew. Energy 2019, 130, 774–785. [Google Scholar] [CrossRef]
  9. Marksteiner, S.; Exposito Jimenez, V.J.; Valiant, H.; Zeiner, H. An overview of wireless IoT protocol security in the smart home domain. In Proceedings of the 2017 Internet of Things Business Models, Users, and Networks, Copenhagen, Denmark, 23–24 November 2017; pp. 1–8. [Google Scholar]
  10. Khan, R.; McLaughlin, K.; Laverty, D.; Sezer, S. STRIDE-based threat modeling for cyber-physical systems. In Proceedings of the 2017 IEEE PES Innovative Smart Grid Technologies Conference Europe (ISGT-Europe), Torino, Italy, 26–29 September 2017; pp. 1–6. [Google Scholar]
  11. Aghemo, C.; Virgone, J.; Fracastoro, G.V.; Pellegrino, A.; Blaso, L.; Savoyat, J.; Johannes, K. Management and monitoring of public buildings through ICT based systems: Control rules for energy saving with lighting and HVAC services. Front. Archit. Res. 2013, 2, 147–161. [Google Scholar] [CrossRef]
  12. European Union. DIRECTIVE (EU) 2018_844 of 30 May 2018 amending Directive 2010_31_EU on the energy performance of buildings and Directive 2012_27_EU on energy efficiency. Off. J. Eur. Union 2016, 153, 20. [Google Scholar]
  13. Kastner, W.; Neugschwandtner, G.; Soucek, S.; Newman, H.M. Communication systems for building automation and control. Proc. IEEE 2005, 93, 1178–1203. [Google Scholar] [CrossRef]
  14. Hammadi, O.A.; Hebsi, A.A.; Zemerly, M.J.; Ng, J.W.P. Indoor Localization and Guidance Using Portable Smartphones. In Proceedings of the 2012 IEEE/WIC/ACM International Conferences on Web Intelligence and Intelligent Agent Technology, Washington, DC, USA, 4–7 December 2012; pp. 337–341. [Google Scholar]
  15. Kiliccote, S.; Piette, M.A.; Ghatikar, G.; Hafemeister, D.; Kammen, D.; Levi, B.G.; Schwartz, P. Smart Buildings and Demand Response. AIP Conf. Proc. 2011, 1401, 328–338. [Google Scholar] [CrossRef]
  16. Bushby, S.T. Information Model Standard for Integrating Facilities with Smart Grid. ASHRAE J. 2011, 53, B18–B22. [Google Scholar]
  17. Zhukabayeva, T.; Zholshiyeva, L.; Karabayev, N.; Khan, S.; Alnazzawi, N. Cybersecurity Solutions for Industrial Internet of Things–Edge Computing Integration: Challenges, Threats, and Future Directions. Sensors 2025, 25, 213. [Google Scholar] [CrossRef]
  18. Mahmoud, M.S.; Xia, Y. Cyberphysical Security Methods. In Networked Control Systems; Springer: London, UK, 2019; pp. 389–456. [Google Scholar]
  19. Bachmann, S.-D.O.V.; Gunneriusson, H. Terrorism and Cyber Attacks as Hybrid Threats: Defining a Comprehensive Approach for Countering 21st Century Threats to Global Risk and Security. J. Terror. Secur. 2013. [Google Scholar] [CrossRef]
  20. Ciholas, P.; Such, J.M. Composite Vulnerabilities in Cyber Physical Systems; Security Lancaster: Lancaster, UK, 2016; pp. 4–7. [Google Scholar]
  21. Merz, H.; Hansemann, T.; Hübner, C. Gebäudeautomation Kommunikationssysteme Mit EIB/KNX, LON und BACnet; Fachbuchverlag Leipzig: Leipzig, Germany, 2016; Volume 3. (In German) [Google Scholar]
  22. Graveto, V.; Cruz, T.; Simöes, P. Security of Building Automation and Control Systems: Survey and future research directions. Comput. Secur. 2022, 112, 102527. [Google Scholar] [CrossRef]
  23. Sinopoli, J. Advanced Technology for Smart Buildings; Artech House: Boston, MA, USA, 2016. [Google Scholar]
  24. Younus, M.U.; Islam, S.u.; Ali, I.; Khan, S.; Khan, M.K. A survey on software defined networking enabled smart buildings: Architecture, challenges and use cases. J. Netw. Comput. Appl. 2019, 137, 62–77. [Google Scholar] [CrossRef]
  25. Butzin, B.; Golatowski, F.; Timmermann, D. A survey on information modeling and ontologies in building automation. In Proceedings of the IECON 2017—43rd Annual Conference of the IEEE Industrial Electronics Society, Beijing, China, 29 October–1 November 2017; pp. 8615–8621. [Google Scholar]
  26. Macaulay, T. RIoT Control. In RIoT Control: Understanding and Managing Risks and the Internet of Things; Morgan Kaufmann: Burlington, MA, USA, 2017; p. 383. [Google Scholar]
  27. DiMase, D.; Collier, Z.A.; Chandy, J.; Cohen, B.S.; D’Anna, G.; Dunlap, H.; Hallman, J.; Mandelbaum, J.; Ritchie, J.; Vessels, L. A Holistic Approach to Cyber Physical Systems Security and Resilience. In Proceedings of the 2020 IEEE Systems Security Symposium (SSS), Crystal City, VA, USA, 1 July–1 August 2020; pp. 1–8. [Google Scholar]
  28. Brooks, D.J.; Coole, M.; Haskell-Dowland, P.; Griffiths, M.; Lockhart, N. Building Automation & Control Systems An Investigation into Vulnerabilities Current Practice & Security Management Best Practice; ASIS Foundation: Alexandria, VA, USA; Security Industry Association: Silver Spring, MD, USA; Building Owners and Managers Association: Washington, DC, USA, 2017; p. 220. [Google Scholar]
  29. Shwartz, O.; Cohen, A.; Shabtai, A.; Oren, Y. Inner conflict: How smart device components can cause harm. Comput. Secur. 2020, 89, 101665. [Google Scholar] [CrossRef]
  30. Leite, D.; Andrade, E.; Rativa, D.; Maciel, A.M.A. Fault Detection and Diagnosis in Industry 4.0: A Review on Challenges and Opportunities. Sensors 2024, 25, 60. [Google Scholar] [CrossRef] [PubMed]
  31. Jeffrey, N.; Tan, Q.; Villar, J.R. Using Ensemble Learning for Anomaly Detection in Cyber–Physical Systems. Electronics 2024, 13, 1391. [Google Scholar] [CrossRef]
  32. Mundt, T.; Wickboldt, P. Security in building automation systems—A first analysis. In Proceedings of the 2016 International Conference on Cyber Security And Protection of Digital Services (Cyber Security), London, UK, 13–14 June 2016; pp. 1–8. [Google Scholar]
  33. Harzing, A.-W.; Alakangas, S. Google Scholar, Scopus and the Web of Science: A longitudinal and cross-disciplinary comparison. Scientometrics 2015, 106, 787–804. [Google Scholar] [CrossRef]
  34. Coole, M.; Evans, D.; Brooks, D. A Framework for the Analysis of Security Technology Vulnerabilities: Defeat Evaluation of an Electronic Access Control Locking System. In Proceedings of the 2022 IEEE International Carnahan Conference on Security Technology (ICCST), Valec, Czech Republic, 7–9 September 2022; pp. 1–6. [Google Scholar]
  35. Granzer, W.; Praus, F.; Kastner, W. Security in Building Automation Systems. IEEE Trans. Ind. Electron. 2010, 57, 3622–3630. [Google Scholar] [CrossRef]
  36. Common Weakness Enumeration. Common Weakness Enumeration. 2021. Available online: http://cwe.mitre.org/data/index.html (accessed on 17 August 2025).
  37. NIST-Resilience-Research. Resilience Research. Available online: https://www.nist.gov/resilience (accessed on 9 September 2022).
  38. Prisma.org. Transparent reporting or systematic reviews and meta-analysis. Prism. Checkl. 2024, 2024. [Google Scholar]
  39. Kshetri, N. Information and communications technologies, strategic asymmetry and national security. J. Int. Manag. 2005, 11, 563–580. [Google Scholar] [CrossRef][Green Version]
  40. Meyer, D.; Haase, J.; Eckert, M.; Klauer, B. New attack vectors for building automation and IoT. In Proceedings of the IECON 2017—43rd Annual Conference of the IEEE Industrial Electronics Society, Beijing, China, 29 October–1 November 2017; pp. 8126–8131. [Google Scholar]
  41. Kumar, S.A.; Vealey, T.; Srivastava, H. Security in Internet of Things: Challenges, Solutions and Future Directions. In Proceedings of the 2016 49th Hawaii International Conference on System Sciences (HICSS), Koloa, HI, USA, 5–8 January 2016; pp. 5772–5781. [Google Scholar]
  42. Figueroa-Lorenzo, S.; Añorga, J.; Arrizabalaga, S. A Survey of IIoT Protocols. ACM Comput. Surv. 2020, 53, 1–53. [Google Scholar] [CrossRef]
  43. first.org. Common Vulnerability Scoring System SIG. 2023. Available online: https://www.first.org/cvss/ (accessed on 17 August 2025).
  44. NIST. National Vulnerability Database (NVD). 2022. Available online: https://www.nist.gov/programs-projects/national-vulnerability-database-nvd (accessed on 17 August 2025).
  45. Thomas, R.J.; Chothia, T. Learning from Vulnerabilities—Categorising, Understanding and Detecting Weaknesses in Industrial Control Systems. In Computer Security; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2020; pp. 100–116.
  46. Stouffer, K.; Pillitteri, V.; Lightman, S.; Abrams, M.; Hahn, A. Guide to Industrial Control Systems (ICS) Security; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2015.
  47. Liu, Y.; Pang, Z.; Dan, G.; Lan, D.; Gong, S. A Taxonomy for the Security Assessment of IP-Based Building Automation Systems: The Case of Thread. IEEE Trans. Ind. Inform. 2018, 14, 4113–4123.
  48. Heartfield, R.; Loukas, G.; Budimir, S.; Bezemskij, A.; Fontaine, J.R.J.; Filippoupolitis, A.; Roesch, E. A taxonomy of cyber-physical threats and impact in the smart home. Comput. Secur. 2018, 78, 398–428.
  49. Geismann, J.; Bodden, E. A systematic literature review of model-driven security engineering for cyber–physical systems. J. Syst. Softw. 2020, 169, 110697.
  50. Wittenberg, D.K.; Smith, J.; Gray, R.; Eakman, G. Automotive Vulnerability Detection System. In Proceedings of the 10th escar USA—The World's Leading Automotive Cyber Security Conference, Plymouth, MI, USA, 20–22 June 2015.
  51. Qu, Y.; English, A.; Hannon, B. Quantifying the Impact of Vulnerabilities of the Components of an Information System towards the Composite Rise Exposure. In Proceedings of the 2021 International Conference on Computational Science and Computational Intelligence (CSCI), Las Vegas, NV, USA, 15–17 December 2021; pp. 788–793.
  52. Ciholas, P.; Lennie, A.; Sadigova, P.; Such, J.M. The Security of Smart Buildings: A Systematic Literature Review. arXiv 2019, arXiv:1901.05837.
  53. Ly, K.; Jin, Y. Security Challenges in CPS and IoT: From End-Node to the System. In Proceedings of the 2016 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), Pittsburgh, PA, USA, 11–13 July 2016; pp. 63–68.
  54. Huang, B.; Chaki, D.; Bouguettaya, A.; Lam, K.-Y. A Survey on Conflict Detection in IoT-based Smart Homes. ACM Comput. Surv. 2023, 56, 1–40.
  55. Cimino, G.; Deufemia, V. SIGFRID: Unsupervised, Platform-Agnostic Interference Detection in IoT Automation Rules. ACM Trans. Internet Things 2025, 6, 1–33.
  56. Li, C.H.; Yuen, H.Y.; Lee, T.T.; Tang, W.F.; Lee, C.C.; Ng, C.; Mak, S.L. How to Embed AI Applications of Building Management System in Campus Management. In Intelligent Sustainable Systems; Lecture Notes in Networks and Systems; Springer: Singapore, 2024; pp. 403–411.
  57. BSI Federal Office for Information Security. Unternehmen und Organisationen–Standards und Zertifizierung; BSI Federal Office for Information Security: Bonn, Germany, 2022.
  58. Army War College Press. Unorthodox Thoughts about Asymmetric Warfare; OMB No. 0704-0188; Army War College Press: Carlisle, PA, USA, 2003; p. 16.
  59. Lele, A. Asymmetric Warfare: A State vs Non-State Conflict. Oasis 2014, 20, 97–111.
  60. Chen, A.; Sriraman, A.; Vaidya, T.; Zhang, Y.; Haeberlen, A.; Loo, B.T.; Phan, L.T.X.; Sherr, M.; Shields, C.; Zhou, W. Dispersing Asymmetric DDoS Attacks with SplitStack. In Proceedings of the 15th ACM Workshop on Hot Topics in Networks, Atlanta, GA, USA, 9–10 November 2016; pp. 197–203.
  61. Miles, F.B. Asymmetric Warfare: An Historical Perspective; U.S. Army War College: Carlisle, PA, USA, 1999; p. 54.
  62. Kshetri, N. Information and Communications Technologies, Cyberattacks, and Strategic Asymmetry. In The Global Cybercrime Industry; Springer: Berlin/Heidelberg, Germany, 2010; pp. 119–137.
  63. Pernin, C.G.; Axelband, E.; Drezner, J.A.; Dille, B.B.; Gordon, I.; Held, B.J.; McMahon, K.S.; Perry, W.L.; Rizzi, C.; Shah, A.R. Lessons from the Army's Future Combat Systems Program; RAND, Arroyo Center: Santa Monica, CA, USA, 2012; p. 29.
  64. Gupta, A.; Langbort, C.; Basar, T. Dynamic Games With Asymmetric Information and Resource Constrained Players With Applications to Security of Cyberphysical Systems. IEEE Trans. Control Netw. Syst. 2017, 4, 71–81.
  65. Makhdoom, I.; Abolhasan, M.; Lipman, J.; Liu, R.P.; Ni, W. Anatomy of Threats to the Internet of Things. IEEE Commun. Surv. Tutor. 2019, 21, 1636–1675.
  66. Jajodia, S.; Cybenko, G.; Liu, P.; Wang, C.; Wellman, M. Adversarial and Uncertain Reasoning for Adaptive Cyber Defense; Springer: Cham, Switzerland, 2019.
  67. Cybenko, G.; Wellman, M.; Liu, P.; Zhu, M. Overview of Control and Game Theory in Adaptive Cyber Defenses. In Adversarial and Uncertain Reasoning for Adaptive Cyber Defense; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2019; pp. 1–11.
  68. Jones, M.G. Asymmetric Information Games and Cyber Security. Ph.D. Thesis, Georgia Institute of Technology, Georgia Tech Library, Atlanta, GA, USA, 2013.
  69. Pawlick, J.; Colbert, E.; Zhu, Q. A Game-theoretic Taxonomy and Survey of Defensive Deception for Cybersecurity and Privacy. ACM Comput. Surv. 2019, 52, 1–28.
  70. Sheikh, Z.A.; Singh, Y. A Hybrid Threat Assessment Model for Security of Cyber Physical Systems. In Proceedings of the 2022 Seventh International Conference on Parallel, Distributed and Grid Computing (PDGC), Solan, India, 25–27 November 2022; pp. 582–587.
  71. Siebel, N.T. Securing IT Networks for Industrial and Building Automation Systems. Int. J. Trend Res. Dev. 2018, 134–136.
  72. Soucek, S.; Zucker, G. Current developments and challenges in building automation. Elektrotechnik Und Informationstechnik 2012, 129, 278–285.
  73. Tenkanen, T.; Hamalainen, T. Security Assessment of a Distributed, Modbus-Based Building Automation System. In Proceedings of the 2017 IEEE International Conference on Computer and Information Technology (CIT), Helsinki, Finland, 21–23 August 2017; pp. 332–337.
  74. ENISA. Glossary of Threat and Risk Management. 2021. Available online: https://www.enisa.europa.eu/sites/default/files/publications/O.7.2-T2-Risk_Management_standards.pdf (accessed on 17 August 2025).
  75. Badawy, M.; Sherief, N.H.; Abdel-Hamid, A.A. Legacy ICS Cybersecurity Assessment Using Hybrid Threat Modeling—An Oil and Gas Sector Case Study. Appl. Sci. 2024, 14, 8398.
  76. Liu, Y.; Ning, P.; Reiter, M.K. False data injection attacks against state estimation in electric power grids. ACM Trans. Inf. Syst. Secur. 2011, 14, 1–33.
  77. Beaver, J.M.; Borges-Hink, R.C.; Buckner, M.A. An Evaluation of Machine Learning Methods to Detect Malicious SCADA Communications. In Proceedings of the 2013 12th International Conference on Machine Learning and Applications, Miami, FL, USA, 4–7 December 2013; pp. 54–59.
  78. Zhang, F.; Kodituwakku, H.A.D.E.; Hines, J.W.; Coble, J. Multilayer Data-Driven Cyber-Attack Detection System for Industrial Control Systems Based on Network, System, and Process Data. IEEE Trans. Ind. Inform. 2019, 15, 4362–4369.
  79. Goh, J.; Adepu, S.; Tan, M.; Lee, Z.S. Anomaly Detection in Cyber Physical Systems Using Recurrent Neural Networks. In Proceedings of the 2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE), Singapore, 12–14 January 2017; pp. 140–145.
  80. Gawand, H.L.; Bhattacharjee, A.K.; Roy, K. Securing a Cyber Physical System in Nuclear Power Plants Using Least Square Approximation and Computational Geometric Approach. Nucl. Eng. Technol. 2017, 49, 484–494.
  81. Varela-Vaca, Á.J.; Rosado, D.G.; Sánchez, L.E.; Gómez-López, M.T.; Gasca, R.M.; Fernández-Medina, E. Definition and Verification of Security Configurations of Cyber-Physical Systems. In Computer Security; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2020; pp. 135–155.
  82. Abdulmunem, A.-S.M.Q.; Kharchenko, V.S. Availability and Security Assessment of Smart Building Automation Systems: Combining of Attack Tree Analysis and Markov Models. In Proceedings of the 2016 Third International Conference on Mathematics and Computers in Sciences and in Industry (MCSI), Chania, Greece, 27–29 August 2016; pp. 302–307.
  83. Abdulmunem, A.-S.M.K.; Akhmed Valid Al-Khafadzhi, V.K. The method of IMECA-based security assessment: Case study for building automation system. Ivan Kozhedub Kharkiv Natl. Air Force Univ. (KNAFU) 2016, 1, 138–144.
  84. Jones, C.B.; Carter, C.; Thomas, Z. Intrusion Detection & Response using an Unsupervised Artificial Neural Network on a Single Board Computer for Building Control Resilience. In Proceedings of the 2018 Resilience Week (RWS), Denver, CO, USA, 20–23 August 2018; pp. 31–37.
  85. Chen, Y.; Ni, T.; Xu, W.; Gu, T. SwipePass. Proc. ACM Interact. Mob. Wearable Ubiquitous Technol. 2022, 6, 1–25.
  86. Duan, D.; Sun, Z.; Ni, T.; Li, S.; Jia, X.; Xu, W.; Li, T. F2Key: Dynamically Converting Your Face into a Private Key Based on COTS Headphones for Reliable Voice Interaction. In Proceedings of the 22nd Annual International Conference on Mobile Systems, Applications and Services, Tokyo, Japan, 3–7 June 2024; pp. 127–140.
  87. Ni, T.; Zhang, X.; Zhao, Q. Recovering Fingerprints from In-Display Fingerprint Sensors via Electromagnetic Side Channel. In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, Copenhagen, Denmark, 26–30 November 2023; pp. 253–267.
Figure 1. BAS automation layer.
Figure 2. Practical example of interconnectivity in building automation.
Figure 3. Areas included in the literature review and their categorization.
Figure 4. Structure and objectives of the review.
Figure 5. Flow diagram on the basis of PRISMA [38].
Figure 6. Distribution of literature with focus on security in the areas of ICS and CPS.
Figure 7. Distribution of literature with focus on real-world scenarios involvement.
Figure 8. Protocols, standards, and field bus systems with or without security implementation.
Figure 10. Literature around intrusion detection systems in CPS.
Table 1. Overview and categorization of the extracted literature.

Category: Real-World Scenarios
Area: CPS, ICS, IoT
References: [31,39,40]
Types of attacks or vulnerabilities most frequently listed: Malicious code, tampering, eavesdropping, sniffing, noise in data, gateway attacks, unauthorized access, injecting fake information, denial of service.
Layers affected: Enterprise, Management, Automation
Key messages: Missing threat classification. Lack of practical examples for training deep learning algorithms and intrusion detection systems.

Category: Adoption of Standardized Vulnerability Databases
Area: BAS, CPS, ICT, IoT
References: [41,42,43,44,45]
Types of attacks or vulnerabilities most frequently listed: CVSS and NVD as very comprehensive databases that cover almost all types of attacks or vulnerabilities.
Layers affected: Enterprise, Management
Key messages: Focus on the field of cyber security (IT, networking). Difficult to adapt for BAS. Lack of trained personnel in the CPS area.

Category: Fieldbus Systems, Protocols and Standards
Area: BAS
References: [13,21,42,46]
Types of attacks or vulnerabilities most frequently listed: Unauthorized device discovery, denial of service, writing failure, write property, man-in-the-middle, eavesdropping, replay, spoofing, local manipulation, physical attack.
Layers affected: Field
Key messages: Due to the longevity of BAS, many old and proprietary protocols are still in use. Low prevalence of BACnet Secure, KNX Secure, or other secure protocols.

Category: Composite Vulnerabilities
Area: CPS, ICT, IoT
References: [18,19,20,29,35,47,48,49,50,51,52,53,54,55,56,57,58,59,60]
Types of attacks or vulnerabilities most frequently listed: Mutual influence, inter-rule or interaction conflicts, combined vulnerabilities, man-in-the-middle, spoofing, information disclosure.
Layers affected: Enterprise, Management, Automation, Field
Key messages: Vulnerabilities that emerge from a combination of multiple components or systems, which may individually seem harmless but together lead to exploitable conditions.

Category: Hybrid and Asymmetric Threats and Weaknesses
Area: CPS, ICT, IoT
References: [49,50,61,62,63,64,65,66,67,68,69,70]
Types of attacks or vulnerabilities most frequently listed: All known types of attacks or vulnerabilities. Typically divided into the cyber, physical and organizational area, physical/environmental damage.
Layers affected: Enterprise, Management, Automation, Field
Key messages: Neither purely cyber, physical, or organizational in nature, making them challenging to detect and mitigate. Particularly in BAS, many smart sensors are located in unprotected areas, which facilitates such attacks.

Category: Intrusion Detection Systems
Area: CPS, ICT, IoT
References: [22,31,71,72,73,74,75]
Types of attacks or vulnerabilities most frequently listed: Most of the known types of attacks or vulnerabilities.
Layers affected: Enterprise, Management, Automation
Key messages: IDS supports the detection of many types of threats or intrusion. Widespread use in network technology and IT. No literature available on building automation.
Table 2. Bus-systems and protocols with auto-discovery functionality.

Name | Full name or short description | Trade mostly spread | Proprietary or open system | Owner or developer | Security per design or as a feature implemented | Type of security (if applicable) | Object discovery tool available | Standards involved / owner link | Long description
BACnet | Building Automation and Control | HVAC | open | bacnet.org | no | - | yes | ISO 16484-5; IEEE 802.2; IEEE 802.3; EIA-485; ASHRAE/ANSI 135 | Communication protocol standard, object oriented, de facto standard in BAS
C-Bus | 2-wire EIA-485 based | HVAC | proprietary | Honeywell | no | - | yes | honeywell.com | 2-wire fieldbus to connect controllers amongst each other and to a BMS, only for Honeywell devices, outdated
DALI | Digital Addressable Lighting Interface | lighting | open | IEC and DiiA | no | - | yes | IEC 62386, IEC 60929 | Widely spread lighting control bus
KNX | Konnex, formerly called EIB (Europäischer InstallationsBus) or InstaBus | lighting, electrical, HVAC | open | knx.org | no | - | yes | EN 50090-3,4; EN 13321-1,2; ISO/IEC 14543 | Fieldbus and standard especially for lighting, shading and electrical installations, de facto standard in building automation
LON | Local Operating Network | HVAC, lighting, security | open | Echelon | no | - | yes | EN ISO/IEC 14908; ANSI/CEA-709.1-B | Framework: LonTalk, LonWorks, CEA-709; more outdated, very commonly used before BACnet
M-Bus | Also called Meter-Bus | metering | open | oms-group.org | no | - | yes | EN 13757; EN 61334-4-1; IEC 60870-5 | Most common bus for metering applications in BAS in Europe
M-Bus wireless | Meter-Bus as a wireless application | metering | open | oms-group.org | no | - | yes | EN 13757-4:2005 | Uses a frequency of 868 MHz, designed primarily for remote reading and battery-supplied devices
Modbus RTU/ASCII | 2-wire EIA-485 based | BMS, industrial | open | Modbus Organization | no | - | yes | modbus.org; ANSI/TIA/EIA-485-A-98 | Communication protocol, de facto standard for basic communication between industrial devices, royalty free
Modbus TCP/UDP | IP layer for Modbus | BMS, industrial | open | Modbus Organization | no | - | yes | modbus.org | Communication protocol, de facto standard for basic communication between industrial devices, royalty free
MQTT | Message Queuing Telemetry Transport | IoT, smart home | open | OASIS | yes | TLS | yes | OASIS; ISO/IEC 20922:2016 | Lightweight message transport protocol for client/server environments
ONVIF | Open Network Video Interface Forum | VMS | open | onvif.org | (yes) | (TLS) | yes | onvif.org | Open industry forum that provides and promotes standardized interfaces for effective interoperability of IP-based physical security products
OPC | Open Platform Communications / OLE for Process Control | BMS | open | OPC Foundation | no | - | yes | opcfoundation.org | Specifies communication of real-time plant data between control devices from different manufacturers. Series of standards and specifications, based on OLE, COM, and DCOM
OPC DA | Open Platform Communications Data Access | BMS | open | OPC Foundation | (yes) | tunneling, COM/DCOM | yes | opcfoundation.org | Client/server communication, cross-platform, binary protocol, and web service. Intended for Alarm&Event (A&E) and History Data Access (HDA)
OPC UA | Open Platform Communications Unified Architecture | BMS | open | OPC Foundation | yes | tunneling, COM/DCOM | yes | opcfoundation.org | Client/server communication, SOA (service-oriented architecture), cross-platform, binary protocol and web service. Intended for Alarm&Event (A&E) and History Data Access (HDA). Unified Architecture
SMI | Standard Motor Interface | shading | open | SMI-group | no | - | yes | standard-motor-interface.com | 5-wire common interface for sunblinds
Table 3. Literature in which behavioral models and BASs are mentioned in the same context.

Authors | Year | Scope | Focus area | BAS mentioned | Weaknesses mentioned in the context of vulnerabilities | Vulnerabilities or threat classification | CPS/ICS system behavior modelling | Short description of the content
[82] | 2017 | security assessment/analysis | attack tree analysis | yes | yes | no | yes | Based on an attack tree analysis using the Markov model, the report intends to assess the BAS's security.
[83] | 2016 | security assessment/analysis | BAS in general | yes | no | no | yes | Apply FTA, HAZOP, RBD, and IMECA to BAS.
[84] | 2018 | anomaly detection | unsupervised learning algorithm | yes | no | no | yes | Intrusion and anomaly detection via a single board computer which inspects the network traffic between the BAS nodes.
Share and Cite

Gerhalter, M.; Dahal, K. Composite Vulnerabilities and Hybrid Threats for Smart Sensors and Field Busses in Building Automation: A Review. Sensors 2025, 25, 5218. https://doi.org/10.3390/s25175218
