Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Summary
This project will work to strengthen the cybersecurity of building systems, including heating ventilation, and air conditioning (HVAC), security, lighting, and elevators, that provide services to building occupants. The project goal is to develop a suite of building services cybersecurity application profiles within the context of a larger digital building profile effort. This work will be done in collaboration with industry working in the Coalition for Smarter Buildings (C4SB) under the Linux Foundation.
The Digital Building Profile (DBP) effort in C4SB is an industry-driven initiative to help industry identify the key aspects of a modern digital building and specify interoperable open standard approaches to move toward the goal of next generation digital buildings. The DBP gathers the “facts” of a building into a standard format with standard semantics, allowing a user to see: building type, building location, services and integrated applications offered, energy performance, connections to outside service providers, security levels, etc. This data can then be fed into a digital twin, enabling more applications. And, to the point of this project, the data and the applications must be secured to some degree depending on the requirements of the building purpose and owner’s intent.
Connectivity among building systems and with outside service partners is increasing. Building services themselves are moving to the cloud. As more HVAC and other building systems have become connected internally and externally, the challenges and need to keep them secure have become more apparent and urgent. Cybersecurity is a complex field outside the area of expertise of most members of the building services community, yet it is becoming a priority to many of them. Knowledge of cybersecurity is now a need at every stage in the lifecycle of a building, impacting a wide range of interests. This project will help building owners and building system vendors to maintain secure systems in the face of greater cybersecurity risk.
Description
Objective
Develop the building services cybersecurity application profiles and guidance needed by building owners, designers, manufacturers and others involved in the lifecycle of the building, to understand threats, risks, countermeasures and governance approach and to ensure cyber-secure facilities.
Technical Idea
NIST will work with industry stakeholders within the Coalition for Smarter Buildings (C4SB) to establish the Digital Buildings Profile effort and within that to establish a new Cybersecurity Working Group. The Cyber WG will develop a set of application profiles to help building owners and other stakeholders to apply existing cybersecurity frameworks and tools to secure different building types with different cybersecurity requirements. Work inside C4SB is housed in the Linux Foundation, which is dedicated to open-source projects. The Cyber WG will make use of existing frameworks including: NIST Cybersecurity Framework, NIST Risk Management Framework, the DOE Cybersecurity Capability Maturity Model, the FEMP Facility Cybersecurity Framework and ISA/IEC 62443. This project will collaborate with other efforts under the Digital Building Profile effort and within NIST to advance digital twin technology and building semantics standards. The project will advance the Digital Building Profile—a concept for helping to drive industry toward more modern and connected buildings that are safe, cyber-secure, efficient, optimized, and working together with the grid and community.
Research Plan
NIST will initially work with industry thought leaders to develop the Digital Building Profile concept and establish a working group (the DBP-WG) under C4SB and publish a high-level introduction to the mission of this effort. NIST will host an ASHRAE Workshop session at the February 2026 winter conference and use this session to present the DBP WG plans and invite industry stakeholders to engage with a new Cybersecurity WG that will be part of the DBP effort. NIST will lead the Cyber-WG to agree on approach for cybersecurity for the modern digital building and then work with industry to develop application profiles based on existing standards and tools (per above). Industry stakeholders include facility owners (government, commercial and institutional) and operators, service providers (building management and analytics, aggregators, system vendors, etc.), building services staff, architects, engineers and construction.
The Cyber WG will use an iterative and staged development plan for a set of application profiles, using Linux Foundation tools for publication and public review and open development.
Work inside NIST will include collaboration with the Networked Control Systems Group in the Communications Technology Laboratory. That group is developing a Digital Twin for Operation Technology community profile, as well as updating the NIST SP 800-82 Guide to Industrial Control System Security. Both of these work efforts have some overlap with this project.
NIST efforts in this project will be a multi-year effort to identify needed cybersecurity controls at different security levels for different building types. NIST will work with the Cyber WG to identify needed user guidance or tools for different stakeholders.
