BMS Cybersecurity — IEC 62443 & Cyber Resilience Act
Your BMS controllers are networked. Your maintenance technician accesses them remotely. The question worth asking: who else could? Boiler rooms, ventilation, access control — technical installations are becoming an attack surface, and regulation is moving fast.
The framework: IEC 62443 and the CRA
IEC 62443 structures cybersecurity for industrial and building systems: network segmentation, device authentication, access logging, update management. The Cyber Resilience Act (CRA) takes effect on 11 December 2027: any connected product placed on the European market will need to comply, with security updates guaranteed for at least 5 years. The BMS equipment chosen today already needs to anticipate this — and the good news is that IEC 62443 covers most of what the CRA requires.
Our approach: security by design
- Specifications that build in IEC 62443: security requirements set out at tender stage, not bolted on afterwards.
- Open protocols (BACnet, KNX, OPC UA): a closed proprietary system can’t be audited, and its updates depend on a single manufacturer. Vendor lock-in is also a security risk.
- Network architecture and equipment selection: OT/IT segmentation, controlled remote access, and equipment with a documented security policy and update commitment.
Who we work with
Public and private clients, portfolio operators, industry — on new-build projects (integrated from the SIA design phases, alongside our MCR design work) or when assessing existing systems (as part of an audit of your installations).
What you get
An auditable BMS, controlled remote access, and equipment choices that won’t be regulatorily obsolete by 2027. Several clients already trust us for this approach.