CRA Compliance Checklist: Building Automation & Smart Buildings
Default Class to Important Class I — depends on deployment in critical facilities
Building automation systems (BAS/BMS) control HVAC, lighting, access, fire safety, and energy management across commercial and industrial buildings. Most BAS components are Default class under the CRA, but those deployed in hospitals, data centres, and other critical facilities may be treated as critical infrastructure components. The BACnet and Modbus protocols widely used in BAS were not designed with security in mind — CRA compliance requires significant attention to protocol security and access control.
1. Scope & Classification
Confirm which BAS components have network connectivity and are in CRA scope
BAS controllers with IP connectivity are in scope. Field devices with only BACnet MS/TP or RS-485 (no IP stack) may be out of scope — verify connectivity architecture.
Assess whether facilities served by your BAS qualify as critical infrastructure under NIS2
BAS controlling hospitals, data centres, or critical public infrastructure may face stricter regulatory scrutiny. NIS2 may impose additional obligations on the facility operator.
Compile SBOM for all BAS controller firmware, BACnet stacks, HVAC control software, and web interfaces
BAS often run embedded Linux with commercial BACnet stacks and custom web UIs. Each component must be tracked for CVEs.
2. Protocol & Network Security
Implement BACnet/SC (Secure Connect) for all IP-based BACnet communication
Legacy BACnet/IP has no built-in authentication or encryption. BACnet/SC (ASHRAE Addendum bj) provides TLS 1.3 encryption and certificate-based authentication.
Restrict BACnet/IP to authorised subnets — block unauthorised broadcast and unicast access
BACnet broadcasts are a significant attack surface. Implement IP ACLs or dedicated OT VLANs to restrict BACnet to authorised devices.
Disable unauthenticated Modbus access — implement Modbus over TLS where possible
Standard Modbus has no authentication. If Modbus must be used, implement Modbus over TLS (RFC 8966) or restrict to internal OT segments with strict access controls.
Encrypt all web-based management interfaces (HTTPS only, HTTP disabled)
BAS web interfaces exposed over HTTP are vulnerable to interception. Enforce HTTPS with valid certificates.
Implement network segmentation — separate BAS network from corporate IT and the internet
BAS networks should be on dedicated OT VLANs with no direct internet access. Remote access should be via VPN, not direct exposure.
3. Access Control
Implement role-based access control for all BAS management interfaces
Operators, engineers, and administrators need different access levels. Least-privilege access must be enforced across all management interfaces.
Eliminate all default credentials — require unique credentials per installation
BAS default credentials are commonly exploited. Remove all shared defaults. Require unique credentials set during commissioning.
Implement audit logging for all configuration changes and authentication events
BAS must log all access and configuration changes. Logs must be tamper-evident and retained for forensic investigation.
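One way to make the configuration audit trail tamper-evident, as an added example that is not from the page or any BAS vendor: each record carries an HMAC over its own fields and the previous record's tag, so an edit, reordering or removal inside the log breaks the chain at a locatable point. The record schema, the key and the sample events are constructed assumptions for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one audit event (constructed schema for this example, not any BAS product's).
type Record struct {
	Seq                           int
	Actor, Action, Object, Detail string
	Prev, Tag                     string // tag of the previous record, and this record's own tag
}
// tag is an HMAC over every field, including Prev, so each record is bound to its predecessor.
func tag(key []byte, r Record) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%d\x1f%s\x1f%s\x1f%s\x1f%s\x1f%s", r.Seq, r.Actor, r.Action, r.Object, r.Detail, r.Prev)
	return hex.EncodeToString(m.Sum(nil))
}
// Append chains a new event. key belongs to the log collector or a secure element, not to operators.
func Append(key []byte, log []Record, actor, action, object, detail string) []Record {
	r := Record{Seq: len(log), Actor: actor, Action: action, Object: object, Detail: detail}
	if len(log) > 0 {
		r.Prev = log[len(log)-1].Tag
	}
	r.Tag = tag(key, r)
	return append(log, r)
}

// Verify returns the index of the first altered, reordered or orphaned record, or -1 if intact.
func Verify(key []byte, log []Record) int {
	prev := ""
	for i, r := range log {
		if r.Seq != i || r.Prev != prev || !hmac.Equal([]byte(r.Tag), []byte(tag(key, r))) {
			return i
		}
		prev = r.Tag
	}
	return -1
}
func main() {
	key := []byte("constructed demo key: provision a real secret per site")
	log := Append(key, nil, "operator1", "login", "BMS-web", "from 10.0.5.20")
	log = Append(key, log, "operator1", "setpoint-change", "AHU-1/SupplyTemp-SP", "18.0 -> 24.0 C")
	fmt.Println(Verify(key, log)) // -1
	log[1].Detail = "18.0 -> 19.0 C" // retroactive edit of the setpoint record
	fmt.Println(Verify(key, log)) // 1
}
```

Removal of the newest records is only detectable by forwarding the latest tag to a collector that stores it separately, so the chain should be anchored off the controller as well as keyed.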
4. Firmware & Update Management
Implement signed firmware updates — controller must verify signature before applying any update
BAS firmware controls physical systems. Unsigned firmware enables arbitrary modification of HVAC, access, and other systems.
Define update procedures for air-gapped or poorly connected building environments
Many BAS installations have limited or no internet connectivity. Provide documented offline update procedures via USB or local network.
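A minimal signed-update check of the kind section 4 calls for, as an added example (not the page's or any vendor's code): the controller verifies an Ed25519 signature over a small header, refuses downgrades using the signed version, and only then trusts the image digest; the same check applies whether the package arrived over the network or from a USB stick in an air-gapped plant room. The package layout, key handling and names are assumptions constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed layout (not any vendor's format): header = version (4 bytes, big-endian) | SHA-256(image);
// signature = Ed25519 over the header. The signed digest binds the image without signing the whole file.
const headerLen = 4 + sha256.Size
var ErrBadSig = errors.New("header signature verification failed")
var ErrRollback = errors.New("version is not newer than installed firmware")
var ErrDigest = errors.New("image digest does not match signed header")
type Package struct{ Header, Signature, Image []byte }
// BuildPackage is the vendor-side step: it runs in the release pipeline, never on the controller.
func BuildPackage(priv ed25519.PrivateKey, version uint32, image []byte) Package {
	h := make([]byte, headerLen)
	binary.BigEndian.PutUint32(h[:4], version)
	sum := sha256.Sum256(image)
	copy(h[4:], sum[:])
	return Package{Header: h, Signature: ed25519.Sign(priv, h), Image: image}
}

// Verify is what the controller runs before writing anything to flash: signature first, then the
// anti-rollback check on the signed version, then the image against the signed digest.
func Verify(pub ed25519.PublicKey, installed uint32, p Package) (uint32, error) {
	if len(p.Header) != headerLen || !ed25519.Verify(pub, p.Header, p.Signature) {
		return 0, ErrBadSig
	}
	v := binary.BigEndian.Uint32(p.Header[:4])
	if v <= installed {
		return 0, ErrRollback
	}
	if sum := sha256.Sum256(p.Image); !bytes.Equal(sum[:], p.Header[4:]) {
		return 0, ErrDigest
	}
	return v, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // in production the public key is provisioned into the controller
	pkg := BuildPackage(priv, 2, []byte("constructed firmware image"))
	fmt.Println(Verify(pub, 1, pkg)) // 2 <nil>
	pkg.Image[0] ^= 0xff             // tamper with the image after signing
	fmt.Println(Verify(pub, 1, pkg)) // 0 image digest does not match signed header
}
```

A real product keeps the public key in immutable storage and the installed version counter in tamper-resistant memory, otherwise the rollback check can be bypassed by resetting it.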
5. CVD & Vulnerability Management
Publish a CVD policy covering all BAS controller models and associated software
BAS security research is growing. Researchers target building systems in hospitals, data centres, and commercial buildings. A CVD policy is required.
Define security support periods reflecting BAS operational lifetimes (10–15 years)
BAS controllers are often installed during building construction and remain in service for the building's lifetime. Support periods must reflect this.
Establish PSIRT or vulnerability handling function with documented SLAs
Even a small PSIRT function with documented processes satisfies the CRA requirement. The key is that vulnerability reports are tracked and addressed systematically.
Track your Building Automation & Smart Buildings compliance progress in CVD Portal.
Public CVD submission portal, Article 14 deadline alerts, SBOM tracking, and CSAF advisory generation. Free forever for manufacturers.
Frequently asked
Our BAS controllers only use BACnet MS/TP over RS-485 with no IP connectivity — are they in CRA scope?
Likely not. Products that connect only via wired field bus protocols with no IP networking capability may not qualify as 'products with digital elements' under the CRA. However, if the BAS controller connects to an IP gateway, building management workstation, or cloud service — even indirectly — the gateway or software components with network connectivity are in scope.
We manufacture BAS hardware but a system integrator commissions and programs the installation — who is responsible for CRA compliance?
The hardware manufacturer is responsible for CRA compliance of the product as placed on the market — including default security configuration, firmware update capability, and technical documentation. The system integrator takes on responsibility for the specific installation configuration. However, manufacturers should ensure their products support secure configuration and provide documentation that guides integrators toward secure deployments.
How does CRA interact with EN 62443 for building automation cybersecurity?
IEC 62443 (also adopted as EN 62443) is applicable to industrial automation and control systems including building automation. The IEC 62443-4-2 product security requirements closely align with CRA Annex I, and IEC 62443-4-1 covers secure development lifecycle requirements. Certification or conformity assessment against IEC 62443-4-2 can serve as strong evidence of CRA Annex I compliance.
Need a CVD policy for Building Automation & Smart Buildings?
Download a free CRA-compliant disclosure policy template and deploy it in minutes.