The rise of HVAC cybersecurity compliance is about to reshape how organizations manage their buildings. What was once the domain of IT, facilities, or construction teams in isolation is now becoming a shared responsibility — and a regulatory requirement. New rules, starting with the New York Department of Financial Services and likely to spread across sectors, will require organizations to inventory, monitor, and secure every communicating HVAC device. Most buildings aren’t prepared for that level of visibility or accountability. These “cybersecurity rules” apply to everything from IoT all the way down to HVAC systems. And where the finance industry goes, other sectors follow.
There has always been regulatory, financial, and operational reporting, but this is the first time that compliance has extended to the physical building itself. It means that you will potentially have to know and document all communicating devices—every sensor, controller, switch, and access point—as well as their status.
This is an issue that often falls outside of everybody’s purview. IT doesn’t handle building devices; facilities teams are focused on day-to-day equipment requirements (and, let’s face it, occupant complaints), construction teams install once and then wash their hands of ongoing responsibility, and vendors can usually only tell if a device is down, all while executives assume someone has these devices covered.
If this is the status quo for commercial businesses, imagine how challenging a heightened compliance scenario would be for school districts and public agencies with limited staff and budget. It’s more important than ever to make sure someone is familiar with these systems, actively monitoring them on an ongoing basis for optimal performance, and ready to respond to additional compliance requirements.
Meeting the coming compliance requirements will require not just determining which devices exist, but also documenting their network infrastructure and security status, as well as developing a thorough understanding of how these devices relate to operations.
An HVAC unit connects not only to the room it serves, but also to the upstream and downstream equipment it relies on, the controller that manages it, the network supporting that controller, and the spaces it conditions. Each of these links creates dependencies that must be monitored for facilities managers to gain a truly accurate view of building operations.
A new class of building tech—the virtual engineer—adds an intelligent layer that connects to existing building systems, continuously learns, and automates optimization and reporting. In the immediate term, it responds to issues rather than simply reacting to them. In the longer term, it tracks the relationship of devices to building spaces, which can support building device compliance reporting.
Traditional “smart” energy management technology relies on automated temperature set points and fixed schedules for which HVAC units turn on or off. Virtual engineers, on the other hand, “learn” and continually monitor specialized building characteristics such as occupant behaviors, thermal building characteristics, and utility signals (time-of-use rate in effect, dynamic pricing) to optimize temperature, comfort, energy load, and cost.
While you might expect to rely on occupant reports of rooms being too hot or cold, a virtual engineer knows when occupants are overriding set points and automatically adjusts the range to accommodate the new learned comfort level. First-gen technology would abide by the programming that tells it a space is unoccupied after 4 p.m. whereas a virtual engineer might learn from user overrides that those spaces are actually inhabited during that time. Based on the additional data the virtual engineer is tracking, it can surface these relationships and dependencies and alert the team if a unit is down or has become inefficient by recognizing when the thermostat doesn’t match the reporting of the engineer’s own sensors.
Whether you use an Excel or Google sheet or have graduated to a structured database or even a data layer platform, having these relationships made explicit and kept current makes it easier to track and report them.
Aside from the sheer amount of time and effort involved in compiling such an inventory, further complicating matters is the fact that this wouldn’t be a one-time audit, but rather an ongoing effort. Future devices connected to the HVAC system would need to meet certain standards and have their connectivity documented as well.
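The inventory described above (devices, their network details and security status, the upstream equipment they depend on, and the spaces they serve) lends itself to a small dependency graph. The following is an added example, not code from the original post or from CEL; the device ids, addresses and firmware strings are constructed, and the functions check for undocumented fields, trace which spaces lose service when an upstream device fails, and flag devices seen communicating that the inventory does not know about.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Device:
    dev_id: str
    kind: str                        # e.g. "switch", "controller", "rtu", "sensor"
    ip: Optional[str]                # None: it communicates, but nobody recorded where
    firmware: Optional[str]          # None: version unknown, so security status is unknown
    depends_on: list = field(default_factory=list)   # upstream device ids
    serves: list = field(default_factory=list)       # spaces this device conditions or measures

# Constructed sample inventory (hypothetical ids, addresses and firmware versions).
INVENTORY = {d.dev_id: d for d in [
    Device("switch-1", "switch", "10.0.5.2", "sw-2.1"),
    Device("controller-A", "controller", "10.0.5.10", "bac-4.3", ["switch-1"]),
    Device("rtu-3", "rtu", "10.0.5.31", "rtu-1.8", ["controller-A"], ["room-101", "room-102"]),
    Device("rtu-4", "rtu", "10.0.5.32", None, ["controller-A"], ["room-201"]),
    Device("sensor-101", "sensor", None, "s-0.9", ["controller-A"], ["room-101"]),
]}

def inventory_gaps(inv):
    """Fields an auditor would expect to see documented but that are still blank."""
    gaps = []
    for dev in inv.values():
        for name in ("ip", "firmware"):
            if getattr(dev, name) is None:
                gaps.append((dev.dev_id, name))
        for up in dev.depends_on:
            if up not in inv:
                gaps.append((dev.dev_id, "unknown upstream " + up))
    return sorted(gaps)

def impacted_if_down(inv, dev_id):
    """Walk the dependency graph downstream: which other devices and which spaces lose service."""
    devices, frontier = set(), [dev_id]
    spaces = set(inv[dev_id].serves) if dev_id in inv else set()
    while frontier:
        cur = frontier.pop()
        for dev in inv.values():
            if cur in dev.depends_on and dev.dev_id not in devices:
                devices.add(dev.dev_id)
                spaces.update(dev.serves)
                frontier.append(dev.dev_id)
    return devices, spaces

def undocumented(inv, observed_ids):
    """Devices seen communicating on the network that the inventory does not know about."""
    return sorted(set(observed_ids) - set(inv))

if __name__ == "__main__":
    seen = ["switch-1", "controller-A", "rtu-3", "rtu-4", "sensor-101", "tstat-7"]  # constructed scan result
    print(inventory_gaps(INVENTORY), impacted_if_down(INVENTORY, "switch-1"), undocumented(INVENTORY, seen))
```

Running the scan comparison on a schedule, rather than once at audit time, is what turns the one-time inventory into the ongoing record the text describes.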
Energy management vendors would be required to implement access controls for the devices in scope and their data, establish regular testing of the devices’ integration with the organization’s IT systems, identify where data is stored and possibly restrict which data is stored, certify destruction of sensitive data, and define acceptable use for data in AI models.
At CEL, we have the visibility into how the HVAC systems we optimize fit into the overall building operations picture and own the AI model that shifts their energy load. We are closely monitoring the development of cybersecurity regulations across states and sectors and stand ready to take responsibility for supporting our partners in more rigorous HVAC compliance reporting.
