Buildings OT Cybersecurity Industry Analysis 2024-2030

Overview

Investment in buildings OT cybersecurity is increasing although it is starting from a relatively low base, highlighting the overall underdeveloped state of many cybersecurity programs across the industry. Global investment is forecast to reach $3.7B in 2024 and will grow at a CAGR of 16% from 2023-2031 as cybersecurity risk awareness improves. The TAM from 2024 to 2031 is $51.7B with over 80% of this investment spread across developed nations. Outside of NA, Europe and developed countries in Asia Pacific, WA expects limited investment and low growth to 2030.

There are strong market drivers in developed economies. Despite economic uncertainties, the construction growth for buildings is expected to strengthen post-2025. Sustainability goals will also drive the renovation market as building asset owners aim to meet energy performance targets such as the Energy Performance Buildings Directive (EPBD), the US EO 14057 which targets net-zero emissions from federal buildings by 2045, India's Energy Conservation Act and Japan's Building Energy Conservation Act, among others. Significant investment in building management platforms, smart sensors, and enhanced connectivity are expected to help reach these sustainability goals. Technological advancements will not only reduce energy costs and improve sustainability but also enhance occupant experiences. However, growing connectivity and smart devices introduce new vulnerabilities and expands the attack surface requiring assets owners to adapt and evolve cybersecurity programs.

Although not specific to buildings, cybersecurity regulations such as NIS2 are expected to enhance awareness and improve cyber risk programs although WA expects the impact to be limited to incremental improvements to current programs rather than large and widespread investment. Although NIS2 has been significantly expanded from its predecessor (NIS), history highlights that without strong enforcement change is slow. WA believes that digital transformation of building assets and growing board awareness of cybersecurity risk are more significant investment drivers than current and forthcoming cybersecurity regulation.

Lowering the typical building operators cyber risk profile is challenging in a sector that lacks cybersecurity skills, has a complex ecosystem of vendors and service companies, limited board commitment, and budget constraints. These barriers need to be overcome through greater industry education and collaboration.

WA believes that attitudes to cybersecurity are slowly changing in response to digital transformation trends. This includes a growing focus on asset and device management, vulnerability management, network segmentation, threat detection and Secure Remote Access Management as organisations move towards zero-trust architectures. However, as data is increasingly processed by edge devices, and forwarded to cloud platforms for storage and analysis, asset owners need to focus on protecting OT devices and networks, whilst ensuring that edge devices and data is protected to and from the cloud. A greater focus on resilience is required, ensuring that organisations can respond and recover from incidents with minimal disruption. This includes a focus on people, processes and technology and a governance framework that aligns cybersecurity with company goals and regulatory requirements.

Buildings OT Cybersecurity Definition

This analysis reviews the Building OT Cybersecurity market, exploring the trends impacting asset owners and security leaders, and evaluates current and future OT cybersecurity expenditure.

The project covers the technologies and services used to protect OT networks and devices. In the Purdue Model this is level 3 and below, covering the supervisory layer, automation layer and field layer described in the accompanying chart.

Building terminologies are often used interchangeably. Building Management Systems (BMS), Building Automation Systems (BAS), Building Control Systems (BCS) and Facility Related Control Systems (FRCS) all overlap and are included within the scope of the project.

Systems, devices and related controllers includes HVAC, energy management, elevators, fire and safety, lighting, electronic security (physical access control, surveillance cameras), mechanical systems (e.g. water pumps) and parking systems.

The project includes technical and administrative cybersecurity controls used to protect buildings OT across the NIST 2.0 framework (Govern, Identity, Protect, Detect, Respond, Recover). The only exception is back-up and disaster recovery technology which has been excluded from the analysis.

The project is global and covers the period 2023 to 2031. The base year is 2023 and 2024 is a forecasted number that may change in subsequent editions of the report. The Total Available Market (TAM) is often quoted for the period 2024-2031 whilst the CAGR for the period covers 2023-2031.