Building commissioning agents have been performing commissioning services for decades across a wide range of industries to see that systems function as intended before handing over the project to the owner. Today building controls are becoming data-driven. Simply commissioning the functionality of new or updated systems may not be enough.

The broad connectivity and technological advancement of our world offer facility owners and operators expansive capabilities to streamline and automate processes. But with those capabilities come increased risk and vulnerabilities that just didn’t exist in older, analog systems.

As an integral part of the commissioning process, cybersecurity commissioning seeks to go one step deeper. By examining the operation and protocols of control systems within a facility or business, cybersecurity commissioning creates a more secure posture for all systems. The inclusion of this process within the commissioning of a facility’s control systems fosters greater cybersecurity resiliency across the organization.

How It Works

A typical commissioning effort starts in the planning and design stage to identify operational criteria that meet a client’s business requirements. A commissioning agent follows these parameters through installation and startup of equipment, overseeing the startup of certain systems — such as HVAC controllers, building automation systems, lighting controls, fire alarms or microgrid controls — to determine if the operational functionality of these systems meets the prescribed design criteria.

Cybersecurity commissioning operates hand in hand with the typical commissioning effort. Using best practice guidance from organizations like the National Institute of Science and Technology, a cybersecurity commissioner determines if systems on the operational technology (OT) network meet the design criteria for functionality and efficiency, as well as the security needs of the organization. These best practices can be applied across a variety of industries regardless of facility type, from airports, government and ports to manufacturing and utilities.

By understanding the criticality of each system, the cybersecurity commissioner creates a hierarchy of systems, then identifies any outside connections, remote or wireless, that could be exploited. In this way, the commissioner can assist operators in separating their OT network from other networks within the facility to build more secure systems.

Commissioners will also look closely at the human-machine interfaces used to configure and control each system, the networks, the sensors, and the overall control architecture to see what can be done to harden each system. This is achieved by turning off or eliminating different services or functions that are not in use by the system or organization but may allow entry into that network or device.
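A minimal sketch of the checks described in the two paragraphs above, added here as an illustration and not taken from the author's or any firm's tooling: it ranks a constructed asset inventory by criticality, then flags services that are running but not called for by the design criteria and connections that leave the OT zone or use a remote or wireless medium. All asset names, zones, services and the approved-link list are hypothetical.

```python
REMOTE_MEDIA = {"wifi", "cellular", "vpn"}  # media treated as remote or wireless

# Constructed sample inventory: every name, zone and service is hypothetical.
# "required" is what the design criteria call for; "observed" is what was found running.
ASSETS = [
    {"name": "fire-alarm-panel", "criticality": 1, "zone": "OT",
     "required": {"bacnet/47808"}, "observed": {"bacnet/47808", "telnet/23"},
     "links": [("OT", "wired")]},
    {"name": "hvac-controller", "criticality": 2, "zone": "OT",
     "required": {"bacnet/47808"}, "observed": {"bacnet/47808", "http/80"},
     "links": [("OT", "wired"), ("vendor-remote", "cellular")]},
    {"name": "bas-hmi", "criticality": 2, "zone": "OT",
     "required": {"https/443"}, "observed": {"https/443"},
     "links": [("corporate-IT", "wired")]},
    {"name": "lighting-control", "criticality": 3, "zone": "OT",
     "required": {"bacnet/47808"}, "observed": {"bacnet/47808"},
     "links": [("OT", "wifi")]},
]
# Connections the owner has explicitly accepted (assumed for this example).
APPROVED_LINKS = {("bas-hmi", "corporate-IT")}


def commissioning_findings(assets, approved_links=frozenset()):
    """Return (criticality, asset, finding, detail) tuples, most critical first."""
    findings = []
    for a in sorted(assets, key=lambda a: a["criticality"]):
        # Services running but not called for by the design: hardening candidates.
        for svc in sorted(a["observed"] - a["required"]):
            findings.append((a["criticality"], a["name"], "unused-service", svc))
        # Services the design requires but that were not seen: functional gap.
        for svc in sorted(a["required"] - a["observed"]):
            findings.append((a["criticality"], a["name"], "missing-service", svc))
        # Links that leave the asset's zone, or ride a remote/wireless medium.
        for zone, medium in a["links"]:
            outside = zone != a["zone"] or medium in REMOTE_MEDIA
            if outside and (a["name"], zone) not in approved_links:
                findings.append((a["criticality"], a["name"],
                                 "outside-connection", f"{zone} via {medium}"))
    return findings


if __name__ == "__main__":
    for crit, name, kind, detail in commissioning_findings(ASSETS, APPROVED_LINKS):
        print(f"criticality {crit}  {name:18} {kind:19} {detail}")
```

Reviewing the output in criticality order puts the fire alarm panel's stray service ahead of lower-priority items, and the approved-link list keeps accepted connections from cluttering the report.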

Why It Matters

Whether it’s done as part of a whole-system commissioning approach or performed during a system or equipment update, cybersecurity commissioning offers owners and operators the confidence that control systems are as secure as possible. Because threats are always developing, nothing is 100% secure, but performing this step in the commissioning process contributes to a system that meets or exceeds requirements for the organization.

Beyond its analysis of the hardware, cybersecurity commissioning provides organizations with the policies and procedures needed for operating and maintaining their systems and equipment at the appropriate, acceptable level of risk. This can go beyond the specific facility, impacting multiple facilities or the entire organization, creating a road map to cybersecurity maturity.

By integrating cybersecurity commissioning into the standard commissioning process, facilities and systems can be made more secure, ultimately protecting the organization from undue risk and providing the resilience to withstand and recover from a cybersecurity incident.



Robert Bradford is a federal market lead for cybersecurity at 1898 & Co., part of Burns & McDonnell. With more than 20 years of experience, Robert focuses on supporting facility cybersecurity in federal and aviation projects as well as consulting on policies and procedures related to risk management and business continuity.