The Internet of Things (IoT) enables buildings to be “smart” and offers new opportunities for improved facility energy and operational efficiency by connecting machines, sensors, data and real-time analytics with facility managers. Smart buildings are instrumented with thousands of network-connected sensors from lighting to HVAC that enable reduction in energy and water use through continuous monitoring and control. The remote monitoring capability not only helps in efficient management of ongoing facility operations but also helps with fault detection and diagnostics. Data from sensors and smart meters from the remote equipment can send alerts of imminent failure and identify action to be taken immediately to avoid costly downtime or equipment damage. 

Forecasts vary for the number of connected devices that will be installed over the next 5-10 years but there is consensus that the IoT market will experience significant growth and smart buildings will be one of the main drivers [1][2].  The rapid proliferation of IoT can be attributed to a few key developments [3]: 1) low cost and size of sensors, controllers and transmitters. In the last decade, the average cost of sensor has fallen by 50%; 2) dramatic cost reductions of internet bandwidth and the expansion of wireless coverage; 3) expansion of data storage and processing capacity combined with significant reductions in processing costs; and 4) innovative software applications and machine learning techniques.

As IoT and smart buildings become the norm, the Department of Defense (DoD), as the owner-operator of over 500,000 buildings and structures, has an opportunity to realize significant benefits.  However, as DoD facilities incorporate more networked systems as part of a transition to smart buildings, threat and vulnerability to cyber-attacks has increased. Connected devices and Control Systems (CS) range in application from building environmental controls to large scale systems such as the electrical power grid, and are often integrated with mainstream organizational information technology (IT) systems to promote connectivity, efficiency, and remote access capabilities. This level of interconnectivity poses security, operability and reliability threats. Within the DoD, there are an estimated 2.5 million unique CS systems that are used in over 300,000 buildings (each building may have 5-20 subsystems such as HVAC, lighting, fire, etc.) and over 250,000 linear structures (airfield lighting, pipeline, rail, etc.). 

Figure 1: Smart Installations

In order to protect and defend the DoD’s information and information technology from cyber-attacks, the DoD has established a cybersecurity program to develop its cyber forces and strengthen its cyber defense. DoD’s cyber strategy has three primary cyber missions [4]:

  1. Defend DoD networks, systems, and information
  2. Defend the U.S. homeland and U.S. national interests against cyberattacks of significant consequence
  3. Provide cyber support to military operational and contingency plans

While smart buildings and the IoT offer potential for DoD to improve facility energy efficiency and realize operational cost reductions, the increased vulnerability to cyber-attack must be addressed before the full benefits of smart building technology can be realized.  In an effort to address this issue, the ESTCP Energy and Water program issued a topic on cybersecurity under its FY18 solicitation: Innovative approaches to obtaining authority to operate for facility-related control systems. One of the most common barriers faced by installations in adopting and implementing new technologies is the time and cost it takes to meet the cybersecurity requirements and obtain an Authority To Operate (ATO) that allows these systems to operate on a DoD network. The objective of the solicitation is to find innovative approaches that reduce the time and cost to obtain ATO for common current and future network-reliant facility energy control systems and devices and that can be applied broadly across DoD installations. It is anticipated that solutions will employ Type Authorization [5] (TA) and Reciprocity [6], along with other innovative technology and process improvement solutions to address this need.  

Another area of interest related to smart buildings and the IoT is the military installation’s participation in energy markets.  With the development over the past several years of large renewable energy systems on DoD installations and the outlook for deploying microgrids, there is increasing interest in finding innovative ways to finance these systems.  ESTCP has a few ongoing Energy and Water projects that are demonstrating how distributed energy resources on DoD installations can generate revenue through participation in energy markets.  However, as with smart building technology, one of the main barriers to these solutions is meeting the cybersecurity requirements.  Two of these projects that have made progress on this front will be presenting during the upcoming April 20th webinar on Solutions for Installations' Participation in Energy Markets topic:

The project leads will discuss the technology, some results and challenges ahead in this area of development.  For more details on the webinar and registration, visit the webinar page



 [3] Goldman Sachs, “The Internet of Things: Making Sense of the Next Mega-trend,” September 3, 2014,


 [5] Type Authorization-An official authorization decision to employ identical copies of an information system or subsystem (including hardware, software, firmware, and/or applications) in specified environments of operation.  

 [6] Reciprocity-Mutual agreement among participating enterprises to accept each other’s security assessments in order to reuse information system resources and/or to accept each other’s assessed security posture in order to share information. Can apply to both TA and non-TA systems.