Supporting More Resilient and Sustainable Building Operations: A Q&A with Dean Zwarts

An expert Q&A on how connected buildings, AI, digital twins and cyber‑physical security will reshape safety, sustainability and facility management by 2030 and what to prioritize now.

Dean Zwarts

Dean Zwarts, senior business manager of device security at UL Solutions, explores how building safety, security and sustainability are converging as environments become fully connected digital ecosystems. He shares how technologies such as artificial intelligence (AI) and digital twins enable predictive maintenance, energy optimization, remote inspections and faster decision‑making while also introducing new cyber risks and interoperability challenges. Zwarts also looks at how success depends on security‑by‑design, strong data governance, skilled oversight and continuous risk management to support more resilient, autonomous and sustainable building operations.

What major shifts do you expect in building safety, security and sustainability practices by 2030 and beyond and what is driving them?

Looking ahead to 2030, we're seeing a clear trajectory where everything becomes connected. This will continue to transform traditional environments into dynamic digital ecosystems that integrate physical, cyber-resilient and sustainability systems. With that in mind, we're seeing a few major shifts.

First is the integrated safety ecosystem. Systems like fire, access control and Internet of Things (IoT) sensors now share real-time data, allowing for a proactive, preventative approach rather than a reactive one. A second trend is the cyber-physical security convergence. Because buildings are fully connected, attack vectors have increased. They are now high-value cyber targets where digital vulnerabilities create physical safety risks.

We also have to consider sustainability by design, which is driven by electrification, automated carbon tracking and stricter emissions reporting. Finally, there are data-driven aspects like artificial intelligence and digital twins. AI automates mundane tasks and enables faster decision-making, while digital twins serve as an operational backbone for remote inspections and continuous sustainability optimization. Ultimately, all of these shifts are fueled by rapid urbanization of connectivity, climate commitments, insurance pressures and accelerating digitization.

 

Thinking about new cybersecurity risks as everything becomes increasingly connected, how do you see those new risks and new access paths impacting some of these new technologies like AI and digital twins?

Emerging technologies like AI and digital twins are becoming the backbone of modern building requirements. AI automates tasks like threat detection, energy optimization and predicting equipment failures, and supports real-time safety decisions across the entire building ecosystem.

Digital twins are rapidly emerging as data-driven replicas of buildings to support remote inspections, incident simulations and sustainability while leveraging IoT, AI and building information modeling (BIM) for energy management and predictive maintenance.

However, although all of this is technologically feasible, adoption is currently slow due to high upfront costs. We also face challenges with complex data integration, skills gaps and cybersecurity risks concerning system interoperability and data governance.

To tackle these challenges, UL Solutions Smart Systems Rating Program provides a standardized framework that evaluates and validates digital twins. It assesses their connectivity, interoperability, resilience and functionality, bringing much-needed clarity to an otherwise inconsistent market.

 

Do you see regulatory requirements and standards evolving to accommodate these new technologies?

As everything becomes connected in this dynamic market, new vulnerabilities and attack vectors are introduced. Systems like connected HVAC, life signaling and smoke detection are now real cyber targets. Regulators are shifting towards risk-based, data-driven security compliance. There is a much stronger cybersecurity mandate for operational technologies, particularly in Europe. The Network and Information Security 2 (NIS2) Directive expands critical infrastructure classifications, while the Cyber Security Resilience Act addresses connected hardware and software. These regulatory requirements can act as barriers to entry, but also serve as market access enablers, like the CE marking.

Globally, we're seeing alignment on safety and sustainability standards, focusing on digital recordkeeping, life cycle reporting and supply chain transparency. Newer areas like digital twins and AI are also maturing under these same fundamental principles. We're seeing developments like the proposed AI Act, ISO 42001 and even UL 3115, the Outline of Investigation for Safety of AI-Based Products. Because these digital domains are interconnected, AI and cybersecurity are key focus areas, driving the global adoption of industrial standards like IEC 62443.

 

You mentioned these merging requirements and standards are both barriers to and enablers of market entry. Can you talk through that?

If we compare the U.S. to the European market, we have two very different demand drivers. The European market is very much driven from a regulatory perspective, true regulations, and then they play catch-up in terms of which standards need to apply. We've seen that with everything from AI to NIS2 to even the Cyber Security Resilience Act. So, regulations are out and then there's a catch-up in terms of standards. From the U.S. market perspective, it's a little bit different. Standards and standard development generally seem to be ahead of the curve. The deployment and the ability to deploy are already there and then it's a matter of how it gets driven from a procurement perspective. So, there is an investment required from manufacturers, from the solution providers, from the integrators to make sure that they can provide strong cybersecurity resilience in terms of education in the market. In other words, enabling a safer ecosystem versus seeing it as a barrier to entry, such as the European market, where it becomes a mandatory requirement.

 

Building technologies

What safety and reliability challenges emerge as buildings move toward autonomous and fully integrated smart system operations?

This is interesting because we need to view it through the lens of cyber-physical safety and reliability. As we introduce new technologies and capabilities, the risk amplifies. For example, as fire, access control, HVAC and life safety systems become interconnected and share real-time data, attack surfaces grow. This creates multiple single points of failure that could have a cascading effect across the ecosystem.

Interoperability becomes increasingly important, as well, but it introduces its own vulnerabilities when multiple systems share information. This brings new data risks, such as data loss, latency or misconfigurations, which can degrade life safety product performance. With autonomous functions, systems heavily depend on accurate and timely data. Poor governance or stale digital twins with outdated data can trigger unsafe decisions, especially when integrating artificial intelligence. To address this, we need to focus on skills and process gaps. These new operational modes require continuous monitoring and need to be operationalized using tools like incident playbooks. We also need to upskill operators to avoid an over-reliance on automation.

 

What is your perspective on how today’s new, younger workforce is impacting the industry from a safety and reliability standpoint?

We have to step back and look at the skills needed for these new requirements. As we move from manual validation into a digital domain, new expertise is required. This gives us an opportunity to cross-skill the legacy workforce, allowing them to evolve their roles as manual processes become automated.

There are really two main skill sets needed. First is the expertise to create a safer ecosystem right from implementation. This starts with the supply chain. Procuring secure vendors and integrating them to create a cyber-safe, interoperable environment from day one is essential. The second is the operational side. It's still ill-advised to rely entirely on autonomous systems. Human oversight is always recommended, especially with AI. We need manual validations and data oversight to prevent false positives.

Ultimately, it's not about needing a completely new workforce. It's about upskilling people to leverage dashboards and automation while maintaining strong quality assurance.

 

How can building platforms balance cybersecurity resilience with the need for seamless interoperability?

Looking at the life cycle of these platforms, balancing interoperability and cybersecurity resilience comes down to a few main points. First and foremost, implement systems that are secure by design. This means designing products to be secure throughout their entire life cycle, from procurement to the supply chain, across both operational and IoT technologies. Second, focus on integration models and APIs. These create scalable, secure, plug-and-play interoperability as your ecosystem naturally evolves.

Then, we need to address data requirements. This includes data ownership, quality service level agreements (SLAs) and encryption, following regulatory governance frameworks for managing data. Fourth, use strong validation frameworks to benchmark connectivity and cybersecurity, making the system user-friendly without compromising security. Finally, prioritize continuous assurance. Because software constantly changes, ongoing patch management and updates are vital to mitigate emerging threats and ensure smooth, secure integrations over time.

It’s a dynamic environment, so activities such as vulnerability management and reporting become part of the continuous responsibilities. It must be maintained throughout its life cycle for cybersecurity resilience and to support seamless interoperability on an ongoing basis.

 

Is it fair to say the nature of all of this keeps the process of regulation on its toes to evolve at the speed of the software?

The challenge is making sure regulations and frameworks keep pace with external threats, since they often take time to catch up. When zero-day vulnerabilities emerge, manufacturers and integrators must quickly find ways to mitigate them before they can be exploited. It's a constant battle. While regulations and standards provide a necessary baseline, a strong risk management approach is ultimately crucial to protect assets and mitigate potential attack vectors.

In addition to AI and digital twins, are you seeing other digital building innovations that show promise for sustainability performance gains in the next five to 10 years?

Something we haven't touched on is electrification intelligence. Coordinating heat pumps, storage, and electric vehicle (EV) charging with grid signals acts as a digital enabler for decision-making within integrated ecosystems. Another key area is automated carbon tracking, though its prioritization heavily depends on geopolitics. Ultimately, AI and operational digital twins will really change the playing field, provided we ensure these technologies are secure, interoperable, and cyber-safe.

 

Do you see any differences or variations by country or region?

Absolutely, global viewpoints vary significantly. The U.S., Europe, China and emerging countries in Latin America, Africa and the Asia Pacific all hold unique perspectives. Without a one-size-fits-all solution, achieving a unified approach remains challenging.

 

How do you expect the growth of semi or fully autonomous building systems to change facility management in the years ahead?

Operations are definitely moving from reactive to proactive and predictive. With fully autonomous systems, we're applying exception handling, analytics oversight, and playbook orchestration to enable these new digital capabilities. This shift requires higher-skilled staffing for initial setups and configurations. For ongoing maintenance like system integration, data governance and cyber resilience, you'll likely see a growing opportunity for niche expertise.

We also must consider digital command centers. When managing multi-site portfolios, remote supervision becomes a critical role. Here, tools like digital twins play a major part in creating a single source of operational truth. Ultimately, these will be the key areas of growth for the facility management side.

 

As buildings become more connected, what are the top cybersecurity vulnerabilities you see emerging by 2030?

Looking at what connected buildings will face, we are seeing an expanding area of risk. As I mentioned earlier, new connectivity opens up attack vectors across operational technology (OT) and IoT devices, creating a higher-impact attack surface. For instance, if an unsecured mobile app provides remote access to a data center's HVAC system, a hacker could alter the temperature, potentially causing millions in damages.

This bridges the gap between physical and cybersecurity. Major vulnerabilities emerge through this integrated ecosystem, including risks from third-party integrators, cloud services, weak identity controls, and mobile access. Additionally, AI and digital twins depend on sensor data that can be manipulated, and outdated legacy building management systems are often the first to be attacked.

Ultimately, you must prioritize security by design from implementation through continuous management. Crucially, conduct a proper risk assessment of your existing environment to ensure systems are securely configured with strictly limited remote access.

 

What do you think facility managers should prioritize to safeguard IoT devices and critical building infrastructure?

There is no silver bullet. This is a process of many smaller steps for effective cyber-physical protection. First, apply security by design by segmenting networks and enforcing zero trust principles for least-privilege access. Second, security teams must maintain complete hardware and firmware inventories, backed by strong patch and operational management. Third, implement strict identity controls like multi-factor authentication, ensuring full auditability and logging. Fourth, data governance is vital for continuous monitoring, especially with AI and digital twins, because data and physical access risks often go hand-in-hand. Finally, implement incident response playbooks such as IEC 62443 that integrate cyber and physical impacts to limit effects on critical areas like life safety operations.

 

So, there might be better places to start depending on the organization, but there's no single correct option?

Correct. To add to that, a strong starting point is always a good risk management system or risk management approach. Asking “Where do I need to start?” and completing a proper risk assessment should probably be step zero.

 

What do you see as the most overlooked challenge surrounding these new innovations between now and 2030 or now and 2035?

The increasing complexity of digital integration. For example, a Las Vegas casino was hacked through a connected fish tank used for temperature tracking. The real risk lies not in a single technology, but in the interdependency between all these connected systems. By 2030, success will depend on planning for cyber-physical convergences, building trustworthy data flows and developing the right capabilities and governance models. You must ensure life cycle digital strategies keep pace with rapidly evolving technology, regulations, and external risks, addressing all of them together rather than in isolation.

 

Are there any emerging regulations or policy shifts that you think will have a significant impact in the next five to 10 years?

Some markets are driving regulations aggressively, particularly the European Union with the NIS2 Directive, the Cyber Security Resilience Act and the proposed AI Act. Manufacturers and operators should look at these international trends today. Even if not locally required, implement strong practices like security by design and data governance using existing standards. To prepare for 2030, learn from these global mandates now because these regulations will eventually come to secure your own ecosystem.

 

Are you suggesting that the most stringent regulations or standards will eventually ripple out more broadly?

Correct. The EU exemplifies strong cybersecurity mandates. They started lightly with the Radio Equipment Directive for wireless tech and established baseline best practices. This evolved into the stricter Cyber Security Resilience Act, requiring compliance for all connected products by 2027. The U.S. is following suit with new NIST standards and Executive Order 14028. Applying these global best practices today will benefit manufacturers and operators as these inevitable regulations expand.

 

How can industry stakeholders strengthen collaboration across the value chain to drive resilient and future-ready buildings by 2030 or beyond?

It starts with understanding a shared digital ecosystem and defining a common performance framework. This enables seamless collaboration from early design through operations among developers, original equipment manufacturers (OEMs), architects and engineers. They must align governance, data sharing, cyber resilience and sustainability to effectively leverage technologies like AI and digital twins.

From UL Solutions’ perspective, I think we need to act as an enabler across this entire ecosystem. We support the customer journey by providing global compliance insights, so stakeholders know what's required. From there, we offer advisory support, gap analysis, testing, validation, certification and continuous surveillance. Ultimately, UL Solutions acts as a seamless partner, supporting different stakeholders at different phases. 

 

Get connected with our team

Let our team of experts help you meet the requirements needed for future-ready buildings.

Meet our expert

Dean Zwarts oversees cybersecurity services at UL Solutions globally for various sectors, focusing on technical evaluations and technologies through compliance with and enhancement of industry standards, and leading the operational and delivery teams in cybersecurity at UL Solutions. He is responsible for implementing business growth in several industry sectors and required accreditations of the company’s cybersecurity laboratories worldwide.
