Data security and privacy in smart buildings: “People are the weakest link”

Smart buildings bring many benefits. They make our environment comfortable, safer and efficient. But the increased connectivity of devices to the cloud also makes buildings vulnerable to cyber attacks. Cybersecurity in smart buildings is therefore necessary to keep data safe and to ensure the privacy of the users. Together with Elena Chochanova and Tousif Rahman from TNO, we look at the challenges in protecting data.  

By: Eline te Velde

To highlight the importance of data security and privacy in smart buildings, Chochanova and Rahman developed a framework for data security, privacy & ethics in smart buildings. The framework is part of the results of the Brains for Buildings project and includes a step-by-step plan with recommendations. “The project started two and a half years ago with the aim of using big data to improve comfort, sustainability and energy consumption of smart buildings. The question of what privacy, ethics and security mean for smart buildings plays an important role in this,” says Chochanova.

IT and OT connectivity

Chochanova explains that securing smart buildings requires a new way of thinking: “Historically, the Information Technology (IT) and Operational Technology (OT) domains are very different: IT is completely in the digital world, but OT is in contact with the physical world. They were therefore strictly separated by a literal 'air gap'. But as technology develops, for example through the use of Internet of Things (IoT) devices, they become increasingly interconnected. This exposes OT to external influences and now also needs to be secured against cyber attacks, not just against physical threats. And IT security principles cannot simply be applied to OT systems. This makes it considerably more complicated to secure. You have to think of other solutions.”

“IT security principles cannot simply be applied to OT systems. This makes it considerably more complicated to secure. You have to come up with other solutions.”

The TNO researchers emphasize that the connection to the internet is a weak spot. “The architecture usually shows a division, the part inside the building and outside. Everything in the building is under your control, here you can take various security measures. As soon as the data is connected to the internet, the outside world, it becomes more complicated.” Rahman adds: “Make sure you ask the party that stores your data enough questions. Where do you store the data? What about security? Are you certified? Do you make backups? People tend to go for the cheapest option, but think carefully when it concerns data.”

In addition to increased connectivity, it is also not always clear who is responsible for the data from buildings. “It would be good to record the responsibility, for example as part of procedures. If it is clear who the data belongs to, it is also easier to manage and trace. Traceability in data is one of the most important points when it comes to security.”

The weakest link

The increased connectivity is a weak link in the system, but not the weakest. That is the human being. People make mistakes: someone forgets to change a password, uses a 'wrong' USB stick or clicks on a link in a phishing email. To prevent this, training and education are essential, as Rahman explains: “There is always a risk that people make mistakes, but of course awareness and training are very important. Especially to teach people what they are protecting. Because if you know the value, if you know what you are protecting, then you see the importance of it.”

“There is always a risk that people make mistakes, but of course awareness and training are very important. Especially to teach people what they are protecting. Because if you know the value, if you know what you are protecting, then you see the importance of it.”

Recommendations

As part of the framework, Chochanova and Rahman have formulated ten steps to build better cyber resilience. The first step is risk assessment. You can’t make a security plan without assessing the risks, the researchers say. “It should be clear that the risks for a nuclear power plant are different than for a hotel. However, a hotel is also not safe from cyber attacks, and can easily fall prey to ransomware, for example,” Chochanova notes. She refers to a hotel in the austrian alps, where the electronic key system was hacked.  

After the risk analysis, the recommendation is to create a risk mitigation plan and establish policies and procedures. Step five focuses on the risk of people. Training and awareness are essential to minimize risk. Awareness goes beyond insight into the collected data and risks, it also involves knowledge of your own system: “It is almost too easy to make a connection these days. It would be a shame if you put a lot of money and effort into securing your building and connections, but then unknowingly connect a new sensor that sends signals directly to the internet. That way, you roll out the red carpet for bad actors.”

Brains for Buildings (B4B) is an innovation project focused on developing methods to utilize data from smart meters, building management systems and IoT devices. By giving buildings a brain, so to speak, building owners and users are enabled to make better decisions. Want to know more about the project? Then visit the Brains for Buildings website or read more about the privacy, ethics and security framework.