Stay Informed
Follow us on social media accounts to stay up to date with REHVA actualities
Elena Chochanova, TNO, Delft, Netherlands, elena.chochanova@tno.nl
Tousif Rahman, TNO, Delft, Netherlands, tousif.rahman@tno.nl
The rapid digital transformation in building management is enabling unprecedented levels of operational insight, efficiency, and occupant comfort (IBM Security, 2022). Through pervasive IoT, interconnected Building Management Systems (BMS), and advanced analytics, buildings now function as integrated, data-driven environments (ENISA, 2022). However, the same technologies that underpin this progress introduce new vectors for data and privacy breaches, targeted cyberattacks, and ethical concerns (ENISA, 2022; GDPR, 2016).
Notable European initiatives, such as the NIS and NIS 2 Directives and the Cyber Resilience Act, which places security-by-design and vulnerability-handling obligations on manufacturers of products with digital elements, make clear that privacy, security, and ethics are foundational, not optional, requirements for operational technology (OT) with a digital component, including that in smart buildings. Without robust, holistic frameworks, building stakeholders face legal penalties, reputational damage, and even threats to occupant safety (Lee, Assante, & Conway, 2016; GDPR, 2016).
Smart buildings aggregate and process large volumes of personal, behavioural, and operational data. The challenge for practitioners lies in managing three deeply interconnected dimensions:
· Data security: Measures to prevent unauthorized access, manipulation, or loss of digital information, including cyber and physical safeguards (ISO/IEC 27001, 2017).
· Data privacy: The obligation to respect individuals’ control over their personal data, particularly as mandated by the General Data Protection Regulation (GDPR, 2016).
· Data ethics: Responsible, fair, and transparent use of data, which includes upholding societal expectations, informed consent, and accountability (European Parliament, 2016).

Figure 1. Navigating responsible smart building data management.
If left unaddressed, deficiencies in any one of these areas can undermine trust, cause business interruption, or invite regulatory sanctions (GDPR, 2016; ENISA, 2022).
Operational Technology (OT) differs significantly from Information Technology (IT): it historically relied on physical isolation (“air gaps”) for security. The rise of smart and connected technologies has driven IT/OT convergence, turning traditionally closed legacy OT systems in buildings (such as those controlling HVAC, lighting, and physical security) into open, networked environments that integrate IT, remote access, and cloud services. This exposes the systems to cybersecurity risks they were never designed for, including data breaches, accidental loss, insider threats, third-party access, and phishing (Siemens, 2018). Key vulnerabilities can be found in software, hardware, physical security, or network and access controls. Examples include:
· Legacy devices lacking security updates (ENISA, 2022; Siemens, 2018)
· Default credentials and weak password practices (ENISA, 2021)
· Complex vendor and supply chain ecosystems (Dutch Digital Trust Center, n.d.)
· Inadequate network segmentation and encryption (ISO/IEC 27001, 2017)
These weaknesses are not just theoretical. The 2015 cyberattack on Ukraine’s power grid (Lee et al., 2016), the Stuxnet incident (Langner, 2011), and the 2000 Maroochy Water Services incident, in which a former contractor used stolen radio equipment to release sewage (Australian Cyber Security Centre, 2001), show what compromise of a control system costs: operational shutdowns, physical equipment damage, and wide-scale service disruption. In each case the damage arose from the attacker’s ability to issue legitimate-looking commands to the control layer.
These vulnerabilities are particularly hard to remediate because IT and OT have fundamentally different security priorities and operational requirements. IT environments prioritize data confidentiality and integrity and accept regular patch cycles with scheduled downtime; OT environments prioritize continuous operation and safety, so a controller is rarely taken offline for an update, and long-lived, vendor-specific equipment resists standardization. Figure 2 summarizes the most important distinctions between IT and OT security in the context of smart buildings (Luiijf & te Paske, 2015).

Figure 2. Comparison of IT and OT security priorities.
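The weakness classes listed above (unsupported legacy devices, default credentials, third-party access, flat networks and cleartext protocols) can be checked mechanically against an asset inventory and a record of observed network flows, and the findings ranked by impact and likelihood, which is what the risk assessment and risk mitigation plan of the framework presented later ask for. The following Python script is an added example, not code from the article or the B4B project; the inventory, zones, flows, default-credential list, and the likelihood and impact scores are constructed assumptions.

```python
"""Bottom-up assessment of a constructed smart-building asset inventory.

Added example; devices, zones, flows and scores below are assumptions."""
from datetime import date

TODAY = date(2025, 1, 1)

# Factory credentials a bottom-up assessment checks against (assumed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root"), ("admin", "")}

# Segmentation policy: corporate IT and remote vendors reach the control
# zone only through a DMZ. Any other inter-zone flow is a bypass.
ALLOWED_FLOWS = {("corporate", "dmz"), ("vendor", "dmz"), ("dmz", "control")}
ENCRYPTED_PROTOCOLS = {"https", "ssh", "tls", "vpn"}

# Constructed inventory: impact (1-5) is the consequence of compromise.
ASSETS = [
    {"name": "ahu-controller-1", "zone": "control", "creds": ("admin", "admin"),
     "firmware_eol": date(2019, 6, 30), "impact": 5},
    {"name": "lighting-gateway", "zone": "control", "creds": ("svc_light", "x9!Lq2#Tm"),
     "firmware_eol": None, "impact": 3},
    {"name": "access-control-srv", "zone": "control", "creds": ("operator", "V4#pR8$wq"),
     "firmware_eol": None, "impact": 5},
    {"name": "bms-jump-host", "zone": "dmz", "creds": ("bmsadmin", "Hq2!sD9&kz"),
     "firmware_eol": None, "impact": 4},
]

# Constructed observed flows: (source zone, destination zone, protocol, destination asset).
FLOWS = [
    ("corporate", "control", "http", "ahu-controller-1"),   # flat network, cleartext
    ("vendor", "control", "telnet", "lighting-gateway"),    # direct third-party access, cleartext
    ("dmz", "control", "https", "access-control-srv"),      # policy-conformant
    ("vendor", "dmz", "vpn", "bms-jump-host"),              # policy-conformant
]

# Likelihood (1-5) attached to each weakness class (assumed values).
LIKELIHOOD = {
    "default credentials": 5,
    "unsupported firmware": 4,
    "segmentation bypass": 4,
    "cleartext access": 3,
}


def assess(assets, flows, today=TODAY):
    """Return {asset name: [(weakness, likelihood), ...]} for every asset."""
    findings = {a["name"]: [] for a in assets}
    for a in assets:
        if tuple(a["creds"]) in DEFAULT_CREDENTIALS:
            findings[a["name"]].append(("default credentials", LIKELIHOOD["default credentials"]))
        eol = a["firmware_eol"]
        if eol is not None and eol < today:
            findings[a["name"]].append(("unsupported firmware", LIKELIHOOD["unsupported firmware"]))
    for src, dst, proto, target in flows:
        if target not in findings:
            continue  # flow to something outside the inventory: an inventory gap, not scored here
        if src != dst and (src, dst) not in ALLOWED_FLOWS:
            findings[target].append(("segmentation bypass", LIKELIHOOD["segmentation bypass"]))
        if proto not in ENCRYPTED_PROTOCOLS:
            findings[target].append(("cleartext access", LIKELIHOOD["cleartext access"]))
    return findings


def rank(assets, findings):
    """Rank assets by risk = impact x highest likelihood among their findings.

    Returns a list of (name, score, sorted weakness names), highest risk first."""
    impact = {a["name"]: a["impact"] for a in assets}
    ranked = []
    for name, items in findings.items():
        score = impact[name] * max((lk for _, lk in items), default=0)
        ranked.append((name, score, sorted({w for w, _ in items})))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for name, score, weaknesses in rank(ASSETS, assess(ASSETS, FLOWS)):
        print(f"{score:3d}  {name:20s} {', '.join(weaknesses) or 'no findings'}")
```

Run as a script it prints the ranked list with the air-handling controller on top. The ranking multiplies impact by the highest single likelihood rather than a sum, so one severe weakness on a safety-relevant controller outranks several minor ones on a dashboard; that is the usual choice for deciding what to fix first. Feeding the real inventory and flow records into such a check is the bottom-up, risk-driven half of the framework described later; deciding which of the findings the organization's policy tolerates is the top-down half.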
Europe maintains one of the most comprehensive regulatory frameworks for data privacy and cybersecurity. The General Data Protection Regulation (GDPR, 2016) governs the collection, storage, and use of personal data, which in a smart building includes occupancy, access-control, and behavioural data. The NIS Directive (2016) imposes security and incident-reporting obligations on operators of essential services, which can include buildings with critical functions; its successor, NIS 2, applies from October 2024 and widens the set of covered sectors and entities. Several international standards provide practitioners with more detailed guidance. Figure 3 maps these standards and regulations to their main focus areas and applications in smart buildings.

Figure 3. Summary of key standards and regulations relevant to smart buildings.
Meeting these standards is not merely a legal duty, but a prerequisite for digital trust, business continuity, and insurance eligibility.
Effective risk mitigation in smart buildings demands a systematic framework. The People-Process-Technology (PPT) model, reinforced by the complementary top-down and bottom-up approaches, provides one such comprehensive framework to address the complex challenges of data privacy, security, and ethics in smart buildings. A smart building system architecture lies at the core of the framework and should be assessed from both perspectives (ISO 31000, 2018; Dutch Digital Trust Center, n.d.).
The bottom-up approach is risk-driven: it examines the characteristics of each asset in detail and conducts risk assessments on that basis. The top-down approach is policy-driven: it establishes appropriate security measures and risk mitigation strategies informed by the evaluation produced bottom-up.
Figure 4 illustrates how these three pillars—people, process, and technology—work together, supported by both risk-driven (bottom-up) and policy-driven (top-down) strategies, to build robust cyber resilience and compliance in real-world building operations.

Figure 4. People–Process–Technology (PPT) framework for smart buildings.
Drawing on the systematic research, standards analysis, and extensive stakeholder engagement carried out in the B4B project, we present a ten-step, practitioner-oriented framework to enhance cyber resilience in smart buildings. This set of recommendations clusters findings from technical assessments, cross-sector workshops, and validation with asset owners, facility managers, IT experts, and suppliers. The framework is designed to be actionable, scalable, and adaptable, supporting organizations at different stages of digital maturity in the built environment. Figure 5 illustrates this practitioner-focused approach, highlighting the key steps from risk assessment to continuous improvement.

Figure 5. Ten-step framework to enhance cyber resilience in smart buildings.
1. Conduct a comprehensive risk assessment
Analyze all relevant systems, networks, and devices to identify potential vulnerabilities and threats. This foundational assessment enables prioritization of risks and guides the selection of effective countermeasures tailored to the specific context of each building.
2. Develop a risk mitigation plan
Establish and regularly update a plan that ranks identified risks according to their impact and likelihood, detailing the technical and organizational countermeasures required. This dynamic plan should evolve in response to new threats and changes in the building’s technological landscape.
3. Establish clear policies and procedures
Develop, document, and communicate robust policies on data ownership, access control, and incident response. Ensure all stakeholders, including staff, service providers, and contractors, are aware of and adhere to these procedures.
4. Implement robust security measures
Deploy advanced technological safeguards such as network segmentation, firewalls, intrusion detection systems, and strong data encryption to protect critical systems and sensitive information against unauthorized access and cyberattacks.
5. Train and educate stakeholders
Implement ongoing training and awareness programs for all personnel, including facility managers, maintenance teams, and third-party suppliers. Foster a culture where security is viewed as a shared responsibility, promoting proactive behavior and vigilance.
6. Monitor and audit security measures
Schedule periodic security audits and technical assessments to verify the effectiveness of implemented controls, identify emerging vulnerabilities, and ensure continued compliance with regulatory and organizational requirements.
7. Develop an incident response plan
Clearly define roles, communication protocols, and step-by-step actions to be taken during and after a security incident. Regularly test, review, and update the plan to ensure preparedness for a variety of threat scenarios.
8. Address supply chain security
Assess and manage the cybersecurity posture of all suppliers and vendors, integrating stringent security requirements into procurement processes and contracts. This is essential for minimizing risks introduced by third-party products, services, and integrations.
9. Encourage collaboration and information sharing
Promote open communication and active information exchange among stakeholders—building owners, operators, IT and OT teams, vendors, and occupants—to identify risks early, share best practices, and strengthen the overall security posture.
10. Continuously review and update the data privacy, security, and ethics framework
Recognize that threats and technologies evolve rapidly. Regularly revisit and adapt the organization’s policies, procedures, and technical controls to address new challenges, remain compliant with emerging standards, and maintain effective protection for both building systems and occupant data.
This ten-step framework highlights the essential steps that building owners and operators, facility managers, suppliers, maintenance service providers, and other stakeholders should consider to mitigate threats and vulnerabilities and to build and maintain cyber resilience in the age of smart, connected buildings. By following these recommendations, practitioners can move beyond reactive measures toward a proactive, integrated, and sustainable strategy for privacy, security, and ethical management in the built environment.
Digital transformation in smart buildings is a double-edged sword. The convergence of IT and OT systems that advances operational efficiency, sustainability, and occupant experience also brings growing cyber-physical risks and regulatory scrutiny. International experience and European research underline that the integration of privacy, security, and ethics is not only a compliance exercise but a pathway to trust and long-term value in the built environment. By adopting a structured, standards-based framework, practitioners can ensure that smart buildings are not just connected but secure, resilient, and trustworthy, protecting occupant data while enabling intelligent and responsible building operations.
This framework has been developed as part of the four-year, multi-stakeholder B4B project. Key input for this work has come from hands-on workshops, such as the #hackmybuilding workshop, where practitioners simulated different attack and defense scenarios on a BMS testbed to identify vulnerabilities across physical, network, and application layers. The project is sponsored by the Dutch grant program for Mission-Driven Research, Development and Innovation (MOOI) and executed by RVO Netherlands Enterprise Agency.
Australian Cyber Security Centre. (2001). Maroochy Shire sewage spill incident report. https://www.acsac.org/2008/program/case-studies/Abrams.pdf
Dutch Digital Trust Center. (n.d.). Online security check for process automation. Digital Trust Center. https://www.digitaltrustcenter.nl/tools/doe-de-security-check-procesautomatisering/
ENISA. (2021). Threat Landscape 2021. European Union Agency for Cybersecurity. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2021
ENISA. (2022). Threat Landscape 2022. European Union Agency for Cybersecurity. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022
European Parliament. (2016). Ethical aspects of cyber physical systems: STOA Scientific Foresight Project. https://www.europarl.europa.eu/stoa/en/document/EPRS_STU(2016)581826
European Union. (2016). Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union. https://eur-lex.europa.eu/eli/reg/2016/679/oj
European Union. (2016). Directive (EU) 2016/1148 on the security of network and information systems (NIS Directive). Official Journal of the European Union. https://eur-lex.europa.eu/eli/dir/2016/1148/oj
IBM Security. (2022). Cost of a Data Breach Report 2022. IBM Corporation. https://www.ibm.com/downloads/cas/3R8N1DZJ
International Electrotechnical Commission. (2018). IEC 62443: Security for industrial automation and control systems. IEC. https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards
ISO. (2018). ISO 31000:2018: Risk management—Guidelines. International Organization for Standardization. https://www.iso.org/standard/65694.html
ISO/IEC. (2017). ISO/IEC 27001:2017: Information technology—Security techniques—Information security management systems—Requirements. ISO. https://www.iso.org/standard/27001
Langner, R. (2011). Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security & Privacy, 9(3), 49–51. http://dx.doi.org/10.1109/MSP.2011.67
Lee, R. M., Assante, M. J., & Conway, T. (2016). Analysis of the cyber attack on the Ukrainian power grid. SANS Industrial Control Systems (ICS). https://www.sans.org/blog/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid
Luiijf, E., & te Paske, B. (2015). Cyber security of industrial control systems. TNO. http://dx.doi.org/10.13140/RG.2.1.3797.4566
Siemens Building Technologies. (2018). Security system design in critical infrastructure (Whitepaper). https://www.siemens.com/global/en/products/automation/topic-areas/industrial-cybersecurity/downloads/white-paper-infrastructures.html
Williams, J. (1994). Purdue enterprise reference architecture: Model for control systems integration. Computers & Chemical Engineering, 18(9), 885–891. https://doi.org/10.1016/S1474-6670(17)48532-6