Cybersecurity and Privacy Risk Management Preparation Questionnaire and Handbook
Questionnaire
Smart Buildings integrate information and communication technologies with infrastructure to manage resources and to coordinate and improve services. Building automation systems (BAS) are used to control a wide variety of physical building infrastructure, including HVAC systems, lighting, water, and power. BAS may be more or less integrated with Building Management Systems (BMS), energy management systems, property technology, and tenant or occupant service applications. All of these systems may communicate over building-area networks and access the Internet through connections to broadband networks. We refer to this broad collection of systems and communication technologies as Smart Building technologies. As Smart Building technologies link cyber and physical infrastructure and transform dependencies among building systems, cybersecurity controls become increasingly essential to protect occupants, building infrastructure, and smart building functions. As data about individuals is collected, stored, processed and communicated among systems to enable personalized occupant services, privacy controls have also become essential.
Choosing appropriate cybersecurity and privacy controls requires a clear understanding of context regarding the building’s purpose and the criticality of physical and cyber systems to that purpose. Risk management is a comprehensive process for addressing organizational risk throughout the lifecycle of a building and its many component systems. The widely adopted U.S. National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF) [1] describes an actionable process for integrating cybersecurity and risk management activities into the lifecycle of system design and operations.
The RMF addresses risk management at three different levels to inform leaders and facilitate decision-making regarding risks to assets and operations. The first two levels, the organizational level and the mission/business process level, focus on identifying critical assets, making choices regarding risk tolerance, and identifying stakeholders, especially including third parties with important responsibilities for security and privacy. At these first two levels, the framework steps focus on preparing the organization to select, implement, and operate the necessary security controls to appropriately address risk in the context of the mission/business needs of the organization. At the third level, the RMF focuses on specific system components, requirements definition, system architecture, and more detailed technological controls.
While the RMF focuses primarily on cybersecurity, NIST has produced a draft privacy framework [2], with a process that parallels that of the RMF. An organization following the process in the privacy framework would first define a profile describing the desired privacy outcomes (informed by laws, regulations, organizational best practices, etc.) and identify information about individuals that the organization handles. The latter steps of the privacy framework address technology-dependent details such as access permissions and network segmentation.
Organization Level Questions
The hierarchical breakdown of activities and tasks in the NIST RMF begins at the highest level with the organization. An independent organization will be held accountable through laws, regulations and contracts for the security (and privacy) impacts of the systems it operates. In the Smart Buildings space, a building owner or property management company is likely the most relevant organization. A large property management company may have multiple departments, each of which could also take on the role of an organization with respect to the RMF, but with a more focused scope than that of its parent organization. Subcontractors that provide specific building management services could also use the RMF to address cybersecurity within the scope of their operations.
The following questions are intended to help guide building management in gathering necessary information and making decisions necessary to prepare for executing the later tasks in the RMF.
Identifying stakeholder organizations and individuals
- Building management/maintenance: Which organizations manage or maintain equipment for the building? Consider, for example, organizations that manage or maintain: HVAC system, fitness center/pool equipment, elevators, grounds, business center.
- Service providers: Which organizations provide services on behalf of building management or tenants? Consider, for example, delivery services with direct access to facilities, custodial/cleaning services, security and reception services, facilities maintenance staff, and consulting services.
- Utilities: Which utilities provide essential services to the building? Consider electrical power, gas, water, cable or satellite network.
- Occupants: Which building occupants (organizations or individuals) will interact with building systems? Note that, for example, building sensors may detect the activities of individuals, either in their offices or in their personal residences. Building networks may carry the personal or business data of tenants.
Identifying the regulatory environment
- Governance: What laws, regulations, and contracts influence the cybersecurity and privacy requirements for the building?
- Consider federal, state and local laws. In some cases, international law may be applicable (e.g., the European Union’s General Data Protection Regulation (GDPR) [3]).
- Consider laws related to organizations that maintain building equipment or provide services. For example, laws that protect data about individuals’ energy use may limit collection of tenant data for building energy assessments.
- Consider laws relating to building or tenant functions. For example, in a hospital building, HIPAA protections for patient data privacy may affect plans to track locations of individuals for fire safety.
- Consider contracts with service providers and equipment maintenance providers.
Creating and communicating cybersecurity and privacy policies
- Policy development: Who is responsible for writing the cybersecurity and privacy policies by which organizations and individuals that interact with the building must abide and that must be implemented via Smart Building technologies? Who is responsible for updating these policies in response to changing laws and regulations, new contracts, or evolving goals of building stakeholders?
- Policy communication: Who is responsible for communicating about changes to cybersecurity and privacy policies with building stakeholders and with organizations responsible for policy implementation through building Information Technology (IT) and Operations Technology (OT)? Consider, for example, the impact of a new privacy law that prohibits the collection of certain personal information about building occupants. What if the smart thermostats installed in the building collect that personal information?
Identifying sources of guidance and leverage
- Guidance sources: Which sources of guidance will you use to evaluate cybersecurity and privacy risk and implement controls? Consider, for example, NIST’s publications, available through its Computer Security Resource Center.
- Leverage sources: What sources of leverage do you have to influence the cybersecurity and privacy characteristics of systems and services that interact with your building?
- Consider aspects of your supply chain, including contracts with suppliers, contracts with service providers, procurement standards and processes.
- Consider your response options if you learn that an operational system, product or service has unacceptable cybersecurity or privacy characteristics. Can you cancel the service? Remove and replace a system or product?
Identifying necessary staff skills and expertise
- Expertise: Does your organization currently have the expertise to build and operate your building and meet (at least) your legal obligations for cybersecurity and privacy? If not, have you identified the roles that you will need to fill and sources for hiring or contracting to establish the necessary capabilities? Have you identified education or training resources to help current staff develop the necessary skills?
Ongoing operations
- Operational oversight: Which organizations and individuals will be responsible for operational oversight of the cybersecurity and privacy performance of building systems? Who is responsible for ensuring that building systems and personnel are meeting legal responsibilities? Consider who will respond to queries from law enforcement or city officials regarding any cybersecurity/privacy issues that may arise from building operations.
- Implementing cybersecurity and privacy policies: Which organizations and roles are responsible for configuring building IT or OT systems to implement cybersecurity and privacy policies? Which operational organizations (IT and OT) and roles are responsible for communicating with building policy makers to ensure that technology configurations reflect current cybersecurity and privacy policies?
Mission/Business Process Level
In the Smart Buildings context, cybersecurity incidents that impact system or data availability or integrity can lead to building system failures (outages) or malfunctions. Incidents that violate the confidentiality of building, service provider, or tenant information may also have serious ramifications. Incidents that result in disclosure of information about individuals (e.g., residential tenants, employees of commercial tenants, building management staff, employees of building service providers) may have serious privacy impacts. The following sections describe an approach to identifying the most critical building systems, business- or mission-sensitive data, and private data of individuals that must be protected. Identifying and characterizing these items is an essential step toward planning, prioritizing, and allocating resources to protect them.
Critical Systems
The effect of failures in different building systems may range from serious, safety-critical impacts to financial impacts to a tenant or building owner to long-term damage to the physical building infrastructure. Identifying the mission-level criticality of each building system will later enable building system designers and operators to focus risk mitigation efforts on the most critical systems.
At the mission/business process level, it is essential to identify the major building systems/functions and whether that system/function is critical to:
- Human safety: Failure of the system could result in serious injury or loss of life for the building occupants
- Business operations: Failure of the system could jeopardize business operations. For example, the failure of a service metering system could prevent building management from billing occupants for resources (e.g., water, power) consumed
- Tenant operations: Failure of the system could jeopardize tenant business operations or day-to-day living of residential tenants
- Third party operations: Failure of the system could jeopardize the operations of third-party services (e.g., residential tenant services such as dry-cleaning pickup/dropoff, property maintenance services such as landscaping or swimming pool maintenance) operating on behalf of building management.
- Business confidentiality: Failure of the system could disclose sensitive business data (e.g., contract pricing or terms, salaries, partnership terms, planned acquisitions)
- Tenant business confidentiality: Failure of the system could disclose sensitive business data of tenant businesses
Note that system criticality is highly dependent on the purpose of the building and the occupants. The systems critical to the operations of a hospital building are very different from those that are critical to the operations of a shipping warehouse or a plant nursery. For example, an HVAC system outage in a refrigerated warehouse for storing frozen foods would have a very high impact on business operations; in a hospital, an HVAC outage could be a safety risk for patients; in an office building, an HVAC outage could be unpleasant for employees, though in extreme weather, employees might need to leave the building. The building mission context (e.g., the purpose of the building and some characteristics of its expected occupants) is necessary to identify the potential severity of a cybersecurity incident that leads to an HVAC system outage.
Table 1 shows an example for an assisted living building for senior residents. Note that an extended outage of any building system may become a more serious problem over time.
| System | Human Safety | Business ops | Tenant ops | 3rd party ops | Business Confidentiality | Tenant Business Confidentiality |
|---|---|---|---|---|---|---|
| Power monitoring | High | High | High | | | |
| HVAC controls | High | Low | High | | | |
| Lighting controls | High | Low | High | | | |
| Fire/CO sensors | High | High | | | | |
| Security sensors | High | High | | | | |
| Broadband network | High | High | High | High | | |
| Common WiFi | High | High | High | | | |
| Landscape | Med | | | | | |
| Waste management | Med | Med | | | | |
| 3rd party service | | | | | | |
| 3rd party service | | | | | | |
| City service | | | | | | |
| First responder link | High | High | | | | |
Table 1: Example building system criticality assessment for assisted living facility
- Power Consumption Monitoring: Monitor the energy consumption of individual assets and building zones to identify waste sources and improve energy efficiency
- Intelligent HVAC Control: Measure temperature, humidity and air quality in remote building areas for decentralized, granular control of the HVAC system
- Smoke and Carbon Monoxide sensors: Interconnect alarm systems to trigger alerts to dangerous conditions and monitor battery life
- Landscape sensors: Provide data on landscape irrigation and other systems to detect leaks and optimize water use
- Waste Management: Monitor waste container fill-levels and optimize pick-up routes and disposal schedules
- Third-party services: Sensors and monitoring systems that support third-party services, such as sensors that monitor status of exercise equipment in on-site gym, managed by third-party service
- City services: Sensors and monitoring systems that support smart city operations
- First responder link: Sensors and monitoring systems (e.g., occupancy sensors) that provide information to first responders (e.g., police, ambulance, fire department) in emergencies
The workbook in the appendix contains a table template that you can use to identify critical systems within your building.
Personal data about individuals
The European Union’s General Data Protection Regulation (GDPR) [3], adopted in 2018, is a comprehensive privacy regulation that protects the rights and freedoms of individuals with regard to the processing of personal data and movement of personal data. GDPR offers a broad definition of “personal data”:
The United States Executive Office of the President, Office of Management and Budget [5] defines “Personally Identifiable Information (PII)” as:
In [4], the U.S. National Institute of Standards and Technology (NIST) recognized widespread inconsistencies in the definitions and use of the term “Personally Identifiable Information,” and so provided the following distinctions among similar terms:
Because the European GDPR impacts any organization that handles information about European individuals, even when those individuals are traveling outside of Europe (e.g., occupying a building somewhere outside of Europe), we use the GDPR terminology “personal data.”
Building systems may receive, collect, store, process, or send personal data about individuals that must be protected to prevent unauthorized disclosure or unintended aggregation. While building systems for a hospital may use sensitive patient diagnosis or treatment information (e.g., air exchange rates for rooms where patients with infectious diseases are treated), even buildings that serve more public functions (e.g., hotels, offices) may use or link to sensitive data about occupants. For example, some hotels offer a digital room “key” via a cellphone app that enables physical access to the guest’s hotel room and links to the hotel guest’s account, including information about the guest’s home address, phone number, credit card, past stays and future reservations. Many office buildings are accessible to employees of tenant companies via smart card (or phone app) readers that link to some form of employee record.
Personal data about individuals whose inappropriate disclosure could present a risk to privacy include, but are not limited to: identifying information (e.g., name, street address, email address, phone number, age, sex, marital status, biometric data), health information, genetic information, physical location information, communication (e.g., voice conversations, email or text messages, and app-based communication), relationships with other individuals (e.g., “address book” contacts) and personal habits (e.g., activity patterns, personal calendar). Information collected through building systems may also be used to infer information that individuals consider private. For example, data about energy use patterns in a residence could be used to infer personal habits of individuals. Aggregation of such data with identifying information could enable construction of a very detailed electronic dossier about an individual.
While a building’s immediate use of information about individual occupants may be benign, serious privacy problems may arise when that information is shared with third parties or aggregated through interconnected systems. Best practices for privacy protection include:
- Use as little personal data as possible to enable the necessary system functionality. Collect as little personal data as possible. Thoroughly delete such data from the system as soon as possible. Do not communicate personal data between systems, unless it is essential. Inhibit methods of linking multiple systems that store personal data to limit the breadth of impact of a data breach of one of the systems.
- Limit access to and carefully prevent unauthorized disclosure of any personal data that must be used or stored.
- Audit access to personal data and review logs of these accesses periodically to promptly identify and address unauthorized or unexpected accesses.
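The third practice above, reviewing access logs for unauthorized or unexpected accesses, is easiest to sustain when the review is scripted against a written entitlement table. The following is an added example, not code from the handbook or from any real building system; the log format, the systems and roles, the entitlement table and the review thresholds are all constructed assumptions:

```python
"""Periodic review of a personal-data access log.

Added example for the audit practice above; not from the handbook. The log
format, the systems, roles, entitlement table and review thresholds are all
assumptions constructed for this example.
"""
import csv
from datetime import datetime
from io import StringIO

# Assumed entitlements: (system, role) -> categories of personal data that
# role may access in that system. Kept as data so the review itself can be
# checked against the written policy.
ENTITLEMENTS = {
    ("security_sensors", "security_desk"): {"badge_event", "occupancy"},
    ("security_sensors", "building_it"): {"badge_event"},
    ("power_monitoring", "building_ops"): {"meter_reading"},
    ("common_wifi", "building_it"): {"device_mac"},
}

# Review thresholds (assumed): accesses are expected during staffed hours,
# and personal data is read a few records at a time, not in bulk.
EXPECTED_HOURS = range(6, 21)   # 06:00 to 20:59 local time
BULK_THRESHOLD = 50

# Constructed access-log sample; one row per access, with the record count.
SAMPLE_LOG = """\
timestamp,system,actor,role,action,category,count
2024-03-04T08:02:11,security_sensors,jlee,security_desk,read,badge_event,1
2024-03-04T08:15:40,power_monitoring,mpatel,building_ops,read,meter_reading,12
2024-03-04T09:01:03,security_sensors,vendor01,hvac_vendor,read,badge_event,1
2024-03-04T22:47:55,security_sensors,jlee,security_desk,export,badge_event,900
2024-03-04T10:30:00,common_wifi,rkim,building_it,read,device_mac,3
2024-03-04T11:05:19,power_monitoring,mpatel,building_ops,read,badge_event,1
"""


def review_access_log(log_text, entitlements=ENTITLEMENTS,
                      expected_hours=EXPECTED_HOURS, bulk_threshold=BULK_THRESHOLD):
    """Return (reason, actor, timestamp) findings for a log in the assumed CSV format.

    Three kinds of check: the role has no entitlement on that system at all
    (unauthorized), the role is entitled but not to that data category
    (unauthorized), and the volume or time of day is out of the ordinary
    (unexpected). Each finding names the actor and timestamp for follow-up.
    """
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        allowed = entitlements.get((row["system"], row["role"]), set())
        when = datetime.fromisoformat(row["timestamp"])
        count = int(row["count"])
        if not allowed:
            findings.append(("role has no entitlement on this system", row["actor"], row["timestamp"]))
        elif row["category"] not in allowed:
            findings.append(("category not permitted for this role", row["actor"], row["timestamp"]))
        if count >= bulk_threshold:
            findings.append(("bulk access of personal data", row["actor"], row["timestamp"]))
        if when.hour not in expected_hours:
            findings.append(("access outside expected hours", row["actor"], row["timestamp"]))
    return findings


if __name__ == "__main__":
    for reason, actor, ts in review_access_log(SAMPLE_LOG):
        print(f"{ts}  {actor:<10} {reason}")
```

Run against the constructed sample, the review flags the vendor account with no entitlement, the late-night bulk export by an otherwise entitled operator (both as bulk and as out-of-hours), and the operations role reading a category it is not entitled to. Keeping the entitlement table as data means the same file can be handed to the policy owner for review, which closes the loop between the written policy and what the systems actually permit.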
The example shown in Table 2 indicates how each building system treats information about individuals. Shaded columns and rows indicate transmission of such information among systems. By identifying exactly which information is managed or transmitted to/from building systems, potential risks to privacy can be identified and addressed.
| System | Receives | Collects | Stores | Processes | Sends |
|---|---|---|---|---|---|
| Power monitoring | ☒ | ☐ | ☒ | ☒ | ☒ |
| HVAC controls | ☒ | ☐ | ☐ | ☒ | ☐ |
| Lighting controls | ☒ | ☐ | ☐ | ☒ | ☐ |
| Fire/CO sensors | ☐ | ☐ | ☐ | ☐ | ☐ |
| Security sensors | ☐ | ☒ | ☒ | ☒ | ☒ |
| Broadband network | ☐ | ☐ | ☐ | ☐ | ☐ |
| Common WiFi | ☒ | ☒ | ☐ | ☒ | ☐ |
| Landscape | ☐ | ☐ | ☐ | ☐ | ☐ |
| Waste management | ☐ | ☐ | ☐ | ☐ | ☐ |
| 3rd party service | ☐ | ☒ | ☐ | ☐ | ☐ |
| 3rd party service | ☒ | ☐ | ☒ | ☒ | ☐ |
| City service | ☐ | ☐ | ☐ | ☐ | ☒ |
| First responder link | ☒ | ☐ | ☒ | ☐ | ☐ |
Table 2: Identifying which systems receive, collect, store, process or send information about individuals
- Receives: The system receives information about individuals from another system
- Collects: The system collects information about individuals (e.g., data is provided by sensors or gathered from an app)
- Stores: The system stores information about individuals
- Processes: Information about individuals is used by the system in its processing
- Sends: The system sends information about individuals to another system
The workbook in the appendix contains a table template that you can use to identify how your building systems treat information about individuals.
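Table 2 records that a system sends or receives personal data but not its counterpart, so in practice the table is paired with a list of the actual integrations. The following added example (not code from the handbook) transcribes the example Table 2 flags, cross-checks them against a link inventory, and then follows the links transitively to find the systems where personal data from several sources accumulates, which is the linkage risk the best practices above ask you to limit. The link inventory itself is a constructed assumption, and its last entry is deliberately inconsistent with the table to show what the check reports:

```python
"""Data-flow checks over a Table-2-style personal-data inventory.

Added example, not from the handbook. INVENTORY transcribes the example
Table 2 above (the two unnamed third-party rows are labelled A and B here).
LINKS is a constructed assumption: Table 2 does not say which system talks
to which, so an assessor has to collect that separately.
"""
from collections import defaultdict, deque

INVENTORY = {
    "Power monitoring":     {"receives", "stores", "processes", "sends"},
    "HVAC controls":        {"receives", "processes"},
    "Lighting controls":    {"receives", "processes"},
    "Fire/CO sensors":      set(),
    "Security sensors":     {"collects", "stores", "processes", "sends"},
    "Broadband network":    set(),
    "Common WiFi":          {"receives", "collects", "processes"},
    "Landscape":            set(),
    "Waste management":     set(),
    "3rd party service A":  {"collects"},
    "3rd party service B":  {"receives", "stores", "processes"},
    "City service":         {"sends"},
    "First responder link": {"receives", "stores"},
}

# Constructed (sender, receiver) pairs. The last pair contradicts Table 2 on
# purpose: neither system is marked as sending or receiving personal data.
LINKS = [
    ("Security sensors", "HVAC controls"),
    ("Security sensors", "Lighting controls"),
    ("Security sensors", "Common WiFi"),
    ("Security sensors", "First responder link"),
    ("City service", "Power monitoring"),
    ("Power monitoring", "3rd party service B"),
    ("Common WiFi", "Broadband network"),
]


def check_consistency(inventory, links):
    """Cross-check the flag table against the link inventory in both directions.

    A mismatch means either the table or the integration list is wrong, and
    both must agree before the data-flow risks can be judged.
    """
    senders = {s for s, _ in links}
    receivers = {r for _, r in links}
    problems = []
    for system, flags in inventory.items():
        if "sends" in flags and system not in senders:
            problems.append(f"{system}: marked Sends but no outgoing link recorded")
        if "receives" in flags and system not in receivers:
            problems.append(f"{system}: marked Receives but no incoming link recorded")
    for s, r in links:
        if "sends" not in inventory[s]:
            problems.append(f"{s} -> {r}: link recorded but {s} not marked Sends")
        if "receives" not in inventory[r]:
            problems.append(f"{s} -> {r}: link recorded but {r} not marked Receives")
    return sorted(problems)


def upstream_sources(links):
    """For each linked system, every system whose personal data can reach it,
    following links transitively (a receiver may forward what it received)."""
    incoming = defaultdict(set)
    for s, r in links:
        incoming[r].add(s)
    result = {}
    for system in {x for pair in links for x in pair}:
        seen, queue = set(), deque(incoming[system])
        while queue:                      # breadth-first walk up the links
            src = queue.popleft()
            if src in seen or src == system:
                continue
            seen.add(src)
            queue.extend(incoming[src])
        result[system] = seen
    return result


def aggregation_points(inventory, links):
    """Storing systems fed by two or more other systems: where one breach
    discloses linked data about individuals from several sources."""
    sources = upstream_sources(links)
    return {
        system: sorted(sources.get(system, set()))
        for system, flags in inventory.items()
        if "stores" in flags and len(sources.get(system, set())) >= 2
    }


def blast_radius(inventory, links):
    """For each system that feeds personal data onward, the storing systems
    its data can end up in, i.e. how far a leak at the source can spread."""
    sources = upstream_sources(links)
    radius = defaultdict(set)
    for store, flags in inventory.items():
        if "stores" in flags:
            for src in sources.get(store, set()):
                radius[src].add(store)
    return {src: sorted(stores) for src, stores in radius.items()}


if __name__ == "__main__":
    print("Discrepancies:", *check_consistency(INVENTORY, LINKS), sep="\n  ")
    print("Aggregation points:", aggregation_points(INVENTORY, LINKS))
    print("Blast radius:", blast_radius(INVENTORY, LINKS))
```

With the constructed links, the consistency check reports the Common WiFi to Broadband network pair from both sides, the only aggregation point is the third-party service that stores data arriving (via power monitoring) from the city service as well, and the security sensors' data can land in the first responder link store. Each of those outputs maps directly to a question for the assessor: correct the table or the integration list, decide whether the aggregation is essential, and confirm the downstream store applies the same access limits as the source.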
References
[1] National Institute of Standards and Technology, NIST Special Publication 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations.
[2] National Institute of Standards and Technology, NIST Privacy Framework: An Enterprise Risk Management Tool, Discussion Draft of April 30, 2019.
[3] Regulation (EU) 2016/679 General Data Protection Regulation, adopted April 27, 2016. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
[4] National Institute of Standards and Technology, NIST Internal Report 8053: De-Identification of Personal Information, October 2015. http://dx.doi.org/10.6028/NIST.IR.8053
[5] United States Executive Office of the President, Office of Management and Budget, OMB Memorandum M-07-16: Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007.
Workbook 1
Organization Level Questions
The following Workbook provides the Organization Level questions with space for responses. Please complete all that is possible. Refer to the information and examples offered above for these questions to ensure completeness of answers. You may find it necessary to complete this in a separate document. Note and highlight for yourself and your team where answers are not complete; it is recommended that these become priority areas of focus.
Identify stakeholder organizations and individuals
- Building management/maintenance: Which organizations manage or maintain equipment for the building?
|
- Service providers: Which organizations provide services on behalf of building management or tenants?
|
- Utilities: Which utilities provide essential services to the building?
|
- Occupants: Which building occupants (organizations or individuals) will interact with building systems?
|
Identify the regulatory environment
- Governance: What laws, regulations, and contracts influence the cybersecurity and privacy requirements for the building?
|
Create and communicate cybersecurity and privacy policies
- Policy development: Who is responsible for writing the cybersecurity and privacy policies by which organizations and individuals that interact with the building must abide and that must be implemented via Smart Building technologies?
|
|
- Policy communication: Who is responsible for communicating about changes to cybersecurity and privacy policies with building stakeholders and with organizations responsible for policy implementation through building Information Technology (IT) and Operations Technology (OT)?
|
Identify sources of guidance and leverage
- Guidance sources: Which sources of guidance will you use to evaluate cybersecurity and privacy risk and implement controls?
|
- Leverage sources: What sources of leverage do you have to influence the cybersecurity and privacy characteristics of systems and services that interact with your building?
|
Identify necessary staff skills and expertise
- Expertise: Does your organization currently have the expertise to build and operate your building and meet (at least) your legal obligations for cybersecurity and privacy?
What are the needed capabilities and roles?
|
Name the education and training resources:
Ongoing operations
- Operational oversight: Which organizations and individuals will be responsible for operational oversight of the cybersecurity and privacy performance of building systems?
|
|
- Implementing cybersecurity and privacy policies: Which organizations and roles are responsible for configuring building IT or OT systems to implement cybersecurity and privacy policies?
|
|
Workbook 2
Mission/Business Process Questions
The following section of the Workbook provides the Mission/Business Process Level questions. As shown in the main document, please complete this Building System Critical Asset Assessment. Identify the property purpose and, with that in mind, complete the grid with High, Med or Low ratings.
Building System Criticality Assessment
Property purpose and use case drives building infrastructure. Please describe the property type and purpose:
|
| System | Human Safety | Business ops | Tenant ops | 3rd party ops | Business Confidentiality | Tenant Business Confidentiality |
|---|---|---|---|---|---|---|
| Power monitoring | | | | | | |
| HVAC controls | | | | | | |
| Lighting controls | | | | | | |
| Fire/CO sensors | | | | | | |
| Security sensors | | | | | | |
| Broadband network | | | | | | |
| Common WiFi | | | | | | |
| Landscape | | | | | | |
| Waste management | | | | | | |
| 3rd party service | | | | | | |
| 3rd party service | | | | | | |
| City service | | | | | | |
| First responder link | | | | | | |
| Add as needed | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Add | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
| Add | ☐ | ☐ | ☐ | ☐ | ☐ | ☐ |
Identify System Usage of PII
In the grid below, identify which systems receive, collect, store, process or send information about individuals. Note all that apply. For an example and further information, refer to Table 2 (page 8) in the main document.
| System | Receives | Collects | Stores | Processes | Sends |
|---|---|---|---|---|---|
| Power monitoring | ☐ | ☐ | ☐ | ☐ | ☐ |
| HVAC controls | ☐ | ☐ | ☐ | ☐ | ☐ |
| Lighting controls | ☐ | ☐ | ☐ | ☐ | ☐ |
| Fire/CO sensors | ☐ | ☐ | ☐ | ☐ | ☐ |
| Security sensors | ☐ | ☐ | ☐ | ☐ | ☐ |
| Broadband network | ☐ | ☐ | ☐ | ☐ | ☐ |
| Common WiFi | ☐ | ☐ | ☐ | ☐ | ☐ |
| Landscape | ☐ | ☐ | ☐ | ☐ | ☐ |
| Waste management | ☐ | ☐ | ☐ | ☐ | ☐ |
| 3rd party service | ☐ | ☐ | ☐ | ☐ | ☐ |
| 3rd party service | ☐ | ☐ | ☐ | ☐ | ☐ |
| City service | ☐ | ☐ | ☐ | ☐ | ☐ |
| First responder link | ☐ | ☐ | ☐ | ☐ | ☐ |
| Add as needed | ☐ | ☐ | ☐ | ☐ | ☐ |
| Add | ☐ | ☐ | ☐ | ☐ | ☐ |
| Add | ☐ | ☐ | ☐ | ☐ | ☐ |