As commercial real estate buildings get “smarter,” the need for cybersecurity becomes greater. So much of a building’s inner workings, whether it’s the locks, lighting, temperature controls or security systems, operates over the Internet. And for every device or system that’s connected to the Internet, there’s a hacker looking for an opening to take a building “hostage.”
Fortunately, CRE owners do not have to face these threats alone. There are cybersecurity experts available to help building owners keep their buildings’, as well as their tenants’, data safe. Some of that expertise was on display at the “Bringing Sanity to Your Cybersecurity Platforms” panel during the Connected Real Estate Summit show in February.
Panel sponsor Jaros, Baum & Bolles (JBB) Cybersecurity Technology Business Development Lead Min Kyriannis moderated the discussion that featured Johnson Controls Global Product Security Program Leader John Deskurakis, 5Q Cyber CEO Don Goldstein and Clarus CEO and Founder Christine Baird. The discussion covered the biggest cyber threats to CRE buildings, the steps building owners can take to prevent them, best cyber-related policy practices and more.
WHAT CYBERSECURITY ISSUES KEEP YOU UP AT NIGHT?
The Department of Homeland Security’s (DHS) warning that industrial control systems (ICS) were being targeted has been on Deskurakis’ radar. Johnson Controls focuses on these types of warnings as well as attacks from sources like the Stuxnet computer worm to keep them from harming their customers.
“We’re trying to prevent or remediate even the possibility, because many of our products and services are protecting critical infrastructure,” Deskurakis said. “We have government customers and customers from all spectrums, so these are things we really worry about.”
Baird echoed Deskurakis’ concerns, but said seeing that some companies do not have any cyber plan in place worries her, too.
“I see some things that get pushed off to a future phase,” she said. “That concerns me then for my clients because we all see what’s going on. We all read about the hacks and the different countries that are trying to hack into our government systems. It is not going to get better; it’s also going to be more intrusive. The attacks are going to be coming more rapidly and intensely.”
Surprisingly, until a few years ago, cybersecurity was not a high priority at the executive level in the CRE industry despite how much money is invested in it, according to Goldstein. Billions of dollars were going into property technology (proptech) and there was a sudden realization that hackers could greatly benefit from getting into buildings and the CRE supply chain.
“If there’s anything that keeps me up at night, it’s more about the fact that what we’ve self-imposed in this industry made people take notice of us,” Goldstein said. “The second thing is that information about compromises in this industry is not shared. We’d be much better off if we found a way to share information.”
HOW TO SHIELD YOUR BUILDING AND SYSTEMS FROM CYBER ATTACKS
It’s good that CRE owners know they need to have solid cybersecurity measures in place. However, it’s even better if they know how to go about doing so. The first step is to have a cyber security system—but what kind of system?
“What we learned from the (Stuxnet) attack was that with OT (operational technology) systems, even if they are not necessarily connected to the Internet, they’re still vulnerable to problems and could create a lot of big issues for you—this is where we spend a lot of time,” Deskurakis said. “If I’m an owner of a building and have networks that I manage, maintain, and am responsible for, and I have products deployed on those networks or maybe in a closed loop somewhere, you really have to think of everything.”
“Everything” would include the products that are connected to a CRE owner’s systems as well as the type of products that are sold, manufactured and distributed in the building.
“Traditionally, a lot of our customers have not thought of these things because they think, ‘That’s a cooler or chiller and HVAC system, or that’s a video camera and it’s connected to something guarded inside of a closet—no big deal,’” Deskurakis said. “But in reality they have potential vulnerabilities and could be exploited if you don’t know the security posture of all of those things.”
CRE owners should also look at their entire building as one ecosystem and recognize that everything in it can impact everything else. From there, they can try to determine and manage all of the potential risks. It’s by no means an easy job, but it’s an important one.
Goldstein recommended that all building owners, whether they have a retail, multi-family, office or multi-use property, make sure any open ports are locked down. Ports are an easy way for someone to get plugged into a building, obtain a lot of information and take what they want.
“Often you’ll go in and (the building owner) will say, ‘we’re locked down, nobody can do that,’” Goldstein said. “Then we will show them, ‘Oh look, there’s your lighting management system.’”
A “Zero Trust” mindset is another way to help keep a building’s systems safe. That means granting people access to only the systems that they need and only when they need it.
“There are technology solutions, and they aren’t necessarily expensive, that you can have in place and say, ‘When you need access, you have it because you’re authorized and nobody else is. You’ll get your credentials when you need it and then it will go away—the next time you come in you’ll get new ones,’” Goldstein said. “The same thing we do for elevated access inside of our buildings on the corporate side, you can do on the building side.”
Physical access in buildings remains a security issue, too. Goldstein noted his company has gone into buildings and seen that intermediate distribution frame (IDF) doors are propped open or there’s tape over the locks because people don’t want to have to unlock them every time. “There are just so many things like that that happen in buildings that aren’t difficult to fix, but somebody has to do it and be aware of it,” he said.
“One of the key things is, it has to come from the top-down,” Kyriannis said. “There has got to be an assessment of the equipment in a building environment and it’s policy driven—policies have to be set in place.”
It’s also important for building owners and companies to recognize that IT (information technology) teams and cyber security experts are not one and the same. Baird noted a lot of executives will assume that their IT team has everything locked down, but that’s not the case.
“The IT teams are the first to come to us and usually say, ‘We need your help because we need to make sure we’re both cyber safe and compliant,’” she said. “I usually recommend that we do a security risk assessment. We look at everything and ask a long series of questions. We bring in different parts of the organization and find out what we can from a network and physical security side. That’s a first step into looking how to be safe.”
CRE owners should look at any IT or OT products around their buildings that are designed to make their building smarter when identifying potential risks. The products include employee ID card readers, building alarms and video surveillance systems.
“If somebody could leverage these systems and get beyond them, they could own your intellectual property,” Kyriannis said. “They could make your business go under.”
As building owners assess their building for cyber security risks, they should be asking several different questions about any products they purchase. How is it supposed to be configured? Is it patched? Is it up to date? What operating system is it running on?
“A lot of times your OT systems are just deployed and ‘set it and forget it,’” Deskurakis said. “But these things tend to have operating systems that become outdated, out-modeled and no longer supported. Sometimes, this is how someone can exploit one of those OT systems and then all of a sudden, they’re in your building and they are doing who knows what.”
“There’s still a lot of work that needs to be done in (the security breach) area because companies are taking some steps, but some are still in denial,” Baird said. “I always try to break it down for companies to say, ‘Let’s do a phased approach because this is a big deal and it’s work. But it’s important work because if you lose your assets, what is it worth to your company?’ I feel like I’m having to educate because the public hears about these breaches, but doesn’t know what to do.”
EVERYTHING STARTS WITH THE POLICY
Sometimes a building’s cyber security levels are only as strong as the company’s policy—and whether employees follow it. When 5Q Cyber works with a client, the first thing it asks for is the company’s policies to see if they’re relevant—and how long or short they are.
“Are they 50 pages, or are they three pages? Because if they’re 50, forget about it,” Goldstein said. “It has to be real, and that’s what you’re measuring against.”
In the case of a terminated employee, companies like 5Q Cyber would want to know how long it would take to notify IT to deactivate the employee’s ID card and how long it took to turn off the card. Ideally, the process would be automated, but if not then it’s a matter of determining the best way to move forward.
“There are frameworks in security that speak to all of these things and there are a lot of boxes that have to be checked,” Goldstein said. “Typically, a consultant that doesn’t know our industry would say you have to do these 50 or 100 things. Then the customer would say, ‘We can’t do any of those because it’s too much.’ Hopefully you’ll have someone who understands your business and industry that can boil it down to, ‘If you just do these couple of things, you’ll be so much better off. Lock down the simple things first, all of the low hanging fruit, and make sure the policies are in place and it’s understood across your organization. Then hold everyone accountable to that, measure it and report on it.’”