Commercial real estate is a cybersecurity risk category that is part of the nation’s wider “critical infrastructure.”
Most people think about the risks from an operational technology perspective. No one wants to have to pay $5000 in bitcoin in exchange for a ransomed network, right? But while these are very legitimate concerns, cybersecurity risks in the commercial real estate industry can be an even bigger problem, especially in older buildings that aren’t equipped with Smart Technology.
Cybersecurity Risks in Legacy Buildings
Since the 1980s, nearly all building control systems have been installed with digital systems, which means a computer manages the main controls. For example, your nearby thermostat probably speaks to the controller in an equipment room on your floor and each of those controllers is linked back to the main computer. Multiply this by three, six, or ten floors in a typical commercial building and you can imagine the hundreds of computers, networking equipment and wires that exist by necessity.
These systems are almost always connected to the internet by various contractors who have little to no IT training or who follow disparate cybersecurity standards. It’s not uncommon to see residential-grade DSL equipment or cell modems dangling from the shelf with a green light flashing, indicating that this equipment is connected with traffic flowing in and out.
And that’s just the HVAC system. Even a commercial building with a modest six building control systems in HVAC, elevator, lighting, parking, metering, and access control can easily contain well over 100 little computers all talking to each other. That’s 100 points of cybersecurity risk.
Additional Cybersecurity Risks in Commercial Real Estate
Commercial real estate has arguably one of the most fragmented organizational structures of any industry. There are many different ownership arrangements, such as joint ventures, where it may be unclear who is ultimately responsible for risk and technology decision making in each building. The operational structure is outsourced to replaceable property management companies, replaceable facility management staff and silos of contractors that install and manage those many different building systems – not to mention the turnover in each of these respective organizations.
Now imagine a portfolio of 100 buildings that has the modest six building control systems per building. That is 600 separate monitor and control systems with corresponding computers and wires, 2,000 network connections, 300 service companies, and 3,000+ individual technicians, typically not affiliated with the building owner, who are constantly accessing and configuring those systems. This is exactly what a study by Realcomm found.
Cybersecurity Awareness and Risk Management
The first step in mitigating cybersecurity risks is awareness. We don’t know what we don’t know, after all. Here’s what to do next:
Inventory & Assessments
Most building owners and investors rightly have no idea what is in their building control systems; how they are connected, configured, and backed up; and who did or didn’t do it all. The building owner and/or investor should know this information, or establish a policy to manage it. There should also be a review of insurance including general liability, property and casualty and Director and Officer (D&O) liability.
Develop a cybersecurity and vendor risk management (VRM) policy. Policies should be basic and quickly understandable. This can evolve over time, covering some very basic best practices for passwords, backups, software updates and exposure to the internet at first. Include policies in vendor contracts. Communicate policies and updates to all technicians and staff.
This should be a proactive approach, not only for internet exposure but also for system setup and backup, as well as for auditing contractors for compliance. There is much that can be done and that can evolve over time, but the important point is that it’s an ongoing process. Complement audits with tailored phishing campaigns and automated training for your people. Audits should be fast and easy, with a series of yes/no compliance questions, and phishing messages should be tailored to the facility industry segment.
Cybersecurity in CRE is Evolving
The CRE industry has the challenge and opportunity to proactively deal with information security to help clients remain secure without violating privacy and data protection laws, even as new threats emerge. For CRE, it’s time to achieve a balance in the future of security. Contact Miller’s Landing to discover how easy it is to provide security and peace of mind for your clients, now and beyond. Let’s create the future together!
Miller’s Landing is the first mixed-use SmartTown development in the country. Technology has a role across multiple dimensions – including mobility, transportation, sustainability, public health, safety, and community – to help the people who live, work, play, and invest in our communities be successful.