Can You Hack It?

BY JESSICA BATES

A decade ago, the idea of a building being hacked may have seemed like science fiction. But, as technology has allowed commercial properties to operate more smoothly and efficiently, it also has left them vulnerable to cyberattacks—attacks that can cause physical damage.

Dashboards and servers often need to be accessed by multiple users off-site and individual devices may not be considered sensitive, so they are not necessarily designed to be difficult to access. Building systems—such as those controlling lighting and security—were once kept in "silos," but, as the industry has moved towards higher levels of integration and efficiency, they now are more likely to be networked together through the Internet of Things (IoT). As a result, hackers can use these connected devices to access critical systems.

Talk to the experts on cybersecurity, and over and over again you’ll hear the same thing: The commercial real estate industry is nowhere near secure. Buildings may be ready for a wide range of emergency situations—everything from fires to active shooters—but they simply are not prepared for cyberattacks.

"An important part of our job is to minimize risk for our clients; the cost of fully securing a building against a cyberattack may seem high because the risk of an attack seems low," says Trish Moosbrugger, a San Francisco-based real estate manager for CBRE. Implementing a comprehensive cybersecurity plan into a building can range in cost from a few thousand dollars to as much as $100,000, leading many building owners to decide that the risk of a cyberattack is not enough to justify the cost.

"But," Moosbrugger warns, "we may be grossly miscalculating the risk." Cyberattacks on commercial buildings are rarely in the news, but that doesn’t mean they aren’t happening. A property’s elevators may be easily taken over by ransomware, for example. In such an instance, the property team resolves the issue by either employing the services of an outside vendor or paying the ransom to the hacker (or both). Then, elevator controls are turned back over to the property team and the attack is never made public. Because everyone involved typically signs a non-disclosure agreement, word never gets out about the attack.

In another spine-chilling possibility, building systems all over the world could be remotely monitored by hackers at this very moment. Unless you’re looking for it, you may never know this is happening…until the hackers decide to act.

ONLINE LEARNING

If you simply don’t know if your building is protected against a cyberattack, then it probably isn’t. Building systems are complex and cybersecurity is still an emerging field; the average IT department is unlikely to have the necessary expertise. "General IT professionals are not the same as cybersecurity professionals," says Luciano Cedrone, vice president of National Security for Brookfield and based in Toronto. "I’d strongly encourage property managers to seek out cybersecurity professionals to assess and develop a secure cyber environment for their buildings."

This is exactly what Moosbrugger decided to do, though she initially felt a little at sea. Like most property managers, she knows at least a little bit about a lot of topics, but cybersecurity was a new area for her and her team. "We have long-standing relationships with most of our vendors, and if I need expert advice then I know who to ask for assistance," she explains. "But with cybersecurity, I felt like I was starting from scratch."

Many property professionals may put off beginning this process for that reason. Moosbrugger had a simple solution, however: She decided to let vendors do some of the work for her. She invited potential vendors to speak with her team and asked if they would be willing to collaborate on developing a scope of work that included best practices for them to present to their building owners and to use to solicit bids.

One vendor took her up on it, and he was enthusiastic. "It was clear to us that educating people in our industry about the need for these protections was a personal passion of his, and he was happy to empower us in the process—whether or not we ended up using his services," she recalls. After receiving bids on the project, Moosbrugger ended up choosing the vendor who helped them create the scope of work. "A lot of vendors will come and give you a sales pitch and a brochure," she says. "I don’t need a brochure; I want someone who will teach me about the technology because I’m going to have to talk to my client, my staff and other key vendors about it."

Harry Koujaian, principal engineer of Technical Support for Siemens’ Building Technologies division, backs this up: "Cybersecurity vendors must be educators." This is partly because simple user error can create huge security gaps. "Quite a bit of technology you might use in a building has a default name and password and users aren’t automatically prompted to change it," he explains. "It’s very easy for those outside the building to find out what the default password is and access it." Having a password-protected system won’t help if the password is easy to guess.

Maintaining a secure building also requires strong communication among the stakeholders. For example, if a new vendor needs access to a building’s systems, it must be made aware of the security protocols, others on the team need to know about the change to the building and the cybersecurity vendor must be notified to ensure the system remains secure.

A SAFETY NET

But what, exactly, do cybersecurity vendors do? In 2013, the Obama administration issued an executive order directing the National Institute of Standards and Technology (NIST) to create a cybersecurity framework for companies to study. The resulting framework is designed to offer strategies for determining what security gaps exist and how to close them.

"It was originally designed more towards the nation’s critical infrastructure, but can be applied to any system," explains Koujaian. The framework is freely available online at www.nist.gov/cyberframework and is broken into five steps: identify, protect, detect, respond and recover. A cybersecurity expert will assess what assets need to be protected and predict potential threats, check for vulnerabilities and have a plan in place for bringing systems back online quickly if they do go down. While man-made attacks are usually the focus for these plans, cybersecurity can encompass natural disasters as well and should be a critical part of any resiliency effort.

A CYBERSECURITY EXPERT WILL ASSESS WHAT ASSETS NEED TO BE PROTECTED AND PREDICT POTENTIAL THREATS, CHECK FOR VULNERABILITIES AND HAVE A PLAN IN PLACE FOR BRINGING SYSTEMS BACK ONLINE QUICKLY IF THEY DO GO DOWN.

"I think the industry is generally exposed and poorly prepared, partly because there’s still a lack of awareness and understanding, but also because by its nature, cybersecurity is a game of catch-up," says Cedrone. "We don’t know what the next vulnerability is until it’s detected; at which point, the question really becomes how quickly and effectively are you able to mitigate the threat."

Each building faces a different set of threats, based on such factors as location and the types of tenants who occupy it. A law firm may be more likely to have its email hacked for private information on mergers and acquisitions, whereas a healthcare tenant’s database containing valuable medical information might be a target. Some organizations will automatically have higher security requirements, such as any tenant that does work with the U.S. Department of Defense. These systems all are likely to be secured, but because IoT technology often is easy to access remotely, hackers can use it to gain access to other systems within a building—putting tenants at much greater risk.

AN EVER-CHANGING THREAT

Having consistent internal protocols and remaining vigilant can create a more secure smart building. "What worked yesterday becomes vulnerable today," warns Cedrone. "At a strategic level, a framework that provides consistent governance and response to cyberthreats should still be reviewed at least annually, if not more often, depending on the level of risk and the threat environment."

CBRE’s Moosbrugger agrees that these threats should never be far from your mind. "Cybersecurity is a living, breathing thing," she says. "It’s as much an active process as posting a security guard at the front desk to screen people as they come in."

And, as with physical threats, property professionals may want to consider sharing what they know with their peers and with appropriate law enforcement agencies. Just as you might send out an alert about an attempted break-in or a building scam, sharing knowledge about cyberattacks can make the industry much safer.

This article was originally published in the September/October 2018 issue of BOMA Magazine.