By Tom Shircliff and Rob Murchison
From the January/February 2016 Issue
With headlines of cyber attacks on victims ranging from bank cards and Target to a Hollywood movie studio, the issue of cyber security has become top of mind. Now the real estate industry is awakening to significant cyber security risks for building monitor and control equipment. With systems such as HVAC, lighting, fire alarms, sprinkler systems, and elevators all using information technology (IT) such as computers, servers, operating systems, protocols, and networking including Internet connectivity, it’s not hard to imagine an array of scary scenarios. A hacker could manipulate HVAC and CRAC systems to damage temperature-sensitive equipment, disable elevators or life safety systems, or even “hop over” to attack corporate computer networks—not to mention lost productivity and brand damage. These remotely accessible controls systems create a massive amount of exposure for the real estate industry in many different environments, including commercial office, corporate office, campus, retail, industrial, and others.
However, to correct a common misconception, the exposure is not because of the more recent smart buildings revolution. Rather it’s the so-called “dumb buildings” built over the past 25 years with standard controls systems that have these inherent risks but have not employed any cyber-safe requirements. The standard controls systems and the contractors installing them use Internet-connected computers for remote maintenance and software updates. In addition to adding convenience, this also creates a dangerous pathway to the building, its controls systems, occupants, and other networks.
You can’t buy a control system without a computer server and remote access capability, and almost all of these systems have been installed by different vendors with different standards—with little or no concern for cyber security. An estimated 95% of building systems connected to the Internet have insecure connections, and 65% of vendors have remote access to building systems.
Let’s look deeper at why the real estate industry is vulnerable. Use of IT in controls architecture and the back office has outpaced the technology abilities of the typical industry vendor resources, such as architects, engineers, and facility and property managers. These vendors generally have not integrated current-day IT practices into the design, construction and operation standards, while at the same time real estate developers and owners have not aligned their internal departments to the new reality of IT in monitor and control systems. The result is just enough IT to connect and turn on systems—and systems that are each put in by different vendors to different IT standards for reliability, backup, cyber, and other critical IT principles.
There are many examples of contractors who are establishing remote connectivity using low-cost, off-the-shelf routers, with free Wi-Fi built in that is constantly broadcasting, and simply plugging in a DSL line without changing the generic password (such as “admin admin”). Multiply that times dozens of vendors who have different systems installed throughout the building(s).
Part of the reason the industry has been slow to respond to the risks is rooted in historically different approaches between IT and facilities management. In most enterprise IT environments, the owner has control of all IT devices and networks even if using contractors for certain tasks and equipment. But in the real estate and facilities environment, there is a large ecosystem of vendors that almost completely controls and manages all of the IT components themselves and are responsible only for their own level of IT reliability and security.
To bridge these cultural differences, mediation and even language interpretation between the departments is often necessary to explain what facilities is trying to do and then to integrate the organization’s IT requirements into facilities procurement and management. Typical questions to resolve are: Who buys the software, facilities management or IT? Who determines the requirements? How sensitive is the data? What are the remote access policies and requirements? Who manages compliance? Whose budget is it coming out of?
The first step toward more cyber-secure facilities is an inventory and vulnerability assessment. This requires skill sets in several areas, including facility management, IT, controls systems, and risk management. For example, our firm, Intelligent Buildings, has developed a scorecard (shown above) that applies existing IT best practices from the National Institute of Standards and Technology (NIST) Risk Security Framework (RSF) and the International Organization for Standardization (ISO) as well as the Department of Homeland Security (DHS), and then grafted those best practices onto the facility environment. The evaluation areas include the computer systems, controls software and hardware, networking, contractor practices, and internal practices.
It is critical that all areas are addressed since this chain is only as strong as its weakest link. For example, a trusted vendor that has access through many IT security layers can create risks by not having a password custody policy during staff turnover. A quick site assessment with some preparation and follow-up can produce a categorical score set and a total score which leads to a step-by-step remediation plan.
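As an added illustration of the inventory-and-assessment step (this is not Intelligent Buildings' scorecard, whose contents are not given here), the Python below scores the five evaluation areas named above from a constructed set of yes/no site checks, applies the weakest-link rule to the total, and orders the remediation plan so the lowest-scoring areas are fixed first; the check questions, answers and remediation steps are hypothetical.

```python
"""Building-systems cyber scorecard (added illustration, not Intelligent Buildings' own):
per-area scores, a weakest-link total, and a remediation plan ordered weakest area first."""
from dataclasses import dataclass

AREAS = ("computer systems", "controls software and hardware", "networking",
         "contractor practices", "internal practices")

@dataclass
class Check:
    area: str         # one of AREAS
    question: str     # what the site walk-through asks
    passed: bool      # answer recorded on site
    remediation: str  # step added to the plan when the check fails

SAMPLE_CHECKS = [  # constructed assessment of one hypothetical building
    Check("computer systems", "BMS server receives OS security patches", False,
          "Enrol the BMS server in the IT patch cycle"),
    Check("computer systems", "BMS server backup and restore are tested", True, ""),
    Check("controls software and hardware", "Factory-default controller passwords changed",
          False, "Rotate every controller credential still at its factory default"),
    Check("networking", "Contractor router Wi-Fi radio disabled", False,
          "Disable or remove the contractor router's Wi-Fi radio"),
    Check("networking", "Building network segmented from the corporate LAN", True, ""),
    Check("contractor practices", "Vendor remote access uses owner-managed VPN with MFA",
          False, "Replace vendor DSL lines with owner-controlled remote access"),
    Check("contractor practices", "Vendor has a password custody policy for staff turnover",
          False, "Require credential hand-over and rotation in the service contract"),
    Check("internal practices", "IT and facilities share a written remote access policy", True, ""),
]

def area_scores(checks):
    """Percent of checks passed per area; an area with no checks scores 0 (unassessed is not a pass)."""
    scores = {}
    for area in AREAS:
        items = [c for c in checks if c.area == area]
        scores[area] = round(100 * sum(c.passed for c in items) / len(items)) if items else 0
    return scores

def total_score(checks):
    """(average of area scores, weakest-link area): the chain is only as strong as its weakest link."""
    scores = area_scores(checks)
    return round(sum(scores.values()) / len(AREAS)), min(scores, key=scores.get)

def remediation_plan(checks):
    """Failed checks ordered weakest area first, so work starts where exposure is highest."""
    scores = area_scores(checks)
    failed = sorted((c for c in checks if not c.passed),
                    key=lambda c: (scores[c.area], AREAS.index(c.area)))
    return [f"[{c.area}] {c.remediation}" for c in failed]
```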
While it’s the legacy systems that are the base of the problem, with the increasing phenomenon of the Internet of Things (IoT), the industry is seeing just the beginning of the architectural and operational vulnerabilities of digital building monitor and control systems.
The number of cyber incidents involving industrial control systems (including buildings) reported to the DHS increased by 74%, from 140 to 243, between fiscal years 2011 and 2014. In 2012, hackers penetrated the building energy management system (EMS) of a New Jersey manufacturing company. And, in another 2012 incident, an intruder changed the temperature settings of a state government facility’s building EMS. The Government Accountability Office (GAO) recently warned that even the DHS lacks a strategy to protect sensitive buildings from cyber attacks.
While these examples suggest the likelihood of many more incidents, it’s important to keep the risks in perspective. We need to account for IT realities and risks while also leveraging IT efficiencies. For example, “big data” and analytics also offer powerful opportunities to help facility management executives make data-driven decisions that will reduce their operational costs, increase productivity as well as improve the occupant experience and overall sustainability.
The good news is that the advent of smart building technology has the potential to decrease cyber risks and is prompting long overdue conversations about the importance of cyber security.
For example, in consulting with a large government agency on its smart buildings initiative, our firm worked with both facilities and IT to develop a strategy and standards for a building systems network that would be secure and separate from core business operations. This not only created separation from business data but also reduces the chance for mischief and safety risks related to power, elevator, lighting, and air conditioning. In the design of a large commercial office tower, we worked with 17 different systems controls companies to integrate these into a common backbone and empower a new, more secure way of managing the building that was also “analytics ready.”
Whether reducing cyber risks or leveraging smart building opportunities, it’s important to remember that any strategy must encompass three pillars: buildings, people, and technology. State-of-the-art software is only effective if the building is able to access the data. And technology achieves its potential only if people, decision-making processes, and workflows are also in place. It’s not just new technology; it’s a new way of working.
Shircliff and Murchison are co-founders of Intelligent Buildings, LLC, a real estate advisory services company that provides planning and implementation of next-generation strategy for new buildings, existing portfolios, and smart communities. Founded in 2004, Intelligent Buildings has worked extensively in more than 85 cities, and has developed smart building standards for the U.S. and Canadian federal governments. It consults in multiple real estate environments, including corporate, government, utility, institutional, and campuses. In 2015, Intelligent Buildings was ranked among the nation’s fastest-growing private companies on the Inc. 5000 list.