Facing Security’s New Challenges, 20 Years After 9/11

As the nation marks the passing of two decades since the Sept. 11 terrorist attacks, application of lessons learned has helped make buildings safer than ever. In many cases, properties are designed to thwart physical attacks and make evacuation in an emergency easier. But there are emerging threats, such as cyberattacks, that commercial real estate property owners and managers also need to be on guard against.

As recently as two or three years ago, some commercial real estate clients showed little interest in talking about or investing in cybersecurity, noted Julie Ho, partner at Deloitte and an expert in enterprise system security, controls, risk and compliance.

That changed in early 2020, when remote work suddenly became the norm. Though it was often necessary to physical safety of office occupants, the step raised the level of vulnerability to phishing and other cyber risks. An increasing number of high-level data breaches and cyberattacks, such as the Colonial Pipeline ransomware attack in May that disrupted the fuel supply for nearly half the country, also spurred more calls for help with cybersecurity issues.

In response, real estate companies are putting more defensive measures in place and catching more anomalies in their network, preferably before a full-blown incident arises.

 “We’re definitely seeing a bit of a mindset shift,” Ho said, noting that CRE clients have been making more cybersecurity investments since the pandemic began. “We also see more sophisticated real estate companies and other companies are starting to do cyber tabletop exercises or cyber war game exercises,” she said.

That’s a practice experts say should be done annually at a minimum and ideally at least twice a year. One recommended practice is conducting a cyber tabletop exercise every time a major new tenant is added to a commercial asset or a new system or technology is added to the building, suggested Noelle Brisson, co-founder of CyberReady LLC.

Third-party risks

Tenants, whether new or existing, can become third-party risks to a property owner’s system or others in the building. Third-party management is often a weak link when it comes to cybersecurity risk assessment.

“You or your tenants may be working with a third party and if their security is wide open, now your network is also compromised,” Ho said.

Ho suggested that it’s not enough to check the credit rating of a new supplier or new tenant. It’s advisable to dig deep and ask about their security policies to ensure that they are not sharing your information randomly, they don’t share passwords and that they properly screen their employees for good cyber hygiene.

Determining whether current cybersecurity efforts are sufficient requires assessing potential threats from cloud-based communication and collaboration tools. Cloud vulnerability poses a big challenge, as most companies don’t know the location of the cloud they use.

“People assume it’s local, but it could be in China,” Brisson said. “The cloud is good, but it has to be overseen; it has to be controlled for data and privacy issues.”

Companies must need to have cybersecurity policies in place and keep them on their employees’ radar through repeated training. That requires breaking silos so that cybersecurity is a company-wide concern, not just an issue for the IT department.

A McKinsey report issued after the Colonial Pipeline attack stated that organizations should be mapping the interdependencies of their IT (informational technology) and OT (operations technology), including core systems and applications, to discover the links and overlapping between them. That effort enables understanding the full implications of a ransomware attack on any part of the company.

In the wake of the Colonial Pipeline incident, cybersecurity is getting stepped-up attention from policymakers, as well. One topic of interest is the Terrorism Risk Insurance Act (TRIA), the 2002 legislation that authorizes the federal government to backstop losses with private insurers in the event of a terrorist attack. Its mission is to ensure the continued availability and affordability of commercial property and casualty insurance for terrorism risks. TRIA has been reauthorized several times since 2002 and was most recently extended until Dec. 31, 2027.

TRIA is the subject of a potentially consequential study by the U.S. Government Accountability Office. The Treasury Department, which oversees the program, has never certified a cyberattack as terrorism. The GAO is studying whether it could be applied to cyberattacks.  

Smart buildings link physical, cybersecurity

Brisson contends that smart building technology, which is helping commercial properties adjust to pandemic-related changes, potentially increases cybersecurity risks. There are more contactless entries, elevators, inter- and intra-building systems that reduce emissions, save energy, improve preventative maintenance and control many other physical and now health and safety aspects of a commercial building.

“The Internet of Things has brought the physical security into the cybersecurity,” she said. “It is one thing now.”

Despite additional cybersecurity concerns, forward-thinking developers view the rise of smart buildings as a positive trend.

“Building apps, for example, can grant a tenant touchless, or near touchless, access to minimize contact in high-frequency touchpoints. You can access the garage, security turnstile, elevator, or even schedule a conference room through your phone,” said Clare De Briere, executive vice president at Skanska USA Commercial Development. “We believe that the more activated, livable and engaged with the community our buildings are, the inherently safer they will be.”

After the 9/11 attacks, office buildings around the world placed a new emphasis on security. That has produced changes in construction and design, particularly for high-profile new projects that might be viewed as targets of bad actors or otherwise be vulnerable to an emergency.

“Tall buildings have come a long way over the last two decades. The combination of high-tech solutions with common-sense measures will propel design and engineering innovations in the future,” said Russell Gilchrist, a principal with Gensler and expert on tall building design.

Those improvements range widely from improvements in elevator design; technology advances in pressurization to clear smoke faster paired with efficiently placed smoke sensors; and an increased use of composite structural systems such as concrete-encased steelwork.

One factor is a difference in fire resistance. Concrete offers inherent fire-resistant properties, while a steel-framed high-rise requires a regular maintenance regime to ensure compliance. “The risk for failure of the steel decreases when composite structural systems are used,” Gilchrist said. “The next generation in talls must now look at sustainability and resilience to climate change. The innovations in this space will, once again, change how we design for height and the human experience.”

Much has been written about the high-strength concrete used in the design of One World Trade Center for Silverstein Properties by David Childs of Skidmore, Owings & Merrill. Rising 1,776 feet, it is the nation’s tallest building. In addition to 2.6 million square feet of Class A office space, One World Trade offers restaurants, an observation deck and broadcast and antennae facilities to replace those lost with the Twin Towers.

While 9/11 has significantly impacted tall building design, high-strength concrete and heavily reinforced windowless podium were specific responses for the first new tower at the site after the attacks.

“It is very much a localized, symbolic and understandable response,” Gilchrist said. From what we see, to date, that response seems to be hyper-localized to the site in New York City. It is not the norm in tall buildings designed in Europe, Middle East and Asia, where most of the world’s tallest buildings are currently being designed and built,” he said.