It’s Time CRE Got Serious About Cybersecurity

Tom Shircliff

We all know about cybersecurity risks either firsthand or from the headlines that tell of high-profile incidents involving credit card records, government records, corporate email and social media accounts. Add to that critical infrastructure incidents involving municipal water systems and gasoline pipelines, along with more threats from nation states, including Iran and Russia.

Commercial real estate is another cybersecurity risk category that is part of our “critical infrastructure” and a wide variety of buildings such as office towers, malls, banks, hotels and industrial facilities are highly vulnerable. The U.S. Energy Information Administration estimates the size of the U.S. market alone at nearly six million buildings totaling 97 billion square feet. In addition to commercial buildings, the same vulnerabilities apply to hospitals, schools, government and military facilities, and just about any other non-single-family facility you can think of.

Elevated Threat

Commercial buildings are substantially affected by the systems in them, such as HVAC, elevator, lighting, parking, metering, physical access control and many others. When these systems are shut down or manipulated, they can cause serious problems that go well beyond discomfort. Imagine if you could stop or control air flow, disable elevators, turn off lights, close down parking decks, cause equipment failure, or lock and unlock doors. The consequences include life-safety risks, hazardous environmental conditions, public health danger, equipment replacement, regulatory noncompliance, productivity and financial loss, valuation, insurance gaps and brand damage.

It was recently revealed in secret Iranian documents that commercial real estate was specifically listed as a target and Russia has loudly threatened the West with cyberattacks. Those have not been idle threats as the U.S. Government’s Cybersecurity and Infrastructure Security Agency has identified Russian malware recently found in U.S. commercial office buildings. This malware often comes through email sent to unsuspecting building staff and technicians. In addition, the industry has also seen significant operational interruption from internal building system mismanagement, leaving hidden costs, growing risks and lack of awareness.

Many people naturally think about the risks in so-called smart buildings and the compounding technology complexity from the Internet of Things (IoT), artificial intelligence (AI) and other buzz phrases from technology alphabet soup. These are legitimate concern areas but are currently a very small part of the commercial real estate industry and not nearly as big of a problem as the legacy conditions in existing building stock.

How We Got Here

Since the 1980s nearly all building control systems such as those mentioned above have been installed as “digital” systems, which means they use a computer for the main controls (not surprising). For example, your nearby thermostat likely speaks to the controller in an equipment room on your floor and each of those controllers is linked back to the main computer. Multiply this by six, eight or even a dozen such systems in a typical commercial building and you can imagine the many computers, networking equipment and wires that exist by necessity.

What is more startling is that they are almost always Internet connected, not by your IT department, but rather by a disparate array of different contractors with little to no IT awareness or cybersecurity training. It’s not uncommon to see residential-grade DSL gear or cell modems dangling from the shelf with a green light flashing, indicating that this equipment is connected with traffic flowing in and out.

This technology hairball is still not the worst facet of the problem. CRE has perhaps the most fragmented organizational structure of any industry. Not only are there many different ownership arrangements, such as joint ventures, where it may be unclear who is ultimately responsible for risk and technology decision making in each building, but the operational environment is made up of changing property management companies, changing facility management staff and silos of contractors that install and manage those many different building systems -not to mention the turnover in each of these respective organizations.

Imagine a portfolio of 100 buildings that had a modest six building control systems (HVAC, elevator, lighting, parking, metering, access control) per building. That is 600 systems with corresponding computers, wires, networks and Internet connections, 200 to 300 service companies and upwards of 3,000 individual technicians that are constantly accessing and configuring those systems.

Finding a Remedy

To create some awareness and order there are three things that must be done.

1. Inventory & Assessments: Most portfolio owners and investors rightly have no idea what is in their buildings in the way of building control systems (HVAC, elevator, parking, access control, etc.), how they are connected, configured, and backed up and who did or didn’t do any of that. There must be a single source of truth residing with the owner and/or investor. Along with this should be a review of insurance gaps including general liability, property and casualty and Director and Officer (D&O) liability.
2. Policy Development: Develop a cybersecurity and vendor risk management (VRM) policy. This does not have to be complex at first and can cover some very basic best practices for passwords, backups, software updates and exposure to the Internet. This should also make its way into vendor contracts.
3. Ongoing Monitoring: This needs to be a proactive approach not only for Internet exposure but for the systems set up and backup as well as auditing contractors for compliance. There is much that can be done and can evolve overtime, but the important point is it’s an ongoing process.

It’s time for commercial real estate senior executives, board rooms, administrators and government leaders to recognize cybersecurity risk as an industry-wide, systemic problem that has been building up vulnerability and fragility for four decades. The problem requires assessment and remediation at the organizational and property levels. With real risks of safety, financial impact, and director and office liability, this can no longer be someone else’s problem downstream.

Tom Shircliff is a member of The Counselors of Real Estate and is the co-founder & principal of Intelligent Buildings LLC, which offers portfolio-wide cybersecurity site assessments and ongoing managed services including secure remote access, system backup and policy audits.