Five Reasons Your Building Isn't as Secure as You Think
Building technology and security are often seen as an afterthought to building operations. Frequently, assumptions are made that everything is secure from today's cybersecurity threats, or the risk is low because buildings aren't e-commerce platforms or other obvious targets. But are you really secure?
Many buildings have internal systems that were built in a simpler time, often with security as an afterthought – think default passwords, unpatched control systems, and operating systems that are no longer maintained or patched. In a world where cybersecurity is a daily headline, complacency for IT operations in commercial buildings is truly a false economy. While e-commerce and data centers may get the bulk of the attention from hackers, building systems can be easy prey for the bad guys out there.
We have spent considerable energy analyzing and documenting the inner workings of building systems, and – not surprisingly – found many weaknesses that could be exploited by hackers, compromising your systems or tenants, and creating unwanted reputational risk. The following Top Five list is comprised of actual findings encountered during our efforts to secure building systems from cyber attacks.
(1) The Unpatched Digital Video Recorder (DVR)
Building surveillance systems are incredibly common – the technology is inexpensive enough that even the smallest properties have installed cameras and other monitoring devices. The vendor that is responsible for installation is often not concerned with the security implications of the digital video recorder (DVR) or digital video cameras that are network accessible. We consistently see many DVRs sitting on the same network as other building systems. To make matters worse, recent DVRs now have Internet-enabled features. For the vendor to enable these features, they typically open one or more inbound firewall ports so the DVR is easily accessible from anywhere. This is commonly done so the building engineer can remotely monitor their cameras. While having remote access to the cameras is incredibly convenient, it is also a security threat. These DVRs are rarely patched, and outdated firmware versions can be easily exploited, especially when Internet accessible.
(2) We Don't Need No Stinking Firewall
Do your properties have modern firewalls with up-to-date patches and monitoring? Consider yourself in the minority if you do. There are many properties that simply have an old consumer router that hasn't been patched in years, or possibly worse, just the box furnished by the Internet provider. Those boxes do a fine job providing Internet connectivity, but provide zero control over traffic and lack basic or advanced monitoring capabilities. They don't include things like content filtering, advanced malware protection, and intrusion detection and prevention (IDS/IPS). To add insult to injury, these providers by default openly advertise wireless access points that the public can attach to. Do you really want the public on your WiFi sucking up bandwidth and unmonitored for abuse? And if the cable company isn't trying to give away your WiFi, you can bet that someone inside has tried, which leads us to:
(3) Free WiFi for Everyone!
Wireless is a great advance which has transformed how we work over the last 20 years. But this convenience has created a completely new security challenge. Remember that engineer that briefly worked at your building last year? Well, he installed a $20 access point on your network so he could get Internet while in the cafeteria. And now there are 50 people on your building network and you don't even know it. You would think something like this isn't very common, but with vendors and engineers coming and going over the years, the possibility is very real. We find these wireless access points hidden everywhere like cockroaches.
(4) Misbehaving Snack Machine
In the old days, a snack machine sat in a break room eating quarters and giving your tenants a quick sugar fix. No one carries quarters any longer, and your snack machine is now on the Internet. Unfortunately, we have seen your snack machine – and it has malware on it. Worse, it's on your building network next to your unpatched energy management system from 2005. Better contact that vendor (who doesn't specialize in security either), because the bad guys are swiping credit card numbers from your tenants, and you're about to have a PR nightmare on your hands.
(5) The Public PC
You hope that you have hired vendors that are savvy about security. But the guy installing your access control or DVR system is not necessarily a networking guru/security expert. Recently we found a PC that the vendor decided needed to be completely on the Internet with its own public IP address (no firewall). We don't know if the malware on this PC came directly from the Internet, from the engineer browsing the web, or simple email malware. There are so many ways (or threat vectors) this PC could have been compromised that it didn't stand a chance. And to save money, this one PC had energy management, access control, and general office work all happening on its infected self. If that malware had remote control capability, hackers could have easily caused building environment issues, locked out the scan cards, and stolen the access control list of everyone with a badge. If that had happened, cleaning up the mess could be far more expensive than having a secure architecture in the first place.
It's Not Too Late
We hope your corporate environment doesn't have these issues. These problems are, unfortunately, all too typical in the commercial building sector. But you can get ahead of your cybersecurity threats with some planning and detective work. Your best bet is to schedule a comprehensive walkthrough of your building – identifying your vulnerabilities is the first step in building a plan of attack to close the holes in your building security. Once you have your plan, at least you will know if you are vulnerable to the next WannaCry or Petya attack.
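As a starting point for that walkthrough, the following added example (not part of the original article) checks a device inventory for several of the exposure patterns in the list above: inbound ports forwarded to a device, an unapproved access point, a directly routable address, one host doing control and office work, and other devices sharing a subnet with control systems. The inventory format, device names, addresses, ports and role labels are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONTROL = {"energy_mgmt", "access_control"}  # roles that run the building

# Constructed inventory from a hypothetical walkthrough; every value is made up.
INVENTORY = [
    {"name": "lobby-dvr", "roles": {"dvr"}, "ip": "192.168.1.20/24", "inbound_ports": [80, 554], "approved": True},
    {"name": "ems-2005", "roles": {"energy_mgmt"}, "ip": "192.168.1.30/24", "inbound_ports": [], "approved": True},
    {"name": "snack-machine", "roles": {"payment"}, "ip": "192.168.1.40/24", "inbound_ports": [], "approved": True},
    {"name": "cafeteria-ap", "roles": {"access_point"}, "ip": "192.168.1.50/24", "inbound_ports": [], "approved": False},
    {"name": "vendor-pc", "roles": {"access_control", "energy_mgmt", "office"}, "ip": "203.0.113.10/29", "inbound_ports": [], "approved": True},
    {"name": "guest-kiosk", "roles": {"office"}, "ip": "10.20.0.5/24", "inbound_ports": [], "approved": True},
]

def audit(inventory):
    """Return sorted (device, finding) pairs for the patterns described in the article."""
    findings = set()
    by_subnet = defaultdict(list)
    for dev in inventory:
        iface = ipaddress.ip_interface(dev["ip"])
        by_subnet[iface.network].append(dev)
        # Finding 5: an address outside RFC 1918 space is directly routable.
        if not any(iface.ip in net for net in RFC1918):
            findings.add((dev["name"], "address outside RFC 1918 (directly routable)"))
        # Finding 1: firewall ports opened inbound to the device.
        if dev["inbound_ports"]:
            findings.add((dev["name"], "inbound ports forwarded from the Internet"))
        # Finding 3: an access point nobody signed off on.
        if "access_point" in dev["roles"] and not dev["approved"]:
            findings.add((dev["name"], "unapproved wireless access point"))
        # Finding 5: control functions and general work on one machine.
        if dev["roles"] & CONTROL and dev["roles"] - CONTROL:
            findings.add((dev["name"], "control system shares a host with other work"))
    # Findings 1 and 4: non-control devices on the same subnet as a control system.
    for devs in by_subnet.values():
        if any(d["roles"] & CONTROL for d in devs):
            for d in devs:
                if not d["roles"] & CONTROL:
                    findings.add((d["name"], "on the same subnet as a control system"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

Firmware and patch age are not checked here; they need a per-vendor source of current versions.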