Hack Proof: Cybersecurity & Smart Buildings
It was January 2017 during a busy tourist season in Austria, and the Romantik Seehotel Jaegerwirt was filled with guests. Ready to ski and sightsee, some travelers had paid more than $500 a night for the alpine lodging. When multiple guests began complaining that their key cards could not unlock their rooms, hotel staff tried in vain to remedy the problem, but they were frozen out of their own computer system. Then the ransom email arrived.
Sent to the hotel's managing director, the note demanded about $1,800 worth of bitcoin for the hotel to regain access to its system. The note ended with a friendly, "Have a nice day," news sources reported at the time. The hackers indicated that the ransom amount would be doubled if it was not paid soon. With a full house of guests to consider, the hotel complied and paid the hackers.
The Austrian hotel incident is one of many that highlight the new considerations property managers must weigh as buildings and their features get smarter and more connected. Anywhere there is automation, there is risk, and with the growing popularity of IoT (Internet of Things) in real estate and smart buildings, property managers need to be prepared for all of the threats that come with the convenience and simplicity.
POINTS OF ATTACK
David Peterson, the director of smart properties at the Maryland-based Blackpoint Cyber and a 25-year commercial real estate veteran, explains that adding automation like climate controls, security systems or timed lights comes with additional potential "attack surfaces."
"These devices typically rely on an IP-based communication system—much like on a PC—and these can be vulnerable to malicious hackers," Peterson says. "It could be a building automation system, an unsecured maintenance portal, a CCTV or a security system, or even an individual laptop, and if there's a weak point, attackers can get in."
Peterson says the most common method hackers use to quickly bring down a network is called "lateral spread," and it's one that you probably have already seen attempted. "It starts with a well-worded email to the right individual, coercing that person to inadvertently give up their credentials or click on a link; if this succeeds, the hacker is now in the network where they will perform reconnaissance to gain access to privileged accounts and high-value targets and eventually spread their malware," Peterson says.
Jim Young, co-founder and CEO of San Diego-based Realcomm Conference Group, says hackers are looking for easy points of access, and every new piece of equipment that comes into a building may be a risk, along with anything attached to a modem.
"There are modems on equipment in the closets of some buildings that nobody even knows about," he says, adding that these devices are fairly simple for a hacker to locate. He says websites like shodan.io, which calls itself "the world’s first search engine for Internet-connected devices," are an easy way for anyone to find the devices that are exposed and vulnerable.
Just like the potential points of attack, the motives of hackers vary wildly. "If it’s a nation-state, they could be looking for disruption or a financial goal," Young says. "It could be disgruntled employees or kids just playing around, saying, 'Let’s turn off the lights.' There are multiple goals, multiple types of people and multiple types of threats." Other possible aims are making the buildings inaccessible, stealing visitor or occupant data or even destroying equipment.
Highlighting the power a hacker can wield, Peterson asks, "If they get into a building with tenants and manipulate the HVAC system, lights or security, what can the staff do?"
Adds Young, "Imagine turning off the heat in Chicago in winter or the air conditioning in L.A. in the summer. Then there’s negative impact on the brand."
To regain control of the building, victims may need to pay a certain amount of money (ransom demands differ) to unlock the system and decrypt the files. "It could be as easy as cleaning up a desktop or laptop with an anti-virus software, but it may also take a team of experts to unlock. The longer it takes, the more expensive it could be," Peterson says.
Depending on how severe the hack is, it could take days or weeks to regain control and return to a secure state, Young says. Both Young and Peterson agree that it all depends on how prepared the building and its managers and owners are.
"You want to disincentivize these nefarious characters," says Peterson.
CYBERSAFE AND SOUND
In this ever-changing tech environment, Peterson encourages property managers to get educated and be prepared. "You have to ask yourself what you would do," he says. "You have to assume a cyberhack is on the horizon."
Questions for property managers to consider include: Does your insurance cover a hack? Who would pay for the damage? What about the damage to your reputation? Whether a smart system is in place or in the plans, these concerns must be addressed.
Rather than trying to navigate cybersecurity alone, Young suggests property managers have the guidance of their organization’s IT experts. "You need to have an IT liaison or partner inside the company to help," he says. Then, with the help of IT (and after making sure that the corporate office does not already have cybersecurity measures in place), property managers can reach out to a cybersecurity expert for a consult.
"There are a lot of impostors in IT, OT and IoT," Young says. "If they don’t have experience with all three, you are going to pay for their learning curve."
Because hackers are looking for easy targets, Peterson says having an expert perform a cyber assessment on your property can be very informative. Without giving any identifying information about his client, Peterson recounted his company’s recent security evaluation of a large North American shopping center. "They wanted us to assess their system, and it was wide open. It literally took our experts 15 minutes to figure it out," he says.
Blackpoint Cyber takes a three-tiered approach to protecting smart buildings through monitoring, detecting and responding to threats, he says. Monitoring involves 24/7 live monitoring of a building’s systems. If something out of the ordinary is detected, Blackpoint determines if it is a nonissue that should be ignored or if it requires action. "If an alert gets escalated to the next level, our team has the ability to make an immediate response, and we will alert your team according to our predetermined action plan that we set up in the onboarding process," Peterson says.
Being educated and safe doesn’t mean you and your building will be completely immune to hackers, "but it will be less likely to happen, and if you're better prepared, it's more likely the building will get back on track," Young says.
REPRINTED FROM THE JOURNAL OF PROPERTY MANAGEMENT, VOL. 84, NO. 4, WITH PERMISSION FROM THE INSTITUTE OF REAL ESTATE MANAGEMENT. FOR MORE INFORMATION ON IREM AND ITS PUBLICATIONS, VISIT WWW.IREM.ORG.