Weekly Briefing

article sponsor image
Feature

Cybersecurity for Commercial and Corporate Real Estate – IT and OT

4 min read
listen to article Listen to this article

“East is East, and West is West, and never the twain shall meet…” Those words written by Rudyard Kipling over a hundred years ago could be applied today when we think of the differences between the teams that support Information Technology (IT) and the teams that support buildings and facilities aka Operational Technology (OT).

While the phrase is interpreted to mean that differing sides will never see eye-to-eye, I would like to think it infers that while ideologies may differ, those of differing perspectives should continuously try to better understand each other. This is especially important when they share a common goal: to keep an organization’s real estate operations running efficiently and securely.


I recently moderated two webinars for Realcomm on Cybersecurity for Commercial and Corporate Real Estate. The webinars focused on cybersecurity as it relates to both Information Technology (IT) and Operational Technology (OT). We explored the areas of teamwork, culture, and the underlying process changes required to help these two areas come together to address their collective challenge – real estate cybersecurity. The building operations and IT worlds differ because IT’s purpose differs from OT. The purpose of IT is to manage information, the bits and bytes that flow through our networks and computers. Whereas the purpose of OT is to control and manage our physical environment, raising/lowering temperatures, and turning on/turning off everything from lights to secure access to our buildings. Now as OT encompasses the world of IoT and especially IIoT (Industrial Internet of Things), the challenge to secure the OT world has taken on greater importance.


In discussing the cultural differences, Jesse Carrillo (SVP & CIO, Hines Properties)shared a great story of how playing softball with the facilities and properties teams helped build camaraderie and understanding between the teams. As the two groups got to know each other, an awareness of each team’s culture developed. Brian Roper (Cybersecurity Manager, Silverstein Properties) concurred, “I couldn’t agree more as the human connection is one of the most important parts of any IT project.” All the panelists agreed that personal relationships are critical to ensure success, especially as it applies to securing commercial and corporate real estate information and operational technologies. Don Goldstein (CEO, 5Q) conveyed that it is also necessary to ensure that whatever team is supporting your OT has a good understanding of the OT functional purpose and how the underlying security is managed. While this is important for internal support teams, if any of the OT support services are outsourced, it is crucial. Don said that ANY outside firm that is brought in to help must have a good understanding of the OT as you can’t manage or insure what you don’t understand!


Sabine Lam (Building Operating Systems Global Lead, Google) stated that while IT policies should be applied to the OT world, you need to be pragmatic in your approach and understand that OT has a lot to catch up on. At a minimum, OT devices must meet security requirements to sit on the network. Sabine went on to say, “IT principles are guiding the solutions we are putting in place around managed networks, network scanning, password management, etc.” In my experience, and during our vendor discussions we conveyed a similar premise. As a device on our network, you are a guest and must abide by our rules. While we thought this was a basic tenet that everyone could support, not every manufacturer could address security deficiencies in either their products or support models.


Data privacy was raised as another concern that companies are facing with the increasing presence of OT devices. Sabine said that a key element of their device qualification process requires systems are not installed if there is any concern around data privacy, employee privacy, or GDPR compliance when PII (Personally Identifiable Information) is captured. This has drastically limited their deployment of third-party solutions for anything that uses personal data.


Ken Kurz (CIO, COPT) agreed with eliminating the cultural barriers, as IT and OT teams should learn from each other, “…from the facilities engineer to the boardroom, everyone has a role to play relative to risk management… the organization needs to think about it holistically.” Ken said that he believes, “showing how you can help” is a good start to building rapport between support groups and that collaboration is key. Collaboration extends beyond your organization, to other peers and industry bodies like the Real Estate Cybersecurity Consortium (RECC).


As anyone who has been on this journey can attest, it is not simple and there are many paths available. Still, not all paths lead to successful management of the problem. Like many collaborative organizations, the RECC offers a community of seasoned industry professionals who have come together to “improve the industry.” Along the way, we hope to provide insight and aid to others on their journey. The key message here is to collaborate and learn from others, whether that comes from within an organization, or with outside peers and associations. By collaborating with others, we have the proof that “twains can meet.” RECC is an example of how active participation from both the IT and OT sides of the commercial real estate industry is helping to bring the twains together.

Charles Meyers, Executive Director, RECC
Charles Meyers has over 40 years of financial systems and technology experience. Currently, he is spearheading the Real Estate Cyber Consortium (RECC) to elevate awareness across the real estate community to improve cybersecurity preparedness for buildings and facilities. He recently retired and was formerly the SVP & Chief Technical Architect, Corporate Property Group of Wells Fargo and was responsible for emerging technologies that optimize the company's real estate portfolio.

This Week’s Sponsor

iOFFICE creates the most responsive, frictionless workplaces everywhere through space planning, employee experience, and asset management SaaS solutions. Our cloud-based, open-API platforms and mobile apps help businesses of all sizes connect data, people, and things wherever work takes place. Facility and workplace leaders leverage our namesake next-generation IWMS for insights to enhance experiences and scalability of their real estate portfolios. iOFFICE also provides ManagerPlus, an enterprise asset management solution, user-friendly maintenance tool Hippo CMMS, and simple space booking and visitor software Teem. See why leading organizations choose iOFFICE software to optimize their spaces and assets at www.iOFFICECORP.com.