Weekly Briefing

article sponsor image

Incentivizing Investments in Cyber Safety for Buildings

6 min read
listen to article Listen to this article

The Colonial Pipeline cyber incident that shook the nation started with an e-mail received at 5:30 am on a Friday morning. Bad actors had found and exploited a weakness in the common information technology (IT) software for automated business operations, including the smart system between meters and billing software. The goal was to seize systems (including back-ups), quickly extract a reasonable bitcoin ransom, and quietly move on to the next business target. This had been going on for months with more than $90 million collected from all types of companies.

The unintentional consequences are now history – product stopped flowing, gas prices jumped, lines formed, citizens expressed outrage, the President vowed to implement protections, and even some called for military action – the absolute last thing the bad guys wanted. When the CEO of Colonial made the difficult decision to stop the hemorrhage of the product and to ensure the pipeline controls (i.e. valves, pumps, switches) were safe, it became a bad day for the bad guys as well.

Although the ransom was paid, Colonial’s systems took weeks and millions of dollars to recover. While the forensic investigation is underway, one thing is clear – similar attacks are occurring in every business sector, with most of the victims remaining anonymous as not to alarm investors or shareholders. The business model is ideal for bad actors to monetize a cyber vulnerability – very little expense, easy to deploy and a simple payoff. Every hacker, criminal or terrorist with a keyboard wants in, sometime with the protection of host governments. And every business with cyber weaknesses are targets.

In 2020, ransomware attacks cost healthcare organizations nearly $21 billion and targeted more than 600 clinics, hospitals and organizations. Another global cybersecurity company reported that since January 2021, victims have ranged from the National Basketball Association, governments and schools to energy companies, international law firms, and automobile manufacturers. With damages from cybercrime expected to hit $6 trillion in 2021 (up from $3 trillion in 2015), the number of ransomware attacks will increase as more sophisticated and disruptive attacks promise bigger payoffs. Advanced technology in every part of society make it entirely possible that even your smart coffee machine can end up asking you for ransom – that’s enough to get the world’s attention in the morning. Which begs the question, can it happen to you? Do your assets have similar vulnerabilities?

In real estate, technology is a moody partner. It brings great gifts and can be a best friend on most days, but it can stab you in the back on a bad morning when the “systems are down.” Even so, commercial real estate owner and occupiers are buying and using rapidly advancing PropTech data and hardware technologies to enable smart homes, buildings, cities, and infrastructure to be more efficient and effective. “Smart” is defined as any device or system connected into the Internet of Things (IoT) to be centrally controlled, managed, or monitored. The PropTech industry is exploding with new technologies for the built environment to be more responsive to tenant needs, sustainable, energy friendly, and clean. PropTech automated solutions that allow owners and operators to increase marketing and operations efficiency and enhance value extraction while enhancing the tenant experience. All have positive impacts to net operating income, but at what risk?

A smart device can be compromised through a weak router, malware, internet interface, or even wireless commands. The digital commands embedded in these “smart” devices (firmware) can be made to do things that were not intended. A smart TV or even a thermostat could be turned into a listening device for sensitive conversations. Those elevators monitored by security at the front desk can also be controlled by a bad actor wanting a ransom. Same with cipher locks, security cameras, fire suppression, and other building systems. Electricity can be shut off or surged to destroy equipment. As seen in the pipeline attack, a threat can spread to every corner of a business operation immediately. A bad day can happen to anyone who hasn’t taken the time to assess and subsequently mitigate that risk. And who bears the liability?

When we walk into our homes, offices, schools or stores we assume we are safe. But cyber threats to human safety and property can be an even more compelling and lucrative target than data threats. The Colonial Pipeline CEO knew the liability incurred by not reacting quickly to the threat of a catastrophic breach of the pipeline and the threat to human safety. Paying the ransom was for the good of the country. More CEOs and asset owners will face similar dilemmas. Gartner predicts 75% of CEOs will be personally liable for cyber physical security incidents (CPS) by 2024. Gartner also predicts that the financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023. So, what can be done about it?

First, do you know what technologies you have in your asset or portfolio, and what risk it poses? Most companies do not know if the smart systems being used in buildings can threaten their reputation, compromise operations, or even harm employees. Furthermore, in many cases building owners may not have the insurance coverage that would protect the owner from the cost of responding to a cyber incident affecting property or tenant health. For those who are aware, a dizzying array of cyber tech companies offer a full range of protection services, but other than reputation and client lists, its difficult to determine how effective the services will be without some sort of national framework. And bottom line, what real estate company wants to take a hit on NOI to reduce what seems at the time to be a remote risk? Where is the value proposition?

Building Cyber Security, Inc. (BCS) , a 501 (c)(6) non-profit organization, has gathered private sector stakeholders from the real estate industry, technology companies and insurers, all with a mutual need for a framework offering marketing incentives to building owners and operators to improve the security and safety of all the systems in a building , and ultimately protect the tenant.

What makes BCS unique in the nexus between the built environment and technology is the collaboration with leading global insurers to incentivize the adoption of cyber certifications for tiered levels of protection (bronze, silver, gold and platinum) to match the risk identified by asset owners. Like Realcomm’s Real Estate Cyber Consortium (RECC), BCS will offer the framework to all interested parties and will review your asset to deliver a cyber protection assessment and rating based on evolving industry best practices. The company's framework will also reward persistent cyber hygiene, addressing the people (training), processes (governance) and the technology (controls) over the life cycle of your asset. Adopting the framework will be the signal to bad actors that you have made the investments to protect your systems, and they should move on.

As insurance policy rates related to cyber risk continue a rapid climb and potentially start impacting the costs of property and casualty policies, the BCS framework may help reduce those policy costs or even mean the difference in getting insurance at all, particularly if you are investing in PropTech for your building. Bottom line – would you rather spend millions to recover from a ransomware attack and restore trust in your asset, or see a firm ROI through reduced premiums on proactive protections to your asset? We need not simply wait to react, but take the initiative to recognize the growing threat, and encourage public and private sectors to share understanding of risks and threats.

Lucian Niemeyer, CEO, Building Cyber Security
Lucian Niemeyer is the CEO of Building Cyber Security, a non-profit organization enhancing global safety in a smarter world. He applies his expertise and experience in the convergence of facilities, real estate and technology to counter emerging global threats. Lucian is also a former Assistant Secretary of Defense, US Senate professional staff member, small business owner, and an Air Force veteran.

This Week’s Sponsor

AVUITY is a data-driven technology firm based in Cincinnati, OH with a hardware, software, + mobile app platform focused on understanding human interaction within space. Our flagship products, VuAI, VuSpace, and the upcoming OpenVu, can be configured as needed to identify and analyze trends in space usage to help organizations increase efficiency, optimize their real estate portfolio and extending these benefits to end users to enhance employee experience.