Weekly Briefing

article sponsor image
Partner Content

Traditional IT Cybersecurity Methods Don’t Work in Commercial Real Estate

4 min read
listen to article Listen to this article

VPNs and firewalls alone are difficult to implement and manage in CRE at scale and could make things worse.

Our previous newsletter article described the radically different environment in commercial real estate compared to traditional enterprise IT and the three areas that must be addressed:

  1. Remote access and networks
  2. Building systems backup and configuration
  3. Technician policy management

This article focuses on remote access and networks, followed by the next two topics in subsequent articles.

The typical (and risky) approach to building system network set up includes one of the following:

  • The building owner’s IT group provides a network drop and VPN for the building system(s) in need, relying on the contractor to manage network access
  • The contractor sets up their own network before the owner’s IT group gets involved, managing the network with no IT oversight, including redundant monthly internet service fees in their service contract

In either of these circumstances, this results in at-risk networks. Networks need constant care to stay secure, and building system networks require their front end, network controllers, and field controllers to be managed and monitored to remain safe.

Vendor actions can create new risks, especially with remote access to building systems.

The convergence of OT with the networking and IT world results from technology improvement that enables efficient building operations. Many vendors have unmanaged remote access to their systems to improve the timeliness of troubleshooting and software modifications. While remote access benefits owners in the form of fewer onsite vendor visits, it also creates an avenue for bad actors to get inside.

Remote access should not be provided by the vendor, but by the owner, and the owner should ensure that proper user management be applied for any vendor access. This ensures that vendors can focus on what they are good at, namely their system and its operation, not networking.

After many years of advisory, research and development, we determined there are three critical characteristics necessary for managing remote access risks in commercial real estate:

  1. Invisible: 1-to-1 connection, invisible to the Internet, no random inbound traffic, no routing choices, no personal use, social media, or rogue connections. Unlike traditional IT security, there is no visible “front door” to enter, nor permissible access to unauthorized destinations.
  2. Simple: The solution must be shippable and plug and play and can only “phone home” when connected. No IT expertise required.
  3. Inexpensive: Our Zero Trust approach has a much lower cost structure than traditional VPN, cutting down budget processes for buildings and portfolios that often dictate how facility management and controls contractors are engaged.

This approach to remote access protects from the outside in and helps from the inside out. In other words, it prevents technicians from web browsing, social media, and other non-work Internet access. Most of the ransomware in commercial real estate does not come in through hacking or the system’s “front door,” but from a phishing email with a malicious link or attachment opened by a vendor. After accessing your building system, malware frequently needs to “phone home” to start the ransomware process. Zero Trust blocks these attempts and prevents the malicious sequence from proceeding.

Zero-trust makes systems invisible to the Internet and only allows one-to-one, trusted connections. Every other connection type is denied by default, from inside or outside the network. By providing a zero-trust network, systems are protected from outside access and prevent the use of personal email and social media - prime phishing targets - on network computers. Defaulting to zero-trust means that the owner defines the ONLY trusted access. The owner working with the vendor to establish who can access and their level of access (read/write, read-only, etc.) ensures that remote access is done safely.

Additionally, it's important to have an inventory and threat detection function as part of the overall protection. This function identifies rogue devices and spots malware, which can then be quarantined and eliminated. Contractor technicians and staff are continuously plugging additional devices into building system networks - almost always for convenience and speed in the absence of IT policy or enforcement. These rogue devices become new risk endpoints for malware in addition to phishing and workstation contamination.

You can see how Zero Trust and threat detection work in together and alongside the building system backups and technician audits that we will address in the subsequent articles. In the fragmented and inconsistent commercial real estate environment, you must have an assessment and monitoring approach that addresses the entire chain of risk and not simply the narrow and limited traditional IT methods.

While it is unfortunate that current global events have escalated the urgency of securing systems, it is past time for commercial real estate owners to change their approach from the traditional vendor-led model to the more owner-led model.

Rob Murchison, Co-Founder, Intelligent Buildings
Rob Murchison has over 20 years experience in strategy consulting, sales and design of technology to real estate developers and commercial businesses with expertise in networking, and software and data base applications. He is currently a Principal and Co-Founder of Intelligent Buildings, LLC, founded in 2004 to help customers manage risk, enhance occupant wellbeing, and improve performance.

Tom Shircliff, Co-Founder, Intelligent Buildings
Tom Shircliff is a co-founder and principal of Intelligent Buildings. Intelligent Buildings was founded in 2004 and provides managed services and advisory services that reduce operational risk and lower cost structure in commercial real estate. Their services support smart building design development, contractor cybersecurity and facility public health solutions.

This Week’s Sponsor

Intelligent Buildings® offers portfolio-wide cybersecurity site assessments and ongoing managed services including secure remote access, system backup and policy audits. We are the only company solely focused on real estate technology advisory, assessment, and managed services. Since 2004, we are the most trusted and experienced name in Smart Buildings. Find out more at www.intelligentbuildings.com.