Traditional IT Cybersecurity Methods Don’t Work in Commercial Real Estate
Tom Shircliff, Co-Founder, Intelligent Buildings
VPNs and firewalls alone are difficult to implement and manage in CRE at scale and could make things worse.
Our previous newsletter article described the radically different environment in commercial real estate compared to traditional enterprise IT and the three areas that must be addressed:
- Remote access and networks
- Building systems backup and configuration
- Technician policy management
This article focuses on remote access and networks; the other two topics will be covered in subsequent articles.
The typical (and risky) approach to building system network setup is one of the following:
- The building owner’s IT group provides a network drop and VPN for the building system(s) in need, relying on the contractor to manage network access
- The contractor sets up their own network before the owner’s IT group gets involved, managing the network with no IT oversight, including redundant monthly internet service fees in their service contract
Either arrangement results in at-risk networks. Networks need constant care to stay secure, and building system networks require their front end, network controllers, and field controllers to be managed and monitored to remain safe.
Vendor actions can create new risks, especially with remote access to building systems.
The convergence of OT with the networking and IT world results from technology improvement that enables efficient building operations. Many vendors have unmanaged remote access to their systems to improve the timeliness of troubleshooting and software modifications. While remote access benefits owners in the form of fewer onsite vendor visits, it also creates an avenue for bad actors to get inside.
Remote access should be provided by the owner, not the vendor, and the owner should ensure that proper user management is applied to any vendor access. This lets vendors focus on what they are good at, namely their system and its operation, not networking.
After many years of advisory, research and development, we determined there are three critical characteristics necessary for managing remote access risks in commercial real estate:
- Invisible: 1-to-1 connection, invisible to the Internet, no random inbound traffic, no routing choices, no personal use, social media, or rogue connections. Unlike traditional IT security, there is no visible “front door” to enter, nor permissible access to unauthorized destinations.
- Simple: The solution must be shippable and plug-and-play, and may only “phone home” when connected. No IT expertise required.
- Inexpensive: Our Zero Trust approach has a much lower cost structure than traditional VPN, cutting down budget processes for buildings and portfolios that often dictate how facility management and controls contractors are engaged.
This approach to remote access protects from the outside in and helps from the inside out. In other words, it prevents technicians from web browsing, social media, and other non-work Internet access. Most of the ransomware in commercial real estate does not come in through hacking or the system’s “front door,” but from a phishing email with a malicious link or attachment opened by a vendor. After accessing your building system, malware frequently needs to “phone home” to start the ransomware process. Zero Trust blocks these attempts and prevents the malicious sequence from proceeding.
Zero Trust makes systems invisible to the Internet and only allows one-to-one, trusted connections. Every other connection type is denied by default, whether it originates inside or outside the network. A Zero Trust network both protects systems from outside access and prevents the use of personal email and social media (prime phishing targets) on network computers. Defaulting to Zero Trust means that the owner defines the ONLY trusted access. The owner, working with the vendor, establishes who can access the system and at what level (read/write, read-only, etc.), ensuring that remote access is done safely.
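One way to express the deny-by-default, one-to-one model described above as a concrete gateway ruleset. This is an added nftables example, not code from the article or from Intelligent Buildings' product; the addresses, interface names and service port are constructed assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the article: a deny-by-default nftables ruleset for a
# small gateway placed in front of a building-system segment.
# All addresses, interface names and the service port are constructed assumptions.

define bms_if    = "eth1"        # interface facing the building-system segment (assumed)
define wan_if    = "eth0"        # interface facing the Internet / owner network (assumed)
define bms_front = 10.50.0.10    # building-system front end that vendors service (assumed)
define owner_gw  = 203.0.113.10  # owner-managed remote-access gateway (assumed)
define front_svc = 443           # the single service the owner exposes on the front end (assumed)

flush ruleset

table inet bms_zero_trust {
    chain input {
        # Nothing may talk to the gateway itself except loopback and reply traffic.
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
    }

    chain forward {
        # Deny by default in both directions; every permitted path is listed explicitly.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # The only 1-to-1 path in: owner gateway -> front end, one service.
        # There is no Internet "front door", so random inbound scans never reach a controller.
        iifname $wan_if oifname $bms_if ip saddr $owner_gw ip daddr $bms_front tcp dport $front_svc ct state new accept

        # The only path out: the segment may "phone home" to the owner gateway alone.
        iifname $bms_if oifname $wan_if ip daddr $owner_gw ct state new accept

        # Anything else a technician workstation or infected host tries to reach
        # (web browsing, personal email, a malware callback) is logged, then dropped.
        # The log line is the detection signal for the monitoring function.
        iifname $bms_if oifname $wan_if log prefix "bms-egress-denied " drop
        iifname $wan_if oifname $bms_if log prefix "bms-ingress-denied " drop
    }
}
```

Load it with `nft -f` on the gateway; the `bms-egress-denied` log lines are what a monitoring function watches for callback attempts and non-work traffic from the segment.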
Additionally, it's important to have an inventory and threat detection function as part of the overall protection. This function identifies rogue devices and spots malware, which can then be quarantined and eliminated. Contractor technicians and staff are continuously plugging additional devices into building system networks - almost always for convenience and speed in the absence of IT policy or enforcement. These rogue devices become new risk endpoints for malware in addition to phishing and workstation contamination.
You can see how Zero Trust and threat detection work together, alongside the building system backups and technician audits that we will address in the subsequent articles. In the fragmented and inconsistent commercial real estate environment, you must have an assessment and monitoring approach that addresses the entire chain of risk, not simply the narrow and limited traditional IT methods.
While it is unfortunate that current global events have escalated the urgency of securing systems, it is past time for commercial real estate owners to change their approach from the traditional vendor-led model to the more owner-led model.
This Week’s Sponsor
Intelligent Buildings® offers portfolio-wide cybersecurity site assessments and ongoing managed services including secure remote access, system backup and policy audits. We are the only company solely focused on real estate technology advisory, assessment, and managed services. Since 2004, we have been the most trusted and experienced name in Smart Buildings. Find out more at www.intelligentbuildings.com.