Weekly Briefing

article sponsor image
Feature

Cyber Threats Keep Changing: Can Your Security Strategy Keep Up?

5 min read
listen to article Listen to this article

With the growing landscape of intelligent building systems being deployed in commercial real estate, asset owners must develop a cyber-physical strategy to meet the ever-changing threats. As we continue integrating access controls, cameras, smart lighting, and even intelligent irrigation at scale, we must ensure that we do not sacrifice security for accessibility.

As CRETech, PropTech, OTTech, and every other "Tech" solution boomed over the past years, the industry has experienced a building technology renaissance that has not been seen for decades. The workplace has transformed into a hybrid experience where individuals expect the comforts of a mature network while also having amenities from home. Buildings are becoming more connected, smarter, and accessible every minute. With the addition of new technologies, we must vet a solution's software and hardware integrations to ensure they meet the ever-growing security challenges threatening our industry.


As an industry, we spend millions on technology usage and development to meet the properties' challenges. There are elevators that track your phones and take you to the correct floor, turnstiles that can recognize an individual's appearance to allow access, and sensors that can tell you how busy the cafeteria is so that you can catch that hot cup of coffee. The comforts are there, yet we still need more understanding of the hardware security that operates those systems. Some individuals are still under the impression that because these are not your traditional "IT systems," they don't require extensive security policies around them. Accessible technology makes the lives of both the occupants and operators easier, but it also opens the sites up to potential harm from others. This leads to damaging scenarios such as::

  • Threat actors expose camera vulnerabilities of 150,000 devices
  • The breach of consumer information managed by retailers and service providers
  • Attacks on power grids

Note that the common thread in these cases was an attack vector from a system prioritizing accessibility over security.


Historically, the seriousness of deploying a cyber-physical foundation for building systems was lacking. Many believed that building technology networks was less complex and thus did not require the necessary amount of seriousness as a traditional enterprise. Some companies deployed 4K cameras without thinking that unmanaged legacy switches would never be able to handle the traffic. Others provided vendors with access to their data via open internet connections, unaware of the potential threats they had created. Even I was surprised when we produced more than 15,000 data points daily from a single occupancy system. It wasn’t until business journals began to publish real-world incidents surrounding building threats that it finally piqued the interest of building owners. If someone were to breach those systems, the impact on buildings could have significant repercussions.


Traditionally, building systems were managed by the vendors who supported the site. While these groups are best in class at their functions, they may not have had the adequate cyber posture to secure the buildings properly. Manufacturers also increased their innovation and technology integrations, leading MSIs to deploy technology solutions that may need more depth. We found ourselves in an industry where recommendations were being made for properties to upgrade to the latest and greatest piece of hardware without the guidance of integrating that equipment into secure networks. Would you place your enterprise servers on an unsecured network connection? Then why would you place industrial control devices on a network with minimal security?


As a result of the technological innovations going into buildings, it was critical that enterprise IT teams became involved in the vetting of systems being deployed. Cyber policies became imperative as all these systems now connect to either one or many outside solutions. Within these policies, we must also look closely into the historically deployed hardware. Cameras that may have never been patched now connect to remote solutions to increase surveillance efficiencies, but they may be exposed to threat actors. Access control panels that store information on users can have their communications monitored; onboard relays can be modified, and attackers can even deny services to those specific devices. Manually operating buildings has always been an answer to system interruption incidents, but what happens when more than one building, region, and portfolio gets targeted? Security at scale is a much harder target to achieve. We became infatuated with having more tech, more systems, and more shiny things that we hoped would distract threat actors from really looking under the hood. There was an explosion of solutions, and if you had an idea, there was a vendor that would promise you that it was possible. As the layers of systems and data became deeper and deeper, cracks began to show on the foundation.


Fortunately, the industry has moved toward building systems being enterprise-grade. Fantastic work has been done on converged networks, zero trust architecture, and the IT department actively participating in building construction from the beginning. Leaders in our industry, such as the Real Estate Cyber Consortium (RECC), are helping spearhead the development of better practices and standards. Member organizations such as Kilroy, QuadReal, BXP, Brookfield and COPT, just to name a few, are leading innovation in the deployment of smart building technology.


At Kilroy, we have taken a foundational approach by selecting intelligent building standards, integrating them into our processes and wrapping them around cyber security in depth. Within our construction/development team, adoption of technology standards has helped shape the way we think of deploying a building. For our Kilroy Oyster Point project, Nate Marshall, VP of Development-Kilroy, Warren Forster, Director of Construction Services-Kilroy, and Marcus Lim Project Manager- Hathaway Dinwiddie, worked together to implement our technology standards into real world projects. They utilized development/construction best practices, with technology foundations and cyber security policies to deliver an innovative building. Technology is no longer an afterthought or a second day project, it has been woven into the construction process and is now as important as laying the physical foundation.


The following steps in our growth are to validate what I've called the bells and whistles of technology. We know that an enterprise-grade network is fundamental to the ongoing deployment of intelligent building technology. Having managed switches, routers, firewalls, etc., help provide a platform for the various system to connect and share their data. We must ensure that those devices we are layering on top to innovate operations are not creating potential pitfalls for our future. We should validate all equipment to confirm that we are delivering reliable, sustainable, and innovative buildings.


To learn more about cybersecurity best practices for the built environment, join us at Realcomm | IBcon's annual precon event, CRE Cybersecurity Forum, on June 12 in Las Vegas. Featured industry thought leaders, like Bayron Lopez, will address the most high-impact cyber threats and OT ransomware attacks building owners and operators face today. Register now!


Bayron Lopez, Director, Operational Technology, Kilroy Realty
Bayron Lopez is the Director, Operational Technology responsible for managing and innovating Kilroy Realty's smart buildings systems. He helps determine policies and processes from security to maintenance and growth to increase building efficiency and tenant experience. Kilroy is a leading West Coast landlord and developer globally recognized for sustainability, building operations, innovation and design.

This Week’s Sponsor

LightBox is the world’s leading real estate information and technology platform. Through operational excellence and a passion for innovation, the company facilitates transparency, efficiency, insight, and prediction for real estate investment and location analytics.