Cybersecurity Best Practices for Smart Building Technologies
Back in 1998, as I was transitioning into a new opportunity, something occurred that has never left me. I was moving to a consulting services organization that would require me to stretch my skills, and I was excited.
Early on at my new job I received a personal email from a colleague - what I presumed to be a forwarded joke. He worked in finance at my previous company and was well connected to our industry. While he and I had worked together on projects, I wouldn't say that we were close personally. I knew that he could connect me to many potential clients, so when I glanced at the subject line it was barely a split second thought, “Huh, that's strange.” Then I clicked.... Strange didn’t begin to describe what happened next.
Let's go back to that split-second, my inner voice was there in that moment, I just didn’t listen. I knew this individual to be very conservative, he worked in finance crunching numbers for our corporate investors. Why would he send me a joke? I was soon to find out it was anything but a joke. The virus that spread through my computer would cost me untold recovery hours and personal anguish, all due to that click. It was early on technology-wise so I didn’t have the huge digital footprint that I have now; it was devastating, nonetheless. Ask anyone who has experienced a virus, identity fraud or ransomware, and they will recount a similar tale of woe.
While the initial impact is distressing, the sense of loss becomes increasingly acute, growing into revulsion as the sense of personal violation really sets in. I was attacked. That click would haunt me for some time as I struggled to clean up the mess. A simple click … and I knew better. Obviously, I haven’t forgotten the lesson, and whenever I read or hear about a new phishing attack, I think back to my first malware incident. All it takes is a click. Let’s fast forward to today.
I have described at previous CRE industry events and in webinars that we at Wells Fargo started a dedicated building technology cybersecurity program in 2014. We expanded our focus and remediation to include both traditional IT assets (PCs, servers, routers), as well as Operation Technology (OT) assets. OT assets include devices that typically contain only firmware and are commonly known as IoT or Internet of Things. We consider building technologies as a combination of both the IT and OT assets. Some malware, for example WannaCry and NotPetya target traditional IT assets, while Mirai targeted OT devices like security cameras. As we assessed our building technology footprint and diligently addressed vulnerabilities, our work was made more difficult because of weaknesses in the overall supply chain.
Many products in the building technology space are not cyber secure. Scanning your OT network for vulnerabilities is not an option as many OT devices will “brick” when scanned. If you are unfamiliar with the term brick, it means that due to a patch or an upgrade the device was essentially made useless, something was corrupted, and the device is no longer functional. Consider this scenario occurring as a result of automated patching or vulnerability scanning on your building systems. What would you do if your building systems were “bricked?” Would your building be inhabitable if the HVAC failed in extreme weather, or your elevators were inoperative?
We began our assessment and our vendor discussions with a simple premise … as a device on our network, you are a guest and must abide by our rules. While we thought this was a basic tenet that everyone could support, not every manufacturer could address security deficiencies in either their products or support models. Some service providers could not abide by our security and contract stipulations. I discussed these issues with our internal control teams, explaining that products and services in the building technology industry were immature when compared to traditional Information Technology.
The building technology industry was not founded on a strong security model. The early products were designed to automate mechanical functions for building engineers. The products were designed to be easy to use, and security wasn’t an early consideration. During these conversations, I found myself emphasizing again and again the fact that this industry needed to change if we wanted to see more secure products and services in the future. Our goal is to get the disparate motivations in the supply chain better aligned, as everyone will have a role in improving security. Symantec measures Supply Chain attacks up 78% in 2019: The need for better collaboration and improved products is clearly needed now more than ever.
We knew that we were not alone in seeking supply chain improvements. The 2016 Realcomm | IBcon event in Silicon Valley gave us a perfect opportunity. We asked Realcomm to help convene a Cybersecurity Roundtable after the conference. Representatives from Corporate, Commercial and Governmental property organizations gathered to discuss building cybersecurity challenges. In 2017, we came together to form the Real Estate Cybersecurity Consortium (RECC) with the purpose to help elevate awareness, and to partner with manufacturers and service companies to share best practices and information that will improve the supply chain and the building technology industry. Below are the member companies that form our RECC Leadership Board and the contributing member organizations supporting our mission.
In 2019, the RECC came together to produce the following three best practices and guidelines to help improve the industry.
- (1) IT Security for OT Systems: Providing a best practices framework for the OT lifecycle starting with identification of a solution through maintenance/support and product end-of-life.
(2) IT Security Assessment for OT Systems: A series of questions used to assess the technology, process, and people of your OT systems using an IT-based focus.
(3) Guiding Principles to Improve Vendor Cyber Security Contract Requirements: Highlighting contract areas to provide better accountability from your vendors, and your vendor’s vendors.
While we enhance our membership model, you can find us and our best practices on LinkedIn at: Real Estate Cybersecurity Consortium. Connect with us, join the LinkedIn group and download our best practices. Apply them to your building technologies and your product/service contracts. You have nothing to lose and everything to gain. To come full circle, you may be one click away from an employee or vendor inviting malware in the door. One last item if you are not convinced, the FBI recently stated that cybercrime during the COVID-19 pandemic has increased 400%. That means a 400% increase on your pre-COVID risk which was already at a new high. So click join, not joke, and help protect us all.
This Week’s Sponsor
BrainBox AI aims to redefine building automation through artificial intelligence to be at the forefront of a green building revolution. Headquartered in Montreal, BrainBox AI employs over 55 people and supports commercial real estate clients in numerous sectors. BrainBox AI works in collaboration with research partners including the US Department of Energy, the Institute for Data Valorization (IVADO) as well as educational institutions such as McGill University.
The MSG Sphere Las Vegas: The Immersive Experience, Transformed The city of Las Vegas is known for its world-class entertainment, gaming, and hospitality industry. However, the latest buzz in the city is about the upcoming Sphere development...
Sterling Bay | 311 West Monroe: Verifying Performance-Based Design with Post-Occupancy Analytics The IBcon Smart Building Best Practice Showcase is an annual event held at the Realcomm | IBcon conference where real estate leaders present their most innovative, technology driven commercial and corporate real estate projects.
Real Estate Cyber Consortium (RECC): Creating a Path to Cyber Harmony – Challenging CRE’s Supply Chain The origins of Real Estate Cyber Consortium (RECC) date back to June 23rd, 2016 when a very informal, very private meeting of concerned leaders met at Realcomm 2016 in San Jose.
IP Edge Controllers: An Integral Part of a Building's Operational Strategy Over the last five years, we have seen a continued rise in edge computing and the use of Internet Protocol (IP) within the built environment.