Weekly Briefing


Cybersecurity Best Practices for Smart Building Technologies


Back in 1998, as I was transitioning into a new opportunity, something occurred that has never left me. I was moving to a consulting services organization that would require me to stretch my skills, and I was excited.

Early on at my new job I received a personal email from a colleague, what I presumed to be a forwarded joke. He worked in finance at my previous company and was well connected to our industry. While he and I had worked together on projects, I wouldn't say that we were close personally. I knew that he could connect me to many potential clients, so when I glanced at the subject line it was barely a split-second thought, “Huh, that's strange.” Then I clicked … Strange didn’t begin to describe what happened next.

Let's go back to that split second. My inner voice was there in that moment; I just didn’t listen. I knew this individual to be very conservative; he worked in finance crunching numbers for our corporate investors. Why would he send me a joke? I was soon to find out it was anything but a joke. The virus that spread through my computer would cost me untold recovery hours and personal anguish, all due to that click. It was early on technology-wise, so I didn’t have the huge digital footprint that I have now; it was devastating, nonetheless. Ask anyone who has experienced a virus, identity fraud or ransomware, and they will recount a similar tale of woe.

While the initial impact is distressing, the sense of loss becomes increasingly acute, growing into revulsion as the sense of personal violation really sets in. I was attacked. That click would haunt me for some time as I struggled to clean up the mess. A simple click … and I knew better. Obviously, I haven’t forgotten the lesson, and whenever I read or hear about a new phishing attack, I think back to my first malware incident. All it takes is a click. Let’s fast forward to today.

I have described at previous CRE industry events and in webinars that we at Wells Fargo started a dedicated building technology cybersecurity program in 2014. We expanded our focus and remediation to include both traditional IT assets (PCs, servers, routers) and Operational Technology (OT) assets. OT assets include devices that typically contain only firmware and are commonly known as IoT, or Internet of Things, devices. We consider building technologies to be a combination of both IT and OT assets. Some malware, for example WannaCry and NotPetya, targets traditional IT assets, while Mirai targeted OT devices such as security cameras. As we assessed our building technology footprint and diligently addressed vulnerabilities, our work was made more difficult by weaknesses in the overall supply chain.

Many products in the building technology space are not cyber secure. Scanning your OT network for vulnerabilities is not an option, as many OT devices will “brick” when scanned. If you are unfamiliar with the term brick, it means that due to a patch or an upgrade the device was essentially made useless: something was corrupted, and the device is no longer functional. Consider this scenario occurring as a result of automated patching or vulnerability scanning on your building systems. What would you do if your building systems were “bricked”? Would your building be habitable if the HVAC failed in extreme weather, or if your elevators were inoperative?

We began our assessment and our vendor discussions with a simple premise … as a device on our network, you are a guest and must abide by our rules. While we thought this was a basic tenet that everyone could support, not every manufacturer could address security deficiencies in either their products or support models. Some service providers could not abide by our security and contract stipulations. I discussed these issues with our internal control teams, explaining that products and services in the building technology industry were immature when compared to traditional Information Technology.

The building technology industry was not founded on a strong security model. The early products were designed to automate mechanical functions for building engineers. The products were designed to be easy to use, and security wasn’t an early consideration. During these conversations, I found myself emphasizing again and again that this industry needed to change if we wanted to see more secure products and services in the future. Our goal is to get the disparate motivations in the supply chain better aligned, as everyone will have a role in improving security. Symantec measured supply chain attacks up 78% in 2019: better collaboration and improved products are clearly needed now more than ever.

We knew that we were not alone in seeking supply chain improvements. The 2016 Realcomm | IBcon event in Silicon Valley gave us a perfect opportunity. We asked Realcomm to help convene a Cybersecurity Roundtable after the conference. Representatives from Corporate, Commercial and Governmental property organizations gathered to discuss building cybersecurity challenges. In 2017, we came together to form the Real Estate Cybersecurity Consortium (RECC) with the purpose to help elevate awareness, and to partner with manufacturers and service companies to share best practices and information that will improve the supply chain and the building technology industry. Below are the member companies that form our RECC Leadership Board and the contributing member organizations supporting our mission.

In 2019, the RECC came together to produce the following three best practices and guidelines to help improve the industry.

    (1) IT Security for OT Systems: Providing a best practices framework for the OT lifecycle starting with identification of a solution through maintenance/support and product end-of-life.

    (2) IT Security Assessment for OT Systems: A series of questions used to assess the technology, process, and people of your OT systems using an IT-based focus.

    (3) Guiding Principles to Improve Vendor Cyber Security Contract Requirements: Highlighting contract areas to provide better accountability from your vendors, and your vendor’s vendors.

While we enhance our membership model, you can find us and our best practices on LinkedIn at: Real Estate Cybersecurity Consortium. Connect with us, join the LinkedIn group and download our best practices. Apply them to your building technologies and your product/service contracts. You have nothing to lose and everything to gain. To come full circle, you may be one click away from an employee or vendor inviting malware in the door. One last item if you are not convinced: the FBI recently stated that cybercrime during the COVID-19 pandemic has increased 400%. That means a 400% increase on your pre-COVID risk, which was already at a new high. So click join, not joke, and help protect us all.

Charles Meyers, SVP & Chief Technical Architect, Corporate Property Group, Wells Fargo
Charles Meyers is SVP & Chief Technical Architect, Corporate Property Group of Wells Fargo, and is responsible for emerging technologies that optimize the company's real estate portfolio. Currently, he is focused on mitigating the emerging threats and cybersecurity vulnerabilities around building operational and physical security technologies. Charles has 39 years of financial systems and technology experience. Since 2016, he has also been spearheading the industry association, Real Estate Cyber Consortium (RECC), to elevate awareness across the real estate community and improve cybersecurity preparedness for buildings and facilities.

This Week’s Sponsor

BrainBox AI aims to redefine building automation through artificial intelligence to be at the forefront of a green building revolution. Headquartered in Montreal, BrainBox AI employs over 55 people and supports commercial real estate clients in numerous sectors. BrainBox AI works in collaboration with research partners including the US Department of Energy, the Institute for Data Valorization (IVADO) as well as educational institutions such as McGill University.