Red Alert on the Cyber-side of Your (Smart) Buildings
It’s not a question of how, it’s a question of when. Your office building will be hacked, assaulted, infiltrated or otherwise digitally compromised. Commercial property owners and managers are racing to get ahead of this burgeoning problem. All internet-connected systems have security vulnerabilities. Managing the emerging complexity of interconnected devices and systems will require vigilance, coordination and hard work. But to maintain continued asset value and return on investment, property professionals will respond.
The electronic and mechanized components of buildings are increasingly being connected as the Internet of Things (IoT). In the words of cybersecurity expert Bruce Schneier, “Everything is becoming a computer(1)” In the old days, a phone was a phone, and could only be used as a phone. Now, our phones are microprocessing powerhouses capable of hundreds of computational and communication functions. Similarly, previously analog but now digitally-controlled components of building mechanicals are linking together. Proprietary control systems for comfort or security are connecting and starting to share operating languages.
Over the past recent years, best-in-class building operators have embraced building management systems (BMS) to improve their efficiencies and service delivery. BMS integrate security, access, energy (HVAC and lighting), conveyances and other aspects of a building. Building operators are able to control electronic systems from improved dashboards and control rooms. This has saved on staffing costs, improved responsiveness to tenants and opened up new areas of management and value capture in commercial real estate.
However, each device, being able to connect with a digital platform, can now potentially be reached by an outside party. The vulnerability is real, and could range between $243 billion to $1 trillion in the US alone(2). Anything one person can control through the internet means some other person, perhaps less well-intentioned, could as well. Facilities operators have been accustomed to remote and obscure components; now, their responsibilities are integrated and pervasive.
In 2016, the Presbyterian Memorial Hospital in Hollywood, CA, was shut down(3) by ransomware which held hostage the facility’s management system such that they had to turn away ambulances at the ER. They wound up paying $17,000 in bitcoin. The culprit has never been caught.
Target’s 2016 massive credit card data breach was attained through an HVAC contractor system(4): a hacker found a vulnerability and pivoted into other systems beyond the building controls into the corporate IT core, stealing sensitive customer data.
What can we anticipate? If you think it’s annoying to have a fire-alarm interrupt your tenants’ activities, what about your building being locked until you provide a digital ransom to a hacker? What components are critical links in your facility service provision? What special components have you introduced to improve the tenant experience, such as distributed comfort level assessment or cleaning robots, do you not fully vet for cybersecurity?
What can be done? More devices means more problems. Older building operations components generally don’t have security features and are not updatable to respond to current levels of hacking. There are often little in the way of patching. People are unresponsive to requests to register products or update passwords. It is a mess.
Memoori Research estimate that global revenues for smart building cyber security will reach $8.65 billion by 2021, up from an estimated $ 4.26 billion in 2016. This is a lot of actors and a lot of contracts. It is the reality of integrating IT with OT (operations technology). You will be expected to redirect resources toward this nascent problem. What is your plan for technological resilience? Who will you partner with?
Some entities are offering paths forward, such as municipalities who see the need for an integrated digital infrastructure to link government services, anti-crime efforts, and smart buildings throughout their jurisdiction. Cities are faster-moving than state and federal governments and experience the effects of economic disruption more acutely. Organizations that link cities to their real estate sectors like the Urban Land Institute or A Better City (for example, in Boston, MA) could convene practitioners on this topic but have other priorities like economic development, congestion relief, and storm resilience. Some of the best cybersecurity practices of municipalities – for their own facilities – can have spillover effects for nearby institutional and private real estate holders if the parties work together.
Some will suggest that stronger government intervention will be necessary – this is similar to a public health situation and we have to minimize the potential of irresponsible facility gatekeepers to create threats to our society through open back doors and weak firewalls against antagonists. But increased regulations are unlikely to manifest in the US currently. Even in Europe, the de-facto leader on addressing cybersecurity and digital assets, the Global Data Protection Act will do little to improve security in buildings. A UN-chartered or OECD-backed project might begin to address cybersecurity of critical infrastructure and IT in general, but lowly brick-and-mortar buildings will be far down the list of priorities. Yet buildings and the real estate industry do respond to governmental frameworks like building codes and safety regulations.
Others say let the free hand of the market respond to cybersecurity threats: if people perceive risks, they will motivate to address the threats. Education, beyond newsworthy crises, could be enough to help actors understand the threat and seek corrective measures. While industry associations like the International Facilities Managers Association (IFMA) and Building Operators Managers Association (BOMA) are held in high esteem for providing trainings in property management, energy efficiency and leadership, neither have a robust program to address cybersecurity of buildings(6). It is a major gap in the marketplace.
Are there other ways to follow processes already in place in the building sector to voluntarily recognize and third-party-validate claims regarding cybersecurity in buildings? Real estate has long worked with the design professions to attain recognition for best architecture and best aesthetics through awards and prizes. More recently the LEED rating system (Leadership in Energy & Environmental Design) has created a market for the premium that users place on buildings that respond better to sustainability concerns and the health effects on their occupants (as does the WELL system). In a parallel fashion, the Wired Score has created a means to evaluate and recognize the interconnectedness of a building and how user-friendly it is to the wifi-demanding “nomadic workforce” who cannot get work done without ubiquitous, fast and uninterrupted internet connectivity.
Yet Wired Score (nor the others) offer any assurances on the security of the connectivity they purview. Will the building mechanical systems vendors such as Siemens, Cisco and Johnson Controls engage? Are there startups like Building Robotics which will expand their solutions (i.e. Comfy) toward security? The new Internet of Things Security Foundation (IotSF) has gathered thought leaders into working groups(7) on smart buildings, vulnerability disclosure and other areas, and is a brave & new, but tenuous, step toward improved cybersecurity protocols and policies in the building sector.
Yet, In the absence of regulations, market-based recognition or moral suasion, operators are literally left to their own devices. Best practices include assessing what you have that is interconnected and digital, designing a regular process to monitor malfunctions, and ongoing patching and updating of software in each location where that is possible. Designating members of your facility’s team to focus on cybersecurity is a start: they can become active in local professional associations or the IoTSF. For practical first steps, the US-CERT provides a weekly vulnerability bulletin that a facility manager can reference against the catalogued components of their building’s digital infrastructure. If you are not keen to promote government intervention, you can advocate for your industry partners and professional associations to beef up coordinated counter-threat measures to improve building operations security. Do you have a professional networking group that you can use to trade ideas? You can now add cybersecurity to your list of topics to focus on.
Threats to cybersecurity are not just an issue for the IT department of that hot new digital agency tenant: these are clear and present dangers to everyone in your building, and you have a duty & responsibility to ensure the peaceable & productive enjoyment of their occupied space.
- Bruce Schneier, personal communication (in lecture) 11/7/17
- Rob Freeman, “Cybersecurity and Green Buildings” Poplar 7/24/15 https://www.poplarnetwork.com/news/cybersecurity-and-green-buildings
- Richard Winton, “Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating,” LA Times, Feb. 18, 2016 http://beta.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
- “Target Hackers Broke In Via HVAC Company” Krebs On Security, February 14, 2014 https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
- “Cyber Security in Smart Commercial Buildings 2017-2021” Memoori Research, 4/1/17 https://www.memoori.com/portfolio/cyber-security-smart-commercial-buildings-2017-2021/
- Guy Compagnone, Executive Director Strategic Partnerships & Education, Chapman Construction & Design, personal communication 12/2/17
- Alan Mihalic, “Protecting Smart Buildings from Cyber Attack” Engineering.com August 21, 2017 https://www.engineering.com/BIM/ArticleID/15476/Protecting-Smart-Buildings-from-Cyber-Attacks.aspx