The Real Estate Cyber Consortium (RECC) – An Industry’s Effort to Address Cybersecurity for the Built Environment
IoT-enabled building control systems are a necessity of the 21st century smart building landscape. They allow buildings to create agile, responsive environments that provide critical services to optimize functional building operations, lower facility costs, while adapting to occupancy needs in real time.
To achieve optimal efficiency, internal building control systems are often connected to external networks to effectively monitor and adjust HVAC controls, lighting, etc. and analyze building data collected from a rising number of sensors. Many of these connections are ad hoc, or 'rogue' networks with little or no cyber hygiene and the installed building control systems, sensors and actuators often do not meet minimum reasonable security protocols. With the ever-increasing number of managed and unmanaged entry points to building data and operational systems, building owners and operators face unique challenges associated with securing smart buildings and facilities.
The influx of reports on massive data breaches at the hands of hackers is raising awareness of cybersecurity and the significance of securing IT systems is moving to the forefront for building control systems and facilities.
Innovative building systems that provide operational efficiencies - such as remotely accessible temperature controls or carbon-emission monitoring - can pose serious risks and potentially impact life-safety of building occupants. With real estate owners and operators responsible for hundreds, if not thousands of building occupants, cybersecurity threats that have the potential to compromise building systems need to be taken seriously. The industry supply chain has to address these risks and collaborate, share best practices and develop security standards.
With that goal in mind, the Real Estate Cyber Consortium (RECC) was launched.
The RECC journey started at Realcomm 2016 in San Jose. Following the Cybersecurity Forum at the conference, about 20 concerned real estate professionals expressed an interest in discussing the topic further and vowed to elevate awareness across the real estate community to improve cybersecurity preparedness for buildings and facilities.
One of the main hurdles the real estate industry faces is that responsibility for secure building systems is fragmented across the supply network: smart building technology solutions lack embedded security, integrators and service providers do not advocate awareness and best practices and cybersecurity accountability within real estate organizations is bifurcated and uncoordinated.
Since the initial meeting in 2016, there has been rising awareness that in order to address cybersecurity challenges associated with buildings and facilities, the entire supply chain needs to effectively partner and collaborate to address industry-wide threats. Aiming at aligning the development, deployment and ongoing support of building technology solutions with a core set of security principles and standards, RECC was officially formed in July 2018.
The 13 founding members of the Consortium - organizations that own, operate and/or manage real estate, as well as Realcomm as supporting entity - formed the RECC Leadership Board, which has since grown to include 19 companies. Leadership Board company representatives from facility management and IT, as well as additional contributing real estate members, join the efforts of the Consortium.
The Leadership Board meets once a month to share insight on best practices, policies and procedures and discuss the industry’s adoption of cybersecurity protocols. External cybersecurity experts from within and outside the industry are invited as guest lecturers to provide briefings on security related topics relevant to the built environment.
Industry Cybersecurity Best Practices and Guidelines
Since the formation of the RECC, three working groups have developed best practices and guidelines that were presented at the Cybersecurity Forum at Realcomm 2019 in Nashville:
(1) IT Security for OT Systems
Many IT-focused cybersecurity frameworks don’t work for next generation building operational technology. Unique aspects of OT building systems and devices demand modified approaches to minimizing the risk for the built environment. The IT Security for OT Systems working group takes best practices in the real estate industry to provide guidelines for: traditional IT staff who generally have little awareness of OT requirements; building operators, who may lack experience with IT lifecycle management; and industry service and solution providers, whose product and service offerings must be aligned with crucial cybersecurity requirements.
The best practices are grouped into three categories:
- Technical (device-specific and system-wide) considerations
- Policy and Process management reviews, and Employee
- Third-Party specific cybersecurity protocols
Effectively evaluating IT security in smart building technology solutions requires a comprehensive assessment of vendor practices. The IT Security Assessment for OT Systems working group identified elements of a vendor questionnaire based on industry best practices, covering the following categories:
- Solution Profile; Company Security Practices
- General Security Standards and Personal Identifiable Information/Data Privacy Security Standards
- On Premise Head End/Servers Appliances
- On Premise End Point (IoT) Devices and Cloud/SaaS solutions
- Implementation and Data Integrations
- Ongoing Support
(3) Guiding Principles to Improve Vendor Cybersecurity Contract Requirements
Beyond negative reputational and financial aftermaths, the risks associated with data breaches of OT building systems include serious impacts to life-safety of building occupants. With the advancements of technologies and the increasing interconnectedness of smart building solutions and devices, ensuring continuous availability, integrity and confidentiality of personal, business and building operating data must be a top priority when entering into third-party vendor contracts. The Vendor Contract Language working group identified contract element requirements for third-party vendors based on industry best practices. The developed guidelines cover data ownership, breach and vulnerability notifications, cybersecurity insurance, stress and penetration testing, and more, as well as business continuity and disaster recovery plans.
If you are interested in getting involved with the Consortium or want to receive updates on the work of the RECC, join our LinkedIn group. To receive a copy of the latest version of the RECC Best Practices and Guidelines (available to industry stakeholders), please contact firstname.lastname@example.org.
This Week’s Sponsor
MRI Software delivers innovative applications and hosted solutions that free real estate companies to elevate their business. Our flexible technology platform and open and connected ecosystem meet the unique needs of real estate businesses, from property-level management and accounting to investment modeling and analytics for the global commercial and residential markets. For more information, please visit www.mrisoftware.com.
UPCOMING REALCOMM WEBINARS
The 5G Future – Assessing the Landscape for IN-BUILDING COMMUNICATIONS - 2/20/2020
The next generation of wireless – 5G, CBRS, Wi-Fi 6 and BLE (Bluetooth Low Energy) – is on the horizon. Increased speeds, low latency, and reduced congestion on mobile networks will revolutionize the way we use an ever-increasing number of IoT devices and design in-building communication infrastructures. 5G and CBRS are technologies providing cellular service, WI-FI 6 is a short-range wireless access technology, and BLE is a wireless personal area network designed especially for short-range communication – all technologies are complementary and will each support different use cases in the built environment. This webinar will provide an overview of the different technologies and discuss how they will work together to provide enhanced mobility, capacity and data rates. First generation use cases in the real estate industry will be presented.
Nicholas Stello is the SVP of IT Infrastructure for New-York based Vornado Realty Trust. His responsibilities include leading the company's IT initiatives as they relate to in-building cellular, networking, cyber security and smart building connectivity. Vornado’s unique assets have enabled Mr. Stello to both differentiate and increase the value of its properties by structuring innovative agreements with national cellular carriers and other related technology providers.
Luke Lucas manages the Build Your Own Coverage (BYOC) program for T-Mobile USA. His focus is on enterprise and in-building coverage, furthering the role of wireless in buildings as a 5th utility-like service. In his role, Luke is involved with smart building and smart city technologies, 5G wireless and the relationship between enterprises installing infrastructure and the connection to T-Mobile signal source and backhaul.
Richard J. (“Dick”) Sherwin has been involved in wireless communications and radio frequency transmission for the past 30 years. Together with a number of telecommunications veterans, he founded and funded Spot On Networks, LLC, a provider of wireless telecommunications for the Multifamily Residential and Multitenant commercial building industry. Previously, he was CEO of Metromedia International Telecommunications Inc. and as a member of the Board of Directors of Metromedia International Group, Inc. since its inception. He was instrumental in establishing approximately 47 wireless and wired telecommunications ventures in Eastern Europe and the former Soviet Union Republics in wireless telecommunications including cellular telephony, cable television and radio paging.
Alan Ni is the Director of Smart Spaces and IoT for Aruba, a Hewlett Packard Enterprise company, with over 15 years of technology and financial expertise with mobile computing. Alan’s team is responsible for developing Aruba’s Smart Spaces and digital workplace strategy.
Jeff Hipchen is EVP of RF Connect where he oversees marketing, sales and services. He also serves as President of the Safer Buildings Coalition, an industry group focused on indoor public-safety communications. Prior to RF Connect, Jeff founded Digital Data Solutions, Inc., a Midwest Voice and Data Network solutions provider. Jeff has previously been an advisor to several start-up companies, assisting them with the development of their business plans, funding and sales execution.
John Dulin is a 30-year global telecom and enterprise executive and has held senior positions in product management, marketing and sales in the areas of fiber optics, wireless and new technology development. Currently with Corning, John is focused on introducing its fiber optic and wireless innovations to the commercial real estate market.