The Real Estate Cyber Consortium (RECC) – An Industry’s Effort to Address Cybersecurity for the Built Environment
IoT-enabled building control systems are a necessity of the 21st century smart building landscape. They allow buildings to create agile, responsive environments that provide critical services to optimize functional building operations and lower facility costs while adapting to occupancy needs in real time.
To achieve optimal efficiency, internal building control systems are often connected to external networks to effectively monitor and adjust HVAC controls, lighting, etc. and analyze building data collected from a rising number of sensors. Many of these connections are ad hoc or 'rogue' networks with little or no cyber hygiene, and the installed building control systems, sensors and actuators often do not meet minimum reasonable security protocols. With the ever-increasing number of managed and unmanaged entry points to building data and operational systems, building owners and operators face unique challenges associated with securing smart buildings and facilities.
The influx of reports on massive data breaches at the hands of hackers is raising awareness of cybersecurity, and the significance of securing IT systems is moving to the forefront for building control systems and facilities.
Innovative building systems that provide operational efficiencies - such as remotely accessible temperature controls or carbon-emission monitoring - can pose serious risks and potentially impact life-safety of building occupants. With real estate owners and operators responsible for hundreds, if not thousands of building occupants, cybersecurity threats that have the potential to compromise building systems need to be taken seriously. The industry supply chain has to address these risks and collaborate, share best practices and develop security standards.
With that goal in mind, the Real Estate Cyber Consortium (RECC) was launched.
The RECC journey started at Realcomm 2016 in San Jose. Following the Cybersecurity Forum at the conference, about 20 concerned real estate professionals expressed an interest in discussing the topic further and vowed to elevate awareness across the real estate community to improve cybersecurity preparedness for buildings and facilities.
One of the main hurdles the real estate industry faces is that responsibility for secure building systems is fragmented across the supply network: smart building technology solutions lack embedded security, integrators and service providers do not advocate awareness and best practices, and cybersecurity accountability within real estate organizations is bifurcated and uncoordinated.
Since the initial meeting in 2016, there has been rising awareness that in order to address cybersecurity challenges associated with buildings and facilities, the entire supply chain needs to effectively partner and collaborate to address industry-wide threats. Aiming at aligning the development, deployment and ongoing support of building technology solutions with a core set of security principles and standards, RECC was officially formed in July 2018.
The 13 founding members of the Consortium - organizations that own, operate and/or manage real estate, as well as Realcomm as a supporting entity - formed the RECC Leadership Board, which has since grown to include 19 companies. Leadership Board company representatives from facility management and IT, as well as additional contributing real estate members, join the efforts of the Consortium.
The Leadership Board meets once a month to share insight on best practices, policies and procedures and discuss the industry’s adoption of cybersecurity protocols. External cybersecurity experts from within and outside the industry are invited as guest lecturers to provide briefings on security related topics relevant to the built environment.
Industry Cybersecurity Best Practices and Guidelines
Since the formation of the RECC, three working groups have developed best practices and guidelines that were presented at the Cybersecurity Forum at Realcomm 2019 in Nashville:
(1) IT Security for OT Systems
Many IT-focused cybersecurity frameworks don’t work for next generation building operational technology. Unique aspects of OT building systems and devices demand modified approaches to minimizing the risk for the built environment. The IT Security for OT Systems working group takes best practices in the real estate industry to provide guidelines for: traditional IT staff who generally have little awareness of OT requirements; building operators, who may lack experience with IT lifecycle management; and industry service and solution providers, whose product and service offerings must be aligned with crucial cybersecurity requirements.
The best practices are grouped into three categories:
- Technical (device-specific and system-wide) considerations
- Policy and Process management reviews
- Employee and Third-Party specific cybersecurity protocols
Effectively evaluating IT security in smart building technology solutions requires a comprehensive assessment of vendor practices. The IT Security Assessment for OT Systems working group identified elements of a vendor questionnaire based on industry best practices, covering the following categories:
- Solution Profile; Company Security Practices
- General Security Standards and Personally Identifiable Information/Data Privacy Security Standards
- On Premise Head End/Servers Appliances
- On Premise End Point (IoT) Devices and Cloud/SaaS solutions
- Implementation and Data Integrations
- Ongoing Support
(3) Guiding Principles to Improve Vendor Cybersecurity Contract Requirements
Beyond negative reputational and financial aftermaths, the risks associated with data breaches of OT building systems include serious impacts to life-safety of building occupants. With the advancements of technologies and the increasing interconnectedness of smart building solutions and devices, ensuring continuous availability, integrity and confidentiality of personal, business and building operating data must be a top priority when entering into third-party vendor contracts. The Vendor Contract Language working group identified contract element requirements for third-party vendors based on industry best practices. The developed guidelines cover data ownership, breach and vulnerability notifications, cybersecurity insurance, stress and penetration testing, and more, as well as business continuity and disaster recovery plans.
If you are interested in getting involved with the Consortium or want to receive updates on the work of the RECC, join our LinkedIn group. To receive a copy of the latest version of the RECC Best Practices and Guidelines (available to industry stakeholders), please contact firstname.lastname@example.org.