Weekly Briefing

article sponsor image
Partner Content

The Bright Side of Cybersecurity

4 min read
listen to article Listen to this article

Cybersecurity risks are rightly top of mind for all of us, but there is a bright side to the intensity of focus and concern. If we can properly and thoroughly deal with this issue in commercial real estate (CRE), we can more freely and confidently pursue all the benefits of smart and sustainable buildings.

When it comes to operational continuity, there is no bigger issue around the world than cybersecurity, whether your organization is a government, business, institutional, not-for-profit, or another type. This is no different for the facilities associated with all those organization types, and building-level cybersecurity must be paramount to any portfolio. CRE has also been identified as critical infrastructure for national security and targeted by nation-states and for-profit ransomware organizations. We have documented in this series how CRE is a completely different animal from traditional enterprise IT cybersecurity in that CRE is where cybersecurity gets physical, literally. Your thermal comfort, the lighting levels, if and where you can park, the quality of the air you breathe, and water you drink - all can be affected by CRE cybersecurity.

While trying to determine how to imbue your portfolio with even the most basic IT principles, you must get into a new level of vendor risk management (VRM) due to the fragmentation of contractors, technicians, geographies, and ownership structures. Dealing with the HVAC, elevators, lighting, metering, parking, and access control systems and contractors is not at all like securing your HR database. We highlighted three areas of concern and remediation that are pillars of CRE cybersecurity:

  1. Networking & Remote Access Management: Building systems are Internet-accessible and operate on local area networks. As a result, there needs to be “zero trust” remote access management.
  2. Building System Backup & Configuration: While defending against hacking, we must recognize that the building systems themselves are the “Alamo” and must be properly configured and backed up.
  3. People Policy Management: Policy management includes communicating the policy to all technicians and staff, auditing the policy, and augmenting the audits with tailored phishing campaigns and automated training.

The final point to summarize the risks and the path forward is the very significant insurance gaps and exclusions in Property & Casualty, General Liability, Cyber Riders, and Directors and Officers policies that must be acknowledged and addressed. We have been blending the CRE and insurance issue by becoming a global assessment partner of and advisor to buildingcybersecurity.org, which will be the first insurance-recognized framework for CRE cybersecurity.

With those three points and the insurance issue assumed, we can all ask, “Now what?” We can get back to the momentum the industry was building before our current cybersecurity era. In the early 20-teens, building analytics, operational dashboards, and integration-based use cases were increasing rapidly. However, when the industry realized how much connectivity and data exposure was occurring, a pall was cast over the movement. We had a front-row seat as one of the leading consultants in the analytics space and saw customer activity and interest wain. Our requests for building cybersecurity site assessments shot up into the thousands and has continued. We knew at that point the industry was practicing the Hippocratic Oath to “first do no harm.” In other words, being a little more energy efficient was not as important as keeping the building open for business. The big problem was not that building system cybersecurity couldn’t be dealt with. Building owners and managers didn’t know what systems, contractors, and connections were in their buildings and thus couldn’t start authorizing connections and data flow that were building on a house of cards. Add sensors, IoT, and AI to the mix, and the cyber-anxiety increased and the pace of innovation stalled.

This has caused pent-up demand to leverage technology for operational efficiency, hybrid work, occupant experience, and the drive to net zero and carbon neutrality. All these things require technology to achieve and maintain the outcomes and continue innovating.

Ever since we committed our company and customers to a strong cybersecurity foundation for any PropTech strategy or solution, we have seen this theory of “the bright side of cybersecurity” move into reality. Those owners and operators that used our cybersecurity managed services that all vendors and solution providers must use can comply with are adding more and more services “on top of” that foundation. After the base offering of secure, zero-trust remote access and threat detection, we saw demand for automated system and device inventory, then centralized system backup, then energy fault detection and diagnostics, and then sustainability monitoring. The list includes various forms of IoT and sensors - and those secure customers can confidently and continually evaluate new solutions and outcomes.

The latest iteration of cybersecurity enablement is a full net-zero approach based on all meter, carbon calculations, energy conservation measures (ECM), measure and verification (M&V) coming through a single, secure connection, and secure data distribution. This is analogous to a trusted train switcher that fully empowers the owner/operator and not the solution providers. Additional benefits of this new way include insulating owners from turnover involving property management, facility managers, maintenance vendors, and solutions that come and go.

So, there is a bright side to CRE cybersecurity, and we should all embrace this concept from the board room to the boiler room so the industry can continue its important work leveraging technology to help support changing work patterns, sustainability, productivity, the economy and national security.

Rob Murchison, Co-Founder, Intelligent Buildings
Rob Murchison has over 20 years experience in strategy consulting, sales and design of technology to real estate developers and commercial businesses with expertise in networking, and software and data base applications. He is currently a Principal and Co-Founder of Intelligent Buildings, LLC, founded in 2004 to help customers manage risk, enhance occupant wellbeing, and improve performance.

Tom Shircliff, Co-Founder, Intelligent Buildings
Tom Shircliff is a co-founder and principal of Intelligent Buildings. Intelligent Buildings was founded in 2004 and provides managed services and advisory services that reduce operational risk and lower cost structure in commercial real estate. Their services support smart building design development, contractor cybersecurity and facility public health solutions.

This Week’s Sponsor

Intelligent Buildings® offers portfolio-wide cybersecurity site assessments and ongoing managed services including secure remote access, system backup and policy audits. We are the only company solely focused on real estate technology advisory, assessment, and managed services. Since 2004, we are the most trusted and experienced name in Smart Buildings. Find out more at www.intelligentbuildings.com.