Weekly Briefing

article sponsor image
Feature

The Real Estate Cyber Consortium (RECC) – An Industry’s Effort to Address Cybersecurity for the Built Environment

5 min read
listen to article Listen to this article

IoT-enabled building control systems are a necessity of the 21st century smart building landscape. They allow buildings to create agile, responsive environments that provide critical services to optimize functional building operations, lower facility costs, while adapting to occupancy needs in real time.

To achieve optimal efficiency, internal building control systems are often connected to external networks to effectively monitor and adjust HVAC controls, lighting, etc. and analyze building data collected from a rising number of sensors. Many of these connections are ad hoc, or 'rogue' networks with little or no cyber hygiene and the installed building control systems, sensors and actuators often do not meet minimum reasonable security protocols. With the ever-increasing number of managed and unmanaged entry points to building data and operational systems, building owners and operators face unique challenges associated with securing smart buildings and facilities.

The influx of reports on massive data breaches at the hands of hackers is raising awareness of cybersecurity and the significance of securing IT systems is moving to the forefront for building control systems and facilities.

Innovative building systems that provide operational efficiencies - such as remotely accessible temperature controls or carbon-emission monitoring - can pose serious risks and potentially impact life-safety of building occupants. With real estate owners and operators responsible for hundreds, if not thousands of building occupants, cybersecurity threats that have the potential to compromise building systems need to be taken seriously. The industry supply chain has to address these risks and collaborate, share best practices and develop security standards.

With that goal in mind, the Real Estate Cyber Consortium (RECC) was launched.

The RECC journey started at Realcomm 2016 in San Jose. Following the Cybersecurity Forum at the conference, about 20 concerned real estate professionals expressed an interest in discussing the topic further and vowed to elevate awareness across the real estate community to improve cybersecurity preparedness for buildings and facilities.

One of the main hurdles the real estate industry faces is that responsibility for secure building systems is fragmented across the supply network: smart building technology solutions lack embedded security, integrators and service providers do not advocate awareness and best practices and cybersecurity accountability within real estate organizations is bifurcated and uncoordinated.

Since the initial meeting in 2016, there has been rising awareness that in order to address cybersecurity challenges associated with buildings and facilities, the entire supply chain needs to effectively partner and collaborate to address industry-wide threats. Aiming at aligning the development, deployment and ongoing support of building technology solutions with a core set of security principles and standards, RECC was officially formed in July 2018.

The 13 founding members of the Consortium - organizations that own, operate and/or manage real estate, as well as Realcomm as supporting entity - formed the RECC Leadership Board, which has since grown to include 19 companies. Leadership Board company representatives from facility management and IT, as well as additional contributing real estate members, join the efforts of the Consortium.

The Leadership Board meets once a month to share insight on best practices, policies and procedures and discuss the industry’s adoption of cybersecurity protocols. External cybersecurity experts from within and outside the industry are invited as guest lecturers to provide briefings on security related topics relevant to the built environment.

Industry Cybersecurity Best Practices and Guidelines

Since the formation of the RECC, three working groups have developed best practices and guidelines that were presented at the Cybersecurity Forum at Realcomm 2019 in Nashville:

(1) IT Security for OT Systems

Many IT-focused cybersecurity frameworks don’t work for next generation building operational technology. Unique aspects of OT building systems and devices demand modified approaches to minimizing the risk for the built environment. The IT Security for OT Systems working group takes best practices in the real estate industry to provide guidelines for: traditional IT staff who generally have little awareness of OT requirements; building operators, who may lack experience with IT lifecycle management; and industry service and solution providers, whose product and service offerings must be aligned with crucial cybersecurity requirements.

The best practices are grouped into three categories:

  • Technical (device-specific and system-wide) considerations

  • Policy and Process management reviews, and Employee

  • Third-Party specific cybersecurity protocols
(2) IT Security Assessment for OT Systems

Effectively evaluating IT security in smart building technology solutions requires a comprehensive assessment of vendor practices. The IT Security Assessment for OT Systems working group identified elements of a vendor questionnaire based on industry best practices, covering the following categories:

  • Solution Profile; Company Security Practices

  • General Security Standards and Personal Identifiable Information/Data Privacy Security Standards

  • On Premise Head End/Servers Appliances

  • On Premise End Point (IoT) Devices and Cloud/SaaS solutions

  • Implementation and Data Integrations

  • Ongoing Support
For each category, a set of questions is provided to assess cybersecurity readiness of a third-party company, as well as their solution and processes.

(3) Guiding Principles to Improve Vendor Cybersecurity Contract Requirements

Beyond negative reputational and financial aftermaths, the risks associated with data breaches of OT building systems include serious impacts to life-safety of building occupants. With the advancements of technologies and the increasing interconnectedness of smart building solutions and devices, ensuring continuous availability, integrity and confidentiality of personal, business and building operating data must be a top priority when entering into third-party vendor contracts. The Vendor Contract Language working group identified contract element requirements for third-party vendors based on industry best practices. The developed guidelines cover data ownership, breach and vulnerability notifications, cybersecurity insurance, stress and penetration testing, and more, as well as business continuity and disaster recovery plans.

If you are interested in getting involved with the Consortium or want to receive updates on the work of the RECC, join our LinkedIn group. To receive a copy of the latest version of the RECC Best Practices and Guidelines (available to industry stakeholders), please contact recc@realcomm.com.

Sarah Bemporad, Webinars & Program Manager, Realcomm
As Webinars and Program Manager at Realcomm, Sarah Bemporad is responsible for conducting real estate tech webinars and managing the educational content for online seminars and conferences. Previously, Sarah managed investor and corporate relations at Paramount Group, a fully-integrated REIT headquartered in New York.

This Week’s Sponsor

MRI Software delivers innovative applications and hosted solutions that free real estate companies to elevate their business. Our flexible technology platform and open and connected ecosystem meet the unique needs of real estate businesses, from property-level management and accounting to investment modeling and analytics for the global commercial and residential markets. For more information, please visit www.mrisoftware.com.