Commercial property

It’s time CRE got serious about cybersecurity

Tom Shircliff

We all know about cybersecurity risks, either first-hand or from headlines that report high-profile incidents involving credit card statements, government records, corporate emails, and social media accounts. Add to that critical infrastructure incidents involving municipal water systems and gasoline pipelines, and other threats from nation states, including Iran and Russia.

Commercial real estate is another cybersecurity risk category that is part of our “critical infrastructure”, and a wide variety of buildings such as office towers, shopping malls, banks, hotels and industrial facilities are highly vulnerable. The US Energy Information Administration estimates the size of the US market alone at nearly six million buildings totaling 97 billion square feet. In addition to commercial buildings, the same vulnerabilities apply to hospitals, schools, government and military facilities, and almost any other non-single-family facility you can think of.

High threat

Commercial buildings are significantly affected by the systems within them, such as HVAC, elevators, lighting, parking, meters, physical access control, and many more. When these systems are shut down or tampered with, they can cause serious problems that go far beyond discomfort. Imagine if someone could stop or control airflow, disable elevators, turn off lights, close parking lots, cause equipment to fail, or lock and unlock doors. Consequences include risk to life safety, unsafe environmental conditions, danger to public health, replacement of equipment, regulatory non-compliance, loss of productivity, financial loss, valuation and performance deficiencies, insurance problems and brand damage.

It was recently revealed in secret Iranian documents that commercial real estate was specifically listed as a target, and Russia has been loudly threatening the West with cyberattacks. These are not idle threats, as the US Cybersecurity and Infrastructure Security Agency has identified Russian malware recently discovered in US commercial office buildings. This malware often originates from emails sent to unsuspecting building personnel and technicians. In addition, the industry has also experienced significant operational disruption due to poor internal building system management, leading to hidden costs, increasing risks and a lack of awareness.

Many people naturally think of the risks in so-called smart buildings and the increased technological complexity of the Internet of Things (IoT), artificial intelligence (AI) and the rest of the alphabet soup of technology buzz phrases. These are legitimate areas of concern, but they currently represent only a very small part of the commercial real estate industry and are nowhere near as big an issue as the inherited conditions of the existing building stock.

How we got here

Since the 1980s, almost all building control systems such as the ones mentioned above have been installed as “digital” systems, meaning they use a computer for the main controls (which is not surprising). For example, the thermostat near you probably talks to a controller in an equipment room on your floor, and each of those controllers is wired to a main computer. Multiply that by six, eight or even a dozen such systems in a typical commercial building and you can imagine the many computers, networking equipment and cables that exist out of necessity.

What’s more surprising is that they’re almost always connected to the internet, not by your IT department, but rather by a disparate array of different contractors with little or no IT awareness or cybersecurity training. It’s not uncommon to see residential-grade DSL equipment or cellular modems sitting on a shelf with a flashing green light, indicating that this equipment is passing incoming and outgoing traffic.

This technological furball is still not the worst part of the problem. CRE has perhaps the most fragmented organizational structure of any industry. Not only are there many different ownership arrangements, such as joint ventures, where it can be unclear who is ultimately responsible for risk and technology decision-making in each building, but the operating environment is made up of changing property management companies, changing facilities management personnel, and the silos of contractors who install and manage these many different building systems – not to mention the turnover in each of these respective organizations.

Imagine a portfolio of 100 buildings with a modest six building control systems (HVAC, elevator, lighting, parking, meters, access control) per building. This represents 600 systems with corresponding computers, cables, networks and Internet connections, 200 to 300 service companies and more than 3,000 individual technicians constantly accessing and configuring these systems.

Finding a cure

To create awareness and order, there are three things that must be done.

  1. Inventory and assessments: Most portfolio owners and investors simply have no idea what’s in their buildings in terms of building control systems (HVAC, elevator, parking, access control, etc.), how they’re connected, configured, and backed up, and who did or did not do any of that. There must be a single source of truth residing with the owner and/or investor. Along with this, there should be a review of insurance gaps, including general liability, property and casualty, and directors and officers (D&O) liability.
  2. Policy development: Develop a cybersecurity and vendor risk management (VRM) policy. It doesn’t have to be complex at first and can cover some basic best practices for passwords, backups, software updates, and internet exposure. This should also find its way into supplier contracts.
  3. Ongoing monitoring: This needs to be a proactive approach not only to internet exposure, but also to the configuration and backup of systems, as well as verifying contractor compliance. There are many things that can be done and they can evolve over time, but the important point is that it is an ongoing process.
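The three steps above translate directly into something an owner can run against a portfolio inventory: a single source of truth for each control system, a small written policy (passwords, backups, updates, internet exposure), and a recurring check that also catches contractors who still hold access after their contract has ended. The script below is an added example, not code from the article or from Intelligent Buildings LLC; the inventory records, field names, policy thresholds, building names and contractor entries are all constructed for illustration and are not any product’s schema.

```python
"""Portfolio-wide building-system inventory and policy checks (added example).

Everything below is constructed: the inventory fields are assumptions about
what an owner's single source of truth might record, and POLICY holds the kind
of basic thresholds a first cybersecurity/VRM policy could state.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class ContractorAccess:
    company: str
    technician: str
    method: str            # e.g. "cellular modem", "vpn", "on-site only"
    engagement_end: date   # date the service contract expires


@dataclass
class ControlSystem:
    building: str
    kind: str                       # HVAC, elevator, lighting, parking, meters, access control
    internet_exposed: bool          # reachable from the internet with no gateway/VPN in front
    default_credentials: bool       # vendor default login still in use
    last_backup: Optional[date]     # None = no known configuration backup
    last_update: Optional[date]     # None = no record of software/firmware updates
    contractors: List[ContractorAccess] = field(default_factory=list)


# Constructed policy: the "basic best practices" the article lists, as thresholds.
POLICY = {
    "max_backup_age_days": 90,
    "max_update_age_days": 365,
    "allow_direct_internet_exposure": False,
    "allow_default_credentials": False,
}

Finding = Tuple[str, str]  # (finding code, human-readable detail)


def assess_system(system: ControlSystem, policy: dict, today: date) -> List[Finding]:
    """Check one control system record against the policy and return its findings."""
    findings: List[Finding] = []
    if system.internet_exposed and not policy["allow_direct_internet_exposure"]:
        findings.append(("INTERNET_EXPOSED", "directly exposed to the internet (no gateway/VPN)"))
    if system.default_credentials and not policy["allow_default_credentials"]:
        findings.append(("DEFAULT_CREDS", "vendor default credentials still in use"))
    if system.last_backup is None:
        findings.append(("NO_BACKUP", "no known configuration backup"))
    elif (today - system.last_backup).days > policy["max_backup_age_days"]:
        findings.append(("STALE_BACKUP", f"backup older than {policy['max_backup_age_days']} days"))
    if system.last_update is None:
        findings.append(("NO_UPDATE", "no record of software/firmware updates"))
    elif (today - system.last_update).days > policy["max_update_age_days"]:
        findings.append(("STALE_UPDATE", f"last update older than {policy['max_update_age_days']} days"))
    # Contractor compliance: access that outlives the contract is a policy breach.
    for c in system.contractors:
        if c.engagement_end < today:
            findings.append(("STALE_CONTRACTOR_ACCESS",
                             f"{c.company} ({c.technician}) retains {c.method} access; "
                             f"contract ended {c.engagement_end.isoformat()}"))
    return findings


def assess_portfolio(inventory: List[ControlSystem], policy: dict,
                     today: date) -> Dict[str, Dict[str, List[Finding]]]:
    """Return {building: {system kind: [findings]}} for systems with at least one finding."""
    report: Dict[str, Dict[str, List[Finding]]] = {}
    for system in inventory:
        found = assess_system(system, policy, today)
        if found:
            report.setdefault(system.building, {})[system.kind] = found
    return report


def summarize(report: Dict[str, Dict[str, List[Finding]]]) -> Dict[str, int]:
    """Count findings by code across the portfolio (the board-level view)."""
    counts: Dict[str, int] = {}
    for systems in report.values():
        for findings in systems.values():
            for code, _ in findings:
                counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample inventory: three systems across two buildings.
TODAY = date(2023, 6, 1)
INVENTORY = [
    ControlSystem("Tower A", "HVAC", internet_exposed=True, default_credentials=True,
                  last_backup=None, last_update=date(2019, 3, 10),
                  contractors=[ContractorAccess("Acme Controls", "tech-17",
                                                "cellular modem", date(2022, 12, 31))]),
    ControlSystem("Tower A", "elevator", internet_exposed=False, default_credentials=False,
                  last_backup=date(2023, 5, 15), last_update=date(2023, 1, 20),
                  contractors=[ContractorAccess("Lift Co", "tech-02", "vpn", date(2024, 6, 30))]),
    ControlSystem("Plaza B", "lighting", internet_exposed=False, default_credentials=False,
                  last_backup=date(2023, 1, 1), last_update=date(2022, 2, 1)),
]

if __name__ == "__main__":
    result = assess_portfolio(INVENTORY, POLICY, TODAY)
    for building, systems in result.items():
        for kind, findings in systems.items():
            for code, detail in findings:
                print(f"{building:8} {kind:9} {code:24} {detail}")
    print("summary:", summarize(result))
```

Run on this sample, the HVAC system in Tower A produces five findings (internet exposure, default credentials, no backup, stale update, and a contractor whose access outlived the contract), the elevator produces none, and the lighting system in Plaza B has a stale backup and a stale update. The point of the per-code summary is that the same script run monthly across 600 systems gives the owner the trend line that makes monitoring an ongoing process rather than a one-time audit.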

It’s time for senior commercial real estate executives, boards, administrators and heads of government to recognize cybersecurity risk as a systemic, industry-wide issue whose vulnerability and fragility have been growing for four decades. The issue requires assessment and resolution at both the organizational and the property level. With real risks to security, financial impact and directors and officers liability, it can no longer be someone else’s problem downstream.

Tom Shircliff is a member of The Counselors of Real Estate and is the co-founder and director of Intelligent Buildings LLC, which offers portfolio-wide cybersecurity site assessments and ongoing managed services, including remote access security, system backup and policy audits.