by Phil Mobley — Originally published in the March/April 2016 issue of BOMA Magazine—A few months ago, in an event that never made the news, hackers staged a cyberattack on a prominent office building in a major U.S. market. Their means of access was as easy as it was ironic—through the security camera system. Networked with each other over the Internet, the cameras also were connected to the building automation system. Once the hackers broke into the camera network, they simply followed the chain of connected systems until they gained control of the building owner’s online accounting platform.
Fortunately for the building owner, property management team and tenants, no damage was done and the breach never generated headlines. Furthermore, the building staff quickly identified the property’s weaknesses and put a plan in place to remediate them. This was because the hackers were friends, not foes. The cyberattack was carried out by Digital Boundary Group (DBG), an information technology (IT) security testing firm. DBG’s clients hire them to expose security gaps in their IT infrastructure, which the firm does through a variety of both high- and low-tech methods.
“We always start with the premise that if it is networked, it can be breached,” explains John Millar, president of DBG. “Any time anyone has access to any building technology from some other location, there is likely a way to breach the security.” This is a sobering thought for a commercial real estate industry that increasingly runs on interconnected software. Many building systems are now entirely web-based, and a rapidly growing number include mobile interfaces, leading directly to larger numbers of users from among the building staff and tenants.
Joseph Donovan is the Northern Virginia-based director of operational risk for real estate investment firm Beacon Capital Partners. He points out that any given commercial building may have several online solutions. When asked, he can quickly list nearly two dozen systems in Beacon’s office portfolio that routinely allow remote access over the Internet. Some are fairly obvious, such as accounting software, telecommunications backbones and maintenance request platforms. Others may not immediately come to mind: HVAC controls, energy monitors, digital signboards and pay-on-foot parking machines, for example. There is no discounting the increase in productivity these technologies provide. But with every new connection comes another potential entry point for nefarious parties.
CYBERSECURITY “MUST PRACTICES” FOR COMMERCIAL BUILDINGS
To better ensure a secure property, implement the following basic guidelines:
How they do it
The methods of cybercriminals are the stuff of Hollywood blockbusters. They range from the glitzy gadgets of Mission: Impossible to the classic personal scamming of Catch Me If You Can. “A couple of years ago, our company first noticed the trend of identity thieves using mobile devices to steal credit card numbers right out of people’s wallets,” says Alan Stein, vice president of Marketing and Product Development at AlliedBarton Security Services. He also has seen cyberattacks come in through spoofed emails with attached malware and on portable disk drives that activate spyware as soon as they are plugged into computers.
In many cases, though, the weak point is not so much digital technology as the protocol for using it. “As we continue to tie all these systems into the so-called ‘Internet of Things,’ we need to be cognizant of everyone who has access,” shares Stein. “It only takes one person with malicious intent to breach security.” DBG’s Millar agrees that getting past human security is a key step in much—if not most—cybercrime. Because of this, his firm always includes what he calls a “social engineering” component in its security tests. “In most places, if you look, act and talk like you belong, you can probably play the people and get through,” he claims. “This is true even in places like police headquarters.” The antidote is consistent enforcement of protocols at every access point, even when it feels unnecessary.
Asking the right questions is a good start to proper access control. Donovan provides a few for Beacon Capital’s property management teams. “For starters,” he asks, “who manages the process to grant access to building systems in the first place? Are maintenance workers visible on closed-circuit monitors while they work? Have software vendors provided documentation of their own security procedures to the building staff?” Donovan’s questions go beyond basic credentialing. “Accountability is very important,” he explains. “Are vendors required to notify building management when there is suspicious activity or a change in personnel?” If service contracts do not explicitly spell out answers to these questions, then Donovan insists that managers find them.
Cyberattacks can cost companies millions of dollars, and buildings often provide the easiest way in for hackers. The high-profile breach of discount retailer Target’s customer database started with unauthorized access of a building’s HVAC system. Protecting a building is not just a matter of customer service, but also liability. Government agencies, financial institutions and healthcare providers are just some examples of tenants that make for popular hacker targets. The more sensitive their line of work, the more likely tenants are to need assurances that the buildings they occupy are taking appropriate security measures.
Of course, this also applies in the other direction. For instance, criminals can try to get into a building’s systems via a tenant that offers free Wi-Fi to its customers. Interconnectivity means inherent risk. “We have been hired to try to gain access to a server room and see how far throughout a building we can go,” says Millar. “There is potential liability for the building owner, both upstream and downstream.”
The most sobering news is that not knowing the risks—or not asking the questions in the first place— is not turning out to be an effective defense against liability claims. Public places have been named in lawsuits over data breaches for failing to provide secure networks. “The recent Target and Sony cases have raised cybersecurity to the level of the CEO and the board,” Millar notes. “This issue needs to be on the table.”
And, confidential data isn’t the only potential target of a cyberattack—so, too, is the property itself. From a vulnerable access point, hackers can go so far as to surreptitiously change HVAC system settings, which can affect both tenant life safety and the functionality of sensitive high-tech equipment in a building.
Hardening the Target
If protecting a property’s information security and vital building systems in the face of such liability seems daunting, then property owners and managers should know there also is reason to take heart. According to Millar, the technical solutions are not necessarily expensive. In fact, they may already be in place. “In all likelihood, the necessary technology is already there,” he says. “If existing systems are hardened, security goes up significantly.” The term “hardened” may imply something out of an action movie, but when Millar uses it, he means something much more mundane. Hardening a system simply means using it as intended.
The work of hardening may not be glamorous, but it is necessary. Beacon Capital’s Donovan recommends performing a cybersecurity audit each year to help keep systems hardened. “An audit is an opportunity to document any updates to the digital security processes at a building,” he says. It also is a good time to measure compliance with existing protocols. For example, have maintenance and visitor logs been scrupulously maintained? Have the latest security patches been installed on critical software packages? Are users logging in with their own credentials every time? And, what about password security? Those strength requirements may be annoying, but they work. “People get frustrated, but a strong password—say, a phrase with spaces that’s easy to remember—takes almost forever to crack,” Millar says. “Weak passwords suggest that people are naïve, lazy or ignorant of the risks.” (For more on “hardening,” see Cybersecurity “Must Practices” for Commercial Buildings sidebar.)
Consistency is the key to a properly hardened target, and that includes both a building and its occupants. “Have a zero-tolerance policy on the use of non-approved, nonencrypted USB drives,” suggests AlliedBarton’s Stein. “And, make sure public Wi-Fi networks are password-protected. They are easy targets.” The minor inconvenience of this kind of vigilance is worth it. When basic building systems are used appropriately, all but the most sophisticated and motivated hackers are easily thwarted.
With such a wide variety of legitimate system users at a given commercial building, coordinating security efforts can seem incredibly complex. Here again, though, Millar points out that the basic principles of cooperation are already in place. “The lease probably identifies most of what has to happen,” he says. “It sets out who has access to what and lays out the terms of that access.”
In this sense, digital security is no different than physical security. Buildings have doors, tenants have keys or keycards and there are rules in place for using them. Using this simple analogy, building managers can set up checklists around building systems: Who owns this? What service providers use it? What tenants use it? What else does it connect to? Asking a few simplifying questions is a good way for managers and tenants to get on the same page.
Documenting and communicating security protocols also contribute to a larger culture of information security at a property. When people see security guards at building entrances, it communicates that physical security is important. Similarly, clear messaging about the importance of digital security helps foster compliance with stated policy. “We focus a lot on the culture of security,” Stein explains. When AlliedBarton learned of the identity theft threat posed by mobile devices, the company’s staff handed out protective sleeves to tenants in building lobbies. These devices defeated attempts to steal credit card information electronically; equally important, however, was the way this simple act reinforced a culture of prudence. “Our overriding mission is arming our customers and their stakeholders with information to protect themselves.”
Cyberthreats are getting more complex, but the essential rules of security are tried and true. As buildings engage more and more users with increasingly linked systems, the risks will only increase, requiring building owners and managers to lead the conversation on cybersecurity. But with a proactive mindset and a well-documented set of protocols, the industry is in a solid position to provide a strong digital defense.