Cyber Security for Smart Real Estate: Getting Ahead of the Hackers

A serious cyber attack could cause major physical, financial, and reputational damage to smart properties – let’s implement cyber security for smart real estate before it’s too late.

Blackpoint Cyber spent three days last week promoting cyber security at the Institute of Real Estate Management (IREM) Global Summit in San Francisco. With over a thousand attendees, the conference covers all aspects of real estate management, from digital transformation to financial planning to community management and more. Blackpoint attended the conference specifically to talk to the IREM community about the growing need for cyber security for smart real estate.

Why is Cyber Security for Smart Real Estate so Crucial?

Traditionally, when people think of commercial property infrastructure, they do not think networking, firewalls, routers, switches, and servers. Instead, they think plumbing, electricity, and HVAC. Today, however, most commercial properties employ one, if not many, IT-based management systems. These systems might control heating and cooling, lightning, camera surveillance, access control, fire suppression, tenant management, etc. These management systems control important or critical components that allow the property to function properly and ensure tenant satisfaction, safety, and productivity. 

While these digital systems provide numerous benefits, they also expose the real estate industry to many of the same risks found in traditional IT networks. These risks include system vulnerabilities, bad network segmentation, outdated software, poor password policies, misunderstanding of technology, risky user behavior, etc.

Hackers in particular will attack smart real estate with the same types of attacks effectively used against organizations running traditional IT, including: ransomware (software that holds files or systems ransom until the victim pays the hacker), malware (malicious software that may be used to steal data or take control of systems), and wiper ware (attacks that destroy or degrade equipment often requiring complete re-purchase and installation).

IoT malware attacks jumped 215.7% to 32.7 million in 2018

https://securityboulevard.com/2019/09/20-surprising-iot-statistics-you-dont-already-know/

The number of these systems continues to grow as buildings are renovated, infrastructure is updated, and digital transformation continues. In addition, developers across the world are building new “smart” properties and cities where much of the traditional physical infrastructure and systems utilize IT networks and technology, especially in environmentally friendly designs.  

Unfortunately, most real estate professionals are not focusing on identifying, monitoring, and protecting their portfolios from a serious cyber attack. Many do not understand the attack surface their properties expose, why a cyber criminal would target their property, and how difficult or challenging it would be to recover from an attack. Sadly, it is only a matter of time before cyber criminals capitalize on the situation. 

Why Would Hackers Target the Real Estate Industry?

  • Hacker motivations vary greatly. Some cyberattacks are carried out for financial reasons while others are motivated by political, national, or belief-based reasons. Environmental hacktivists may target buildings engaged in fossil-fuel operations (not just factories, but corporate headquarters as well), while nation states may target buildings that house key government functions such as command centers, decision makers, and engineers/scientists. Medical facilities are a desirable target for those seeking financial gains as human safety is a top tenant priority and the medical industry is known to have cyber insurance and high revenue (which increases the likelihood of a quick ransom payout). 
  • Numerous attack surfaces. Unlike traditional IT infrastructures, real estate IT infrastructure exposes a larger attack surface, or all the ways by which an unauthorized user can enter the environment. This attack surface in real estate includes Internet-of-Things (IoT) devices, operational technology (OT) systems, building management systems (BMS), traditional IT assets, mobile devices, IP-connected sensors, surveillance equipment, access control panels, third-party vendors, maintenance companies, and building staff themselves (who may have limited IT security hygiene). 
  • Real estate is an easy target. Traditional IT communities have had to deal with cybercrime and attacks for decades. Those communities have learned first-hand the risks and dangers of an effective cyberattack. They spend billions of dollars a year on prevention, detection, and response capabilities and have teams and budgets dedicated exclusively to IT. For example, resources are often allocated to train staff in proper IT system use, how to help keep their accounts secure, and how to identify suspicious activity or threats. When this environment is compared to real estate management, it becomes evident that the real estate industry is ill-prepared for attacks. Many real estate properties continue to rely on outdated and vulnerable computer servers to run critical infrastructure. Most of these systems do not have adequate, up-to-date endpoint protection software or any meaningful backup. Most buildings have no cyber incident response plan or governing structure. Most on-site building technicians do not have extensive cyber security training or education. Offsite technicians are usually not as familiar with the onsite technology as the local staff and may be limited in their capability to remotely help. Third party vendors have a different set of priorities and often themselves lack good IT security hygiene. Finally, few properties have any means to detect let alone respond to a real-time cyber attack. 
Smart buildings are becoming more connected to the outside world as well as to each other. With no cyber security for smart real estate, hackers have a big opportunity for attack.

Steps to Securing Your Smart Properties Effectively

1. Assessing Your Maturity

Many organizations search for solutions before they fully understand the issue. The first step in understanding the susceptibility of a real estate portfolio to a cyberattack is to identify the current cyber security maturity of each property. To aid organizations, Blackpoint has developed a Real Estate Cyber Security Maturity Model. Like most maturity models, the intent is not to create a one-side-fits-all model that handles every situation. Instead, the model’s purpose is to help real estate professionals estimate their cyber security poster and then measure improvements.

To aid organizations, Blackpoint has developed a Real Estate Cyber Security Maturity Model. Like most maturity models, the intent is not to create a one-side-fits-all model that handles every situation. Instead, the model's purpose is to help real estate professionals estimate their cyber security poster and then measure improvements.
Blackpoint Cyber Security Maturity Model

The five tiers are:

TIER 1

  • No firewall
  • No endpoint security technology
  • No onsite or remote backup
  • No incident response plan
  • No or poor network segmentation
  • No vulnerability awareness

TIER 2

  • Basic firewall
  • Outdated or basic endpoint security technology
  • No onsite or remote backup
  • No incident response plan
  • No or limited network segmentation
  • No vulnerability awareness

TIER 3

  • Basic or next-gen firewall
  • Updated endpoint security technology
  • No onsite or remote backup
  • No or basic incident response plan
  • Basic network segmentation
  • Limited vulnerability awareness

TIER 4

  • Next-gen firewall
  • Updated next-gen endpoint security technology with ransomware protection
  • At least onsite backup
  • Basic incident response plan
  • Basic or advanced network segmentation
  • Vulnerability awareness

TIER 5

  • Next-gen firewall
  • Updated next-gen endpoint security technology with ransomware protection
  • Onsite and remote backup
  • Incident response plan
  • Advanced network segmentation
  • Vulnerability management
  • Advanced threat detection (remote vendor access, network, endpoint, hacker tradecraft)
  • Intrusion Detection System (IDS)
  • 24/7 monitoring and response
  • Employee awareness and training

2. Identifying a Plan of Action

Once the cyber security maturity of a real estate portfolio is determined, real estate management can take simple, yet effective, steps to increase their maturity or sustain their high tier. Many of the strategies and technologies applied in traditional IT adapt well to commercial real estate IT infrastructure. This reduces the burden of research, proof-of-concepts, and expensive product testing. Furthermore, most real estate properties have a limited number of staff and well-defined network and user behavior which makes it easy to engineer and then monitor for unexpected behavior. Real estate management organizations with a large portfolio can use buying power to reduce the cost of securing individual properties. Cyber security for most real estate properties does not require exorbitant costs or human resources.

3. Implementing Advanced Capability Rapidly

Blackpoint recognizes that many real estate organizations are not cyber security experts, and we understand the complex, challenging, and cost-competitive nature of commercial real estate and management. To provide an effective solution to the industry’s challenges, we spent months developing the first comprehensive cyber security offering for real estate. To quickly move companies from Tier 1, 2, 3, and event 4 up to Tier 5, Blackpoint combines state-of-the-art technology and world-class service into a comprehensive solution that addresses many of the aspects listed in the maturity model. As a result, Blackpoint reduces a property’s attack surface, increases a property’s cybersecurity defenses, and provides properties with advanced threat detection and response capabilities including 24/7 monitoring. Most importantly, Blackpoint provides this solution very cost-effectively, using a pricing model based on real estate industry standards.

Learning from the Past

Real estate property managers and asset owners spend thousands of dollars a year protecting their investments from physical, financial, and reputational risks. Unfortunately, a serious cyberattack can cause damage across all these areas, including the potential for human loss of life. Unfortunately, the real estate industry spends significantly less than many other industries on cyber security.  

The real estate industry has a unique opportunity. It can leverage many of the tough lessons that the traditional IT community learned the hard way when it comes to cyber security and implement cyber security for smart real estate before its too late. It can begin implementing best-practice security techniques, technologies, and services before hackers aggressively target the domain. The industry can include security as a core component of its digital transformation, updating old infrastructure and designing security into new infrastructure; it can be proactive and get ahead of the inevitable wave of cyberattacks. Or, it can squander the decades of lessons learned and find itself in a reactionary stance and fighting to recover from attacks by cybercriminals.

BlackPoint Cyber

Add comment