Breaking Down Building System Threats and Cybersecurity for CRE: Connectivity Lost to Over 100 Buildings

March 21, 2022 | By: Fred Gordy, Intelligent Buildings, LLC

Building cybersecurity is a major issue affecting thousands of commercial properties. Understanding the importance of cybersecurity is integral to preparing for cyber-attacks, and these examples give an idea of the consequences a cyber-attack can have. In this article, Fred Gordy, Director of Cybersecurity with Intelligent Buildings LLC, gives real-world examples of incidents that his company has experienced. These stories are based on actual events with modifications to mask the identity of those affected.

Event Type: No Policy/Lack of IT Understanding

A company embarked on a nationwide initiative to aggressively improve the cybersecurity of all its facilities. Information Technology (IT) began the process and spent two years and several million dollars trying to understand how systems were set up; what systems were and were not connected; whether there were any policies and procedures in place; who was responsible for what; how to manage systems; and how to inventory all the devices in all the facilities. IT learned the basics of managing users but not the full extent or implications of doing so.

In general, the organization did not have internal resources with a broad understanding of the various systems and what it took to manage them. However, in one region, there was an employee who was the go-to guy. This individual was responsible for the most significant number of sites. He had been instrumental in creating a regional system that centralized command and control of over 200 sites. This employee was given free rein to implement and change as he saw fit to create a unified and standardized system across all the sites within his realm of responsibility. His work appeared to be a model that all other regions could follow. However, due to the trust and control he was given, the organization did not exercise oversight of this individual. The work this individual did was not documented, nor were the details of how the systems were configured.

This individual had to be let go. IT was notified, as is policy, to remove the employee's access to all systems. As mentioned earlier, IT had learned the basics of account management for control system devices. Still, IT did not understand the implications of removing a user without first understanding the roles and underlying functions that the user account influenced.

Unexpected Consequences

IT began removing his user profile from the controllers and the application server. Unbeknownst to anyone, his user was also the user that created the machine-to-machine connection between the controllers and the application server for command and control. Before anyone was aware, over 100 sites lost communication to the central application server. No one knew this employee’s password, and for very valid legal reasons, the employee could not be contacted. Simply putting another user in his place would not fix the issue.

What was required was to work with the manufacturer of the controller to recover communication between the application server and the hundreds of controllers affected. There were hundreds because each site could have anywhere from one to 20 controllers. This meant there were easily over 500 controllers that needed to be “touched.”

The manufacturer was able to reestablish communication to all the controllers after 6,000 man-hours of work. This did not include the hours of work required by facility staff to manually control the 100-plus sites until centralized control was restored. This number has yet to be determined but could easily be in the thousands of hours.

Building cybersecurity is a “real thing,” and a serious issue for many properties. A lack of proper policy or IT understanding of these issues can cause enormous problems. Understanding the specific issues that commercial real estate faces in cybersecurity can help protect properties and make sure devices are properly maintained and implemented. Join me next week as I conclude this series and discuss the effects a single scan can have and what a compromised printer can do.

 
