Through a combination of Building Automation Systems (BAS), variable frequency drives, automated HVAC systems, lighting controls, and so many other technologies, smart buildings have enabled more control and opportunities for optimization to building owners, operators and managers than ever before. Smart buildings enable incredible potential, but also allow for unprecedented access to building systems. With these incredibly interconnected systems in place, cybersecurity is more important than ever. A great way to protect your properties from unwanted intrusion and cyber criminals is cyber hygiene.
When you wash your hands, you practice good hygiene and protect yourself from germs and bacteria. Cyber hygiene is about checking the access points that may normally be overlooked. Have you changed the passwords of your BAS from the default? This is one of the easiest aspects of cybersecurity to enforce, and one that is often overlooked.
Cyber hygiene is the process of monitoring and controlling access to devices, systems, and networks. Essentially, it’s about controlling and tracking who has access to your systems and devices through access management tools.
“Attend to the basics, such as an awareness of the threats, and changing default passwords. Cyber hygiene for CRE professionals really revolves around being aware that there are certain threats in the industry.” Explains Michael MacMahon, Senior Association with Newcomb & Boyd. “A lot of it has to do with social engineering and those are the types of cybersecurity threats people are starting to be aware of, such as phishing.”
Phishing can often be seen in emails sent from addresses that appear to be correct, or even email address that have been compromised through successful phishing attempts. These emails will typically ask the recipient to do something, such as clicking on a link or downloading a file, or even going to a local store to retrieve gift cards to transfer to another party. There is typically some sort of haste in these requests, but all of them are attempts to infiltrate, gain access, or defraud you of something, be it information, access, or even money.
“As commercial real estate grows, and data becomes more important, systems that were not originally computerized, such as HVAC, lighting control, etc. are being computerized. They have been that way for a little while, but it was primarily maintained in command and control.” MacMahon explains.
“CRE professionals are seeing the value of trending data from [these systems], and you’ll have more and more interaction between computerized systems, increasing the threat of cyber-attacks on those systems.”
More often than not, building automation systems are connected to the internet so that building maintenance professionals and owners can access and monitor them from anywhere. This access enables further efficiencies to be built, such as allowing mobile and remote maintenance of properties, but it also gives an avenue for cyber criminals to attack.
Cyber Hygiene is not just about protecting the security of your networks and devices, but also the privacy of your users: how they access the systems and how they use them. It’s about controlling what data your users can access and how they use it. But what can happen when you cyber security is lax?
MacMahon explains this risk. “A lot of time, default passwords go unchanged. If [someone] knows what kind of system you use, they can quickly find the default password and access your system. An HVAC system with VFDs can be accessed and the speed of them can be fluctuated up and down until they self-destruct.”
Burning out an HVAC’s VFDs would render it both inoperable and would force a costly repair or replacement. During the downtime, tenants would be severely affected and forced to vacate the property if it is too hot or cold inside. Property managers and maintenance professionals would have to quickly solve these issues, taking important time away from other tasks around the property. All this could come from poor cyber hygiene, and by leaving default passwords in place.
Cyber Hygiene needs to be a core part of any organization’s operations. It is not an add-on to your current security program, but an integral component.
“There are many drivers to adopt and create cybersecurity programs in operations.” Says MacMahon. “From global portfolios down to single buildings, the technology going into these buildings is being driven by ESG, by environmental and sustainability goals. There are a lot of stipulations around the development that that require investments into technology to attain these goals, and those technologies open up more cyber risk.”
Basic cyber hygiene is easiest to implement from the start, but can be corrected later as well, and failure to provide it can have dire consequences. Creating a strong cyber hygiene program is a great and low-cost way to protect your property from some of the most basic and easiest to attempt cyberattacks. Default passwords leave you vulnerable, and a good first step is to catalogue all the avenues of entry. Find all the users on each connected device, from your VFDs down to your lights, and find out when they have accessed these systems, and from where. Disable any users who no longer need access and change any compromised passwords and accounts. And make sure to change any default passwords that still exist.
From there, you can develop and update your cyber hygiene program regularly. Numerous third-party organizations exist to assist with the development of this program, and those organizations can review and evaluate your systems to let you know the risks your property may face. A good cyber hygiene program can lower the risk of intrusion provide clear policies to protect information and access and decrease possible avenue of attack on your network.
The rise of the Internet of Things, and the increasing adoption of automation, has provided opportunities for both risk mitigation and cost savings that were simply not possible before. But with those opportunities come new challenges.
Social engineering, phishing attacks, and default passwords all put IoT connected devices at risk. Good Cyber Hygiene program can decrease the risk of intrusion on your network. This is why it’s so important to implement a Cyber Hygiene program. With a solid Cyber Hygiene program in place, your organization can protect its assets and reduce the likelihood of experiencing a security incident.
To stay up to date on news and resources such as this and other topics of importance to the real estate industry, subscribe to the free CRE Insight Journal Newsletter using this link.