Building systems are becoming increasingly connected to the Internet through new technologies that help property managers better serve and protect their tenants. At the same time, while smarter components, from HVAC and lighting control systems to fire alarm and automated building management systems, create more functional assets, they also increase the chance of harming tenants. More connected buildings and shared networks create easier access for cyberattacks and privacy invasion, as unauthorized users anywhere in the world, at any time, could find gaps and abuse the Internet of Things (IoT), that is, physical objects connected to the Internet.
The era of IoT is well underway. Cisco estimates that there will be around 50 billion connected devices worldwide by 2020. Such innovation, specifically within building operations, cannot truly enhance customer service if it doesn’t also prioritize the security of both occupants and real estate providers.
Luciano Cedrone, vice-president of national security at Brookfield Properties, recently mediated the Property Management VIP Roundtable: Cybersecurity Vulnerabilities of Today’s Buildings, which took place at The Buildings Show in December 2016. He said property management companies can no longer take chances and hope for the best.
“Unfortunately, cybersecurity has been downplayed, undervalued, even kept at arm’s length; the perception has always been that it costs a lot of money, slows down services and puts obstacles in your way,” he added. “Only in recent years has a real understanding started to come into the industry in terms of the real cost of not properly protecting your systems.”
Speakers on the panel helped elaborate on these ramifications, from liability and financial damage to marring the reputation of a brand. The discussion also covered lesser-known areas related to cybersecurity and free strategies to mitigate cyber intrusions.
Cybersecurity Risks
A new Accenture security survey, “Building Confidence: Facing the Cybersecurity Conundrum,” indicates that overconfidence may be putting organizations at higher risk for attacks. Two-thirds of Canadians surveyed were confident in their ability to protect their enterprises, but findings show that in the past twelve months the average Canadian company has experienced three effective attacks per month.
While the financial services industry has been an early adopter of cybersecurity due diligence, the issue is still not taken as seriously within property management. Kevvie Fowler, partner and national cyber response leader at KPMG, has spent many years overseeing the execution of security strategies, assessments and compliance activities for finance sector organizations. He said sensitive information, such as financial data and customer information like personal health data, is all at risk.
This personal information can be duplicated and stolen, leading to issues like health fraud. In a country with universal health care, this type of fraud has been tagged as a high threat and could cause liability if the breach is traced back to a property management company. Fowler said there are certain sources related to cybersecurity that are not considered enough.
“The number one source for criminals looking to extort money from organizations is emails,” he said. “Cyber criminals are breaking into organizations and stealing gigs and gigs of email messages and running data analytics on it, identifying instances of sexism, discrimination, comments about senior staff or executives within the organization and sending messages with their findings, asking for a ransom.”
Secondly, physical security must also be in place. A primary way individuals are breaking through security is via drones: cell phones with Bluetooth technology can be attached to drones and flown to a top floor of an organization. Property managers might want to consider an anti-drone policy, something Fowler says should stipulate what tenants can and cannot do, and how an organization will respond to flying drones. The future of property management could see security extending to the airwaves, with cameras facing upwards to monitor drones, as opposed to just downwards to monitor a lobby or entrance.
Mobile applications are another problematic area. Apps that review invoices and contracts and make payments must be checked and vetted. The sensitive information associated with these apps must be identified and protected, with a predatory legislative contract in place in case of an intrusion.
Jim Trak, Vice President and Regional General Manager for Brookfield Property Partners, responsible for Brookfield Place and Bay Adelaide Centre, reports that Brookfield is now looking to separate building automated systems so that each building would have its own network, preventing the scenario of a hacker getting access to multiple properties. He also flags parking garages controlled by a third-party manager as vulnerable because they collect a lot of data, from credit cards to bank records.
Organizations can and have been dragged through the court system just because people were inconvenienced, even if there was no identity theft.
Three Free Strategies to Mitigate Cyber Intrusions
For better protection against cyberattacks, there are many common-sense strategies that organizations can implement without having to purchase products, said Joseph Lau, a manager in the Cyber Security Partnerships Branch at the Communications Security Establishment, the Canadian equivalent to the National Security Agency in the United States.
These include application whitelisting, which allows an organization to identify what programs should be running on its computers and helps prevent malicious software and unapproved programs from running. Another strategy is patching applications and operating system vulnerabilities. An organization should get its IT staff to roll out new patches and software updates. Unfortunately, Lau notices very old vulnerabilities still being used effectively, in some cases five years after the information about them was made public.
The third strategy is restricting administrative privileges on operating systems and applications to those who really need the access. IT staff should look into making critical systems not Internet-accessible, allowing connectivity only to certain users. Building a defendable environment is key and could include redesigning a network to make it more secure from the ground up.
In conclusion, Lau said strong cybersecurity requires a process of continuous improvement and should have three elements: strong IT security, strong operational technology security and strong physical security.
Compliance and Implications of Failure
Discussion naturally turned to compliance on the part of property management and the ramifications of a failure of due diligence. Brian Rosenbaum, national director of Legal & Research Practice at AON Risk Solutions, said the legal and regulatory community, along with governance, is just beginning to try and sort out what laws apply to the IoT. In what Rosenbaum calls “this borderless situation,” sensors, users and providers could be in different jurisdictions with different consumer protection, privacy and competition laws, and, as it stands, the country is moving at a “snail’s pace” in terms of what the law can offer on liability.
“As far as I’m aware, and I’ve looked into this very comprehensively, there is no overarching Internet of Things law in any country in the world,” he said. “So, you’re going to be looking at fragmented laws in different jurisdictions all over the place.”
If a building operating system is hacked into and functions are disabled, there is no telling where liability rests. In theory, he added, an IoT security breach could include a landlord or owner in Canada, the hacked device manufacturer in China, the sensor designer in Japan, the software programmer in Germany and the company that hosts the user data in the U.S., with a local Canadian service provider.
“Any and all of these parties could be directly or indirectly liable for that breach.”
Contracts
There is pressure on governments to regulate cybersecurity issues, but without any specific IoT law, it is difficult to determine where vulnerability lies and who is responsible. Rosenbaum noted that contracts currently determine much of that liability.
“In speaking with IT lawyers, in a lot of cases, companies haven’t properly addressed these exposures in their contracts with each other,” he said, adding that this poses a challenge for property managers who are often end users of these products and may not know how liability is allocated between these parties.
With respect to building automation systems, there could be a number of parties within the IoT supply chain that need to be vetted into the actual contract. Some may not be apparent because they are invisible in the whole process. Tenants should also understand what a property management company is responsible for versus what they are responsible for, and how compliance would occur in the wake of an incident.
Property managers should insist that suppliers of IoT keep in touch about security issues, updates and patches. As a best practice, carefully review contracts in the supply chain to determine where each party stands. End users should be asked if they have reviewed the contracts of the person who precedes them. Rosenbaum encourages managers to try and “unravel the contractual web.” If there is a liability issue, responsibility will be easier to determine, as a lawsuit could become very expensive with many parties involved.
Insurance
With regard to insurance, Brookfield’s Trak investigated what is available for cyberattacks and found that organizations don’t seem to be covered for anything. Claims could be made about business interruption, but there is no pre-set plan of what insurance looks like with respect to an attack.
“The insurance community is desperately trying to figure out how to cover this stuff,” noted Rosenbaum. “I can tell you, there are gaps in many of your commercial general liability and property policies. Even if you buy cyber policies, there are issues there. If you haven’t had a talk with insurance companies about specific coverage enhancements to deal with this stuff, you are likely not covered for any of it.”
Best Practices
- Educate yourself on potential security implications and consider conducting security risk assessments or threat impact assessments on a regular basis.
- Be proactive in reducing and mitigating risks by isolating building automated system devices from systems containing highly confidential or sensitive information. Move them off a public network.
- Vet developers and distributors to ensure they are building security into the design of their products.
- Get a commitment from developers and suppliers that you’ll be advised of security patches and updates that will be regularly available.
- Carefully review contracts in the supply chain to determine where each party stands. End users should be asked if they have reviewed the contracts of the person who precedes them.
- Ensure you have auditing and analytical tools to monitor for breaches and to know that vulnerabilities are patched in a timely manner.
- Conduct a privacy impact assessment and review products, policies and procedures to determine if updates are appropriate.