Colonial Pipeline. JBS. CNA Financial Corp. Kaseya. The Houston Rockets.
What do these five organizations have in common? All of them—along with hundreds of other large- and small-scale companies in the U.S. and abroad—have been the target of ransomware attacks. Overnight, networks were locked down or sensitive data was stolen, and in most cases, operations either ceased completely or were severely hampered.
As a commercial facility executive, if you think your organization is immune, too small or unlikely to be targeted, read on.
The Threat Is Real
A security firm that tracks data breaches estimated that there were nearly 65,000 successful ransomware attacks in 2020, according to an Intelligencer article. Additionally, Homeland Security Secretary Alejandro Mayorkas said at the time of the Colonial Pipeline attack that nearly $350 million in ransom payments were made to hackers last year.
While the headlines are alarming, what’s noteworthy isn’t simply the number of attacks but the visibility of critical infrastructure and markets that have been impacted, said Mike Garcia, chief security officer for Red Trident, which provides IT services specializing in cyber security and automation for Industrial Control Systems (ICS) and critical infrastructure.
“In some cases, those are targeted attacks and in some cases they’re not,” he observed. “But what that tells me is that the threat actors are becoming more bold in terms of who they’re attacking and who they’re impacting.”
The threats commercial real estate businesses face might be similar to other industries, but the aftereffects of an attack can be unique in some ways, according to Scott Hellberg, director of information security governance, risk and compliance at Sentry Insurance. One cyberattack could risk tenant data, their business’s data and even the physical safety of those reliant on the property, he explained.
“Each of these serve as a reminder to building owners and facility managers that if your property or tenants depend on technology in any fashion, their business is vulnerable to cyber breaches,” Hellberg said. “Recent cyberattacks underscore one crucial message—the need for better, more proactive cybersecurity measures.”
Tareq Ayub, CTO at Cloud5 Communications, pointed out that the commercial real estate industry is particularly appealing to hackers because of the nature of the information transmitted or stored; sensitive resident information like social security numbers, credit cards and bank accounts are key data points stolen in cyberattacks.
“This risk therefore isn’t just relative to general building or portfolio information but can expose commercial real estate firms and owners to increased liability in the event that sensitive resident information is stolen,” he said.
Smart buildings, for example, connect IoT systems like environmental controls, security cameras and facility management solutions to a building’s Wi-Fi or network. However, the nature of enhanced connectivity provides opportunities for cyberattacks that would have previously been hidden, Ayub explained.
“If a hacker discovers a weakness in the environmental control system, he can then route himself through a series of intelligent physical access control systems (PACs) and deliver AI-driven hacks to channels that are inaccessible from outside the system,” he said. “This is becoming a popular method of data hacking, and it is a massive security issue.”
As a result, many facility executives are now shifting to a protection mindset focusing on ransomware, which is important, but their focus must be broader, according to Garcia.
“When we think about impacts and potential attack vectors in the future towards the commercial building space, ransomware is obviously one area to be concerned about, but so is attacks targeting building automation controls for those environments,” he said. “It can’t be a one-layer approach. There has to be a defense in depth towards protection.”
Assessing Your Exposure
Some facility executives may feel their organization or portfolio is too small or insignificant to be targeted. They would be wrong, however.
“Cyberattacks are becoming less of an ‘if’ and more of a ‘when’ as businesses of all sizes connect more of their services, equipment and operations online,” Hellberg said. In fact, small- to mid-sized companies make up a large portion of businesses targeted by cyberthreats, he pointed out. “If your business has data, money or technology, it’s at risk of a cyber threat.”
As a result, Garcia said it’s crucial to get an accurate picture of an organization’s level of exposure to the outside world, whether it’s done internally or externally by bringing in a third-party security expert. This is the first step toward closing the doors to the outside, he said, because “the perimeter is obviously what an attacker can see right off the cuff. A lot of these quote-unquote low hanging fruit that they’re able to identify vulnerabilities on are based on what they can see from the Internet running simple queries or writing really small scripts that can enumerate or gather that information,” he explained. “If your front door isn’t open, that just reduces the likelihood [of an attack]. It doesn’t eliminate it, but it definitely reduces it.”
“The reality is building automation systems weren’t designed to be secure,” said Emmett Moore, CEO of Red Trident. “So, anybody that thinks their elevators and building automation systems inside their environment are highly secure, and it’s more than 10 years old, I can guarantee it wasn’t designed to be secure.”
[Related: Top 10 Considerations for Assessing Cybersecurity Risks (GSX+ 2020)]
Moore explained how, over time, engineers and technicians realized they could achieve operational efficiencies by integrating their elevator and HVAC control systems so they can be managed remotely. The problem, he said, isn’t the efficiency but the lack of security in the design of these systems.
“The bad guys started to take advantage of those connections and saying, ‘Hey, I can piggyback on that too. Let me look at this controller, that system,’” and gain access to a building’s operational systems., Moore said.
If you suspect exposure, Hellberg said the first step is understanding how to identify gaps in your security system.
“Look for areas where your business collects and stores employee, employer and customer information. Then evaluate which technology platforms might compromise your network or information if they’re breached. Look at areas such as commercial building systems, employee mobile devices and the technology your tenants rely on,” he suggested.
He also recommended asking a series of critical questions, such as: Have you established standards among employees and vendors who use your property? Who is responsible for your property’s cyber security? Do you have a data disposal timeline and policy?
“Each of these questions and more will tell you where to look for gaps,” Hellberg said. “By knowing where to look, your commercial building team can take steps to bridge any gaps that exist.”
Protecting Your Assets
“Cybersecurity is not a one-time investment, but an ongoing process,” Ayub noted. He said every building owner needs to do a periodic assessment of their scatter systems to evaluate their degree of connectivity, the data that is going in and out of those systems, and who has access to that data.
He also suggested that building owners should also develop a security program that includes routine training and the updating of response protocols.
Garcia agrees. “People are always considered the weakest point in a security chain or in a security program, and there’s a reason for that,” he said, noting that phishing campaigns and targeted ransomware attacks can often be traced back to a malicious email received and opened within an organization. “So, training and education are huge,” Garcia said.
Hellberg said facility executives need to take a layered, year-round approach to security. “This means ensuring your sensitive data and devices are backed up, encrypted and have strong authorization protocols. Once you secure your technology, focus on education and awareness, which can decrease the odds of a hacker succeeding,” he added.
He also recommends considering cyber liability insurance as part of an organization’s strategy, which can help provide financial support if a business faces cyber extortion or extended downtime. “Depending on your coverage, your policy may also help with first-party data re-creation, public relations expenses and legal costs,” he said.
Hellberg outlined six key steps in the defense against cyber threats:
- Assess your vulnerability risk to a cyberattack
- Identify and protect sensitive business and personal information
- Establish a secure backup system
- Monitor for and have a plan to react to security incidents
- Provide security training
- Consider obtaining cyber insurance
At the end of the day, Moore reiterated that every organization is vulnerable and that no amount of spending is ultimately going to reduce the risk of a cyber or ransomware attack to zero. However, he concluded by saying, “The better you understand the environment, the more you can have an impact defensively—so, proactively and also reactively. If you do get attacked, at least you understand how to mitigate it, or start that containment in your environment where you can start responding and getting back operations, if you can.”
Read next: AI Concepts for Security (GSX+ 2020)