Owners and property managers are vulnerable to cyber risk stemming from operational technology (OT) systems, according to panelists participating in a webinar presented in July called “Cybersecurity in the News: What It Means for Commercial Real Estate.” The webinar accompanied the release of a report from cybersecurity firm Kaspersky.
Although the media have widely covered ransomware attacks related to IT, smart buildings are also at risk for OT attacks. An OT system is any system that tenants touch or that functions to make them comfortable or uncomfortable, says panelist John M. Hester, owner of Hester Consulting LLC and a specialist in energy management and smart building applications. That includes “air-conditioning, mechanical systems, water supply systems, and lighting control. Even soft services related to food or cleaning systems are part of OT.” An interruption to any of these areas can create a major problem for a building owner or a property manager.
In one instance, a 30-story building had to be evacuated after a message came through a building occupant’s printer saying a bomb was in the building, says panelist Fred Gordy, who develops and implements secure control systems. “The message came through an OT system—a parking system. I pointed out to the building owner that even though [the attack] came through the parking system—a third-party contractor—the owner’s name was on the building.” That exposed the owner to a brand image problem.
Other OT systems include access control, metering, and security cameras, says panelist Tom Shircliff, co-founder and principal of Intelligent Buildings. “Fire suppression systems that can be activated through a cybercommand can be prematurely released and cause all kinds of property damage.”
Contractors Complicate Security
These problems are complicated by the fact that so many contractors work in a commercial building, Hester adds. “You have not only the systems themselves but also the people who come and work on the building and penetrate those OT systems. Building owners have to manage the exposure their system has on a day-by-day basis, and the way to do that is to acknowledge the number of people coming in and make sure they’re doing the right thing.”
The government and private sector have made efforts to develop OT standards, but the standards haven’t been widely adopted and aren’t widely known, says panelist Lucian Niemeyer, chairman and CEO of Building Cyber Security, a nonprofit organization advancing physical security and safety. Internal protections “should start with the chief information officer asking, ‘What do you have on the network? What has been installed that I’m not aware of?’” The goal is to combine that information and put it in a framework “where you get the IT and OT people communicating and then collaborating on how much protection there needs to be.”
Convincing CEOs and CFOs to invest in cyber protection, including OT, can be challenging, Niemeyer says. “It’s hard to balance investments in cyber protections against investments to grow revenue or enhance the brand.” One option is to develop a viable framework and partner with insurance companies so that organizations that invest in the framework could get lower rates for their cybersecurity, property, and casualty insurance.
“OT has the potential to change our life for the better,” Niemeyer says. “We want users to have protections in place to make sure those smart technologies are not in any way exploited.”