No matter what business you are in, it is almost certainly conducted inside the four walls of commercial real estate: office, industrial, mixed-use, healthcare and so on. This means that, like it or not, you are exposed to significant operational interruption through the many digital systems required to keep a building occupiable. To make it worse, the contractors who manage (and mismanage) those systems do not work for you, and they sit several layers away from the risk manager, CIO or any other accountable role.
Those of us in the commercial real estate community know that it has a very different operating environment and culture from other industries, especially when it comes to "front of house" technology such as building systems (e.g., HVAC, elevators, lighting, parking, access control).
Most cybersecurity risk in building systems originates with the contractors who install and maintain them. Because the risk is so closely tied to those contractors, cybersecurity alone is not enough to secure buildings; the problem is better approached as vendor risk management (VRM). Gartner defines VRM as: "The process of ensuring that the use of service providers and suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance." This is a broader view than cybersecurity alone.
Why is VRM so important in real estate? One word: fragmentation. To state the obvious, the HVAC contractor does not manage the parking control system, the access control contractor does not manage the elevators or other conveyance systems, and so on. Additionally, a given contractor may or may not manage its systems across multiple buildings of a portfolio. Add geographic separation, joint ventures, term contracts and technician turnover, and it is hard to imagine how leadership can communicate and manage policy consistently across the portfolio, much less deploy technology solutions.
The other aspect of fragmentation is that the technicians generally do not work directly for the building owner or the major tenant, so it is unlike a typical organization where the CIO can dictate technology tools and practices to every employee. In a study we performed on a 100-building portfolio, we found more than 300 contractor service companies, 600 separate monitoring and control systems, 2,000 network connections, and over 3,000 technicians who can or do service those systems.
Yes, it is still important to deal with IT aspects such as the networking and Internet access that have been in our buildings since the 1980s, but even the strongest perimeter firewall will not stop ransomware that arrives by phishing. One of your technicians might click a malicious link in an email that compromises a building system that was never backed up, and you are then faced with a choice between paying a ransom in bitcoin and a total rebuild of the system. In another study we performed on 500 million square feet of commercial office space, we found that ransomware attacks were up 700% during 2020 and that contractor technicians were opening phishing emails at 7 times the rate of the general public. These results were staggering, and a big part of the problem is building owners, managers and major tenants failing to create and enforce policy for cybersecurity, system configuration, backup and other basic practices.
Having said all of that, it is important to understand what can go wrong. It is not simply a matter of being uncomfortable or inconvenienced; much more serious consequences have occurred and continue to occur, including network hopping (an attacker moving from a compromised building system into adjacent corporate networks), legal and regulatory issues, life safety events, major equipment replacement or rebuild, insurance gaps, and brand damage. Insurance has become a particularly thorny issue everywhere, but especially in real estate, where the answer from the largest carriers and aggregators was "probably litigation," since building-system incidents are not clearly covered by property and casualty (P&C), general liability (first party) or cyber riders. As of Q1 2022, we are not seeing cybersecurity for building systems specifically called out as excluded from P&C,
This raises the question of how to deal with VRM in such a fragmented industry. After 18 years in the smart building advisory business and more than 5,000 cybersecurity site assessments, we developed a managed services monitoring approach that addresses VRM in three critical areas:
- Networking and Remote Access Management: Building systems sit on local area networks and are routinely reachable from the Internet for vendor support. As a result, there needs to be proper server management and backup as well as "zero-trust" remote access management. Zero-trust remote access makes the systems invisible to the Internet (no inbound ports exposed) and only allows brokered one-to-one connections from an authenticated technician to a specific system, which also means a departing technician's access can be revoked without touching every building. Additionally, we determined that this solution had to be so simple that it could be "plug and play," including drop shipping with setup over a telephone call.
- Building System Backup and Configuration: While defending against hacking, we need to recognize that the building systems themselves are the "Alamo," the last line of defense, and must be properly configured and backed up. Even if there is a network breach, a system with proper password protection, updated software and disciplined credential management, along with a current backup that has been tested by actually restoring it, will carry far less risk of downtime or damage and can recover quickly by restoring the system.
- People Policy Management: Policy management includes communicating the policy to all technicians and staff, auditing compliance with it, and augmenting the audits with tailored phishing campaigns and automated training. The policy should be basic and quickly understandable, the audits should be fast and easy with a series of yes/no compliance questions, and the phishing messages should be tailored to the facility contractor industry segment.
We suggest an immediate inventory and assessment of your portfolio, which should serve as a catalyst for ongoing policy compliance and monitoring. We provocatively pose three introductory questions to any investor, owner or large user of real estate:
- Who is accountable for any cyber or contractor system mismanagement that causes operational interruption or financial consequences?
- Are there any cybersecurity policies or requirements communicated and managed by asset or property managers?
- Has anyone reviewed insurance policies for gaps relating to cybersecurity issues in our building systems (HVAC, elevator, lighting, parking, access control etc.)?
You can learn more at www.buildingcybersecurity.com and see a comprehensive video outlining the issues that create risk and some of the consequences including insurance gaps, downtime, equipment replacement, network hopping and brand damage.

