FM’s modern risk: Cybersecurity in the era of the smart building

The drive to make office buildings smarter has made it easier to do everything from controlling the temperature to reserving a conference room with a few taps on a smartphone. But these efficiencies have increased cyber risks.

by Jason Lund — This article originally appeared in the May/June 2023 issue of FMJ


Property owners and facility managers must be aware that all smart buildings are innately vulnerable to cyberattacks. While information technology and telecom are well developed within the cybersecurity realm, the same cannot be said for much of the operational technology found in smart buildings.

Within a typical office building, there could be 20 independent networks vulnerable to hacking. On average, only five or six are highly secured.

Once a system is hacked, cybercriminals could manipulate heating, ventilation and air conditioning (HVAC) systems; infiltrate sprinkler systems; and exploit smart access technology, such as intelligent credentials and contactless building access. Data theft is another area of concern. Passwords and personal information can become compromised, leading to identity theft or theft of intellectual property. There is also the real possibility of a cyberthief holding the systems or data hostage until a ransom is paid.

The repercussions can last for years.

Key steps building owners and managers can take to bolster an asset’s cybersecurity profile include:

  • Building infrastructure such as internal routers, hardwired cables and closed-circuit IoT devices to secure the building automation systems (BAS),
  • Segregating the BAS and its subsystems on separate systems to reduce vulnerabilities,
  • Consulting with a cybersecurity company specializing in installing systems that make cyberattacks more challenging,
  • Investing in advanced identification and access management systems to flag vulnerabilities,
  • Securing the access chain by requiring anyone with access to the BAS systems – third-party vendors, remote security monitors or life safety systems technicians – to follow the asset’s internal cybersecurity measures,
  • Educating building tenants and property managers on what they can do to prevent cyberattacks, and
  • Understanding and monitoring any changes to the asset’s cybercrime insurance coverage.

Many building owners may be surprised to learn they are not sufficiently covered by insurance if a cyberattack were to occur. In addition, owners and FMs might have a limited understanding about the risk of information technology (IT) and operational technology (OT) threats, insurance coverage, and what accountability they bear if a cyber incident were to occur.

The unfortunate truth, however, is that blanket property insurance policies likely do not provide the necessary scale of coverage. As insurers have limited visibility into a building’s IT/OT infrastructure, they more often prefer to rely upon the expertise within their cyber underwriting teams to assess risks and provide coverage based on those findings. This has resulted in traditional property and casualty insurers removing cyber inclusion from their product lines.

These exclusions may not be widely known or understood until it is too late.

With cybersecurity coverage removed from blanket property insurance policies, FMs must explore cyber-specific coverage, a stand-alone marketplace that is rapidly growing and can be difficult to navigate.

As part of vetting what level of protection a property or campus holds, building owners should begin by asking basic policy questions, including:

  • What cyber coverage is currently included or excluded?
  • What is the appropriate level of coverage for each property in a portfolio?
  • Does the current policy provide coverage for in-building OT, as well as IT assets?
  • What is the expected downtime from a cyber event, covering both damage to the physical asset and the business interruption exposure (loss of rents and extra expenses)?

However, simply identifying coverage gaps and seeking to fill them is sometimes easier said than done.

The main challenge for securing standalone cyber insurance is that this type of policy is coming out of a hard market cycle — one marked by a rise in cyber claims that continues to develop in terms of frequency and severity. In this environment, insurers are forced to reevaluate their underwriting results and are keenly focused on identifying and evaluating the adequacy of individual cybersecurity profiles. This scrutiny can leave a buyer with insufficient coverage capacity, as well as rising premiums, if adequate cybersecurity protocols are not in place.

The good news is that insurance brokers with financial risk specialists have resources to better adapt to new threats and gauge the risk of exposure in advance of a market submission. To accomplish this, however, a property’s existing security posture must be carefully evaluated to see if it qualifies for more comprehensive cyber insurance.

Underwriters will evaluate several key security controls before being able to offer cybersecurity insurance policies that match appropriate levels of risk between the insurer and property owner. All systems must be vetted to ensure the property is appropriately secured to avoid painful issues down the road.

These controls include:

  • Multi-factor authentication (MFA)
  • Endpoint detection and response (EDR)
  • Patch management
  • Secure remote access
  • Incident response plans
  • Disaster recovery plans
  • Backups and email filtering
  • Properly architected user management and service accounts
  • Phishing and cyber awareness training for all employees

Properly securing a building begins with the right network platform to serve as a secure foundation. Taking a security-first approach to an in-building network helps cover all cybersecurity requirements, not just some of them. A modern approach to this problem is to adopt zero trust network access (ZTNA) models and solutions that not only help secure operations for IT/OT functions but also collect the management and reporting information needed to make sound security decisions. This solution must be adaptive and provide proactive security that meets the challenges of an ever-changing threat landscape.

It is also critically important to select an intelligent building management platform offering a single-screen view to gain visibility into all security systems, networks and endpoints. This ensures that the entire infrastructure is monitored from end to end, and the architecture provides the intelligence needed to manage and demonstrate compliance with government regulations for cyber insurance qualification purposes. Finally, understand that cybersecurity measures should be deployed and managed so that they do not impair the usability or manageability of IT/OT systems. The goal should be to integrate security tools and processes that are completely transparent from an end-user perspective, so that users and devices function efficiently on the network.

Smart building solutions for both IT and OT use cases help produce impactful economic and intrinsic value when cybersecurity is placed at the forefront. Not only does this line of thinking help prevent cyberattacks, but it also offers a better path toward rapid recovery.

According to a recent report from Cybersecurity Ventures, cybercrime is expected to account for a loss of US$10.5 trillion globally by 2025 — a staggering number. Having a cyber insurance policy in place will help lessen the impact that an attack or breach may have on the digital operations of building owners and operators. To achieve this goal, it is important to consult with an expert who understands the unique needs of commercial real estate and how to most effectively mitigate the risks that exist within building and campus digital infrastructures.

Jason Lund has served as the leader of technology infrastructure in the U.S. for JLL since 2021. With more than 30 years of experience in commercial real estate, Lund has held the position of executive managing director at a global commercial real estate firm and has been integral in international business development and launching national platforms for valuation advisory. After overseeing engineering, technology and environmental consulting groups, Lund focused on technology consulting for both national and international commercial real estate. He obtained the MAI designation from the Appraisal Institute and the MRICS designation from the Royal Institution of Chartered Surveyors and earned a bachelor’s degree in finance from the University of Southern California.

FMJ, the official magazine of the International Facility Management Association (IFMA), is written by and for workplace professionals and is published six times a year. FMJ is the only magazine that draws on the collective knowledge of IFMA’s global network of thought leaders to provide insights on current and upcoming FM trends. For more information on FMJ, visit www.ifma.org/publications/fmj-magazine.

Articles in FMJ are the exclusive property of IFMA and are subject to all applicable copyright provisions. To view abstracts and articles not shown here, subscribe or order individual issues at www.ifma.org/publications/fmj-magazine/subscribe. Direct questions on contributing, as well as on permission to reprint, reproduce or use FMJ materials, to Editor-in-Chief Bobby Vasquez at Bobby.Vasquez@ifma.org.

IFMA, founded in 1980, is the world’s largest and most widely recognized association for facility management professionals, supporting 24,000 members in more than 100 countries. IFMA advances collective knowledge, value and growth for Facility Management professionals. IFMA certifies professionals in facility management, conducts research, provides educational programs, content and resources, and produces World Workplace, the largest series of facility management conferences and expositions. To join and follow IFMA’s social media outlets online, visit the association’s LinkedIn, Facebook, YouTube and Twitter pages. For more information, visit www.ifma.org.