
Cybersecurity – A survey of needs and examples.

By PAUL BERGERON

The online hacking attempt in February 2021 to poison the water supply of Oldsmar, Fla., highlighted the risks to internet-connected operational technology. And December 2020’s penetration of cybersecurity defense firm FireEye by nation-state actors clearly puts more tools in the hands of hackers, and decreases the ability to defensively respond.

Lucian Niemeyer, Chairman and CEO of non-profit BuildingSecurity.org, spoke to the Multifamily Innovation Conference – Atlanta (MICA) and provided an overview of the threats of operational technology as well as what can be done to de-risk the convenience these connected technologies deliver. Fortunately, it’s not all risks - there are mitigations that a company can put in place.

Many operators are searching for answers when it comes to a response plan for a ransomware attack on smart elevators, connected HVAC or connected garage doors.

Session moderator Steve Lefkovits of Joshua Tree Media estimated that just 15% of multifamily operators have their arms around this topic. “That systems many of us aren’t paying attention to can be hacked is chilling,” Lefkovits said.

As Assistant Secretary of Defense for Energy, Installations and Environment (2017-2019), Niemeyer may have had one of the biggest real estate asset management portfolios in the world – 28 million acres, 500 installations and 500,000 buildings. He graduated from that position to a role as a cybersecurity advisor to the Secretary of Defense focusing on real-world operational energy and cybersecurity resilience policy development.

BuildingSecurity.org represents a collaboration of experts from 300 technology, insurance, bonding, investor and property management companies with a common goal to find solutions. Health care, transportation, automated robotics and utilities – along with 5G and machine learning – are among its areas of concentration. It’s looking to add more companies in these areas to help with the cause.

His group is part of the PropTech solution industry and wants to be a part of the amazing prospects there are for the future; it does not exist to suppress those innovators. “This is opening markets for innovation within the smart-home technology to help with this,” Niemeyer said.

‘What Do I Do?’

The recent SolarWinds hack showed the level at which the crisis currently sits. The more technology dependent and smarter the building, the greater the chance of that system being hacked, Niemeyer said.

“If your PC is hacked, it’s hard enough to deal with it on a personal basis. Imagine if the hack is building-wide? What do you do first when you receive a ransom note? Owners and managers have to ask: What is the impact to my residents? What does this do to the value of the asset? Do I go public with the information? Who do I call? What do I do?”

“You can contact the police, but they don’t know what to do,” Niemeyer said. “It’s hard to get the FBI on the phone. You’d hope to have the silver bullet, but there is no silver bullet.”

He said the world no longer is just dealing with nation states doing the hacking, but with cyber criminals. Hacks could be done on entrances to gated communities, lighting, thermostats, fire alarms, sprinkler systems and energy management systems. “This all opens things up to additional vectors for attack,” he said.

Gartner has examined insurance claims to measure the economic impact of cybersecurity. It suggests that 75% of CEOs will be held liable for such intrusions by 2024.

Unfortunately, Niemeyer said there is no national framework that real estate operators or property renovators can use to prevent or respond to hacking. “There’s nothing the industry can rally around,” he said.

“[Our group is] looking at the various standards that exist – whether created by the government or private industry – and translating them for the benefit of today’s operators,” he said.

“You should be using these standards now, not later. If you wait, it’s too late because the hack has already happened.”

Niemeyer said he would like to see certification of a national framework developed, whereby an operator who has it would receive a favorable insurance policy if they adopt the safety standards ahead of time.

“Our goal is to see how quickly we can get these owners rewarded for the steps that they take,” he said.

Caution: Disgruntled Residents or Employees

In its efforts, BuildingSecurity.org brought in red teams and blue teams and had them try to “get in” and seize an elevator, a boiler or other apartment community systems. Niemeyer said he’s going to see operational technology hacked at the lowest levels – by disgruntled residents or employees.

“I’m worried about the guys who are bored with just hacking into one laptop one time to seize data,” Niemeyer said. “They are the ones who might want to do things that threaten lives, like breaking into water lines or utility grids or worse. What about the disgruntled resident who decides he wants to try to break into the apartment community’s system? There is a bigger payoff when you start threatening lives and people.

“We rely on common software applications, so there’s not a data anomaly to look at for your cameras or elevators,” he said. “With apartment buildings, we need to map into the building systems through the access that so many people have. There’s been stories [where nefarious characters] gained access to look at hallways, etc., it can get pretty dangerous pretty quickly.”

When things such as water, locks, cameras or other utilities are controlled remotely, there’s greater chance they could be hacked, Niemeyer said. It will take years of litigation to determine who’s responsible for that. For example, water sprinklers could be set off, which results in damage, which results in higher insurance premiums.

Today, cybersecurity policies “are the wild, wild west for insurance companies,” Niemeyer said.

Property & Casualty coverage is the most important aspect for owners here, he said. “We want something that protects occupants and owners without having premiums that go through the ceiling.”

On the other hand, “Ransomware attacks are exploding,” he said. “The underwriters are trying to get around the ‘act of war’ exemption. In truth, they’d rather have the standard framework of cyberattack protection. This way, they can say: If you have this standard, you get this more favorable policy. Insurers like Aon and Chubb are with us and are helping us to drive these standards.”

Having commercial real estate risk managers contributing to the framework is ideal, he said, because there are unique situations in multifamily to solve.

Private (not Public) Industry Solutions

BuildingSecurity.org is hoping any ultimate cybersecurity framework does not fall to federal or state legislation or building codes.

“Better would be to build a private standard that the public sector can adopt,” he said, “as opposed to watching codes emerge all over the country and creating chaos. It would become too bloated. We don’t want mandates and government over-regulation [as we’ve seen in the past]. In those cases, building codes become outdated and take too long to be updated and approved. We want aspirational efforts by our industry to create and adopt codes ahead of time.”

With privately developed standards, “as new threats emerge, we can immediately get those updates out to our members; the policy becomes a dynamic, living [and effective] policy document,” Niemeyer said.

Paul Bergeron is a freelance reporter who covers the apartment industry. You can reach him at pbergeron333@gmail.com or 703-434-0280.
