Cybersecurity for Real Estate & Construction

Tim Cummins and Payal Vadhani

www.aronsonllc.com/blogs/PLACE BLOG HERE

Posted 20-Mar-2017

Page 1: Cybersecurity for Real Estate & Construction

Cybersecurity for Real Estate & Construction

Tim Cummins and Payal Vadhani

Page 2: Cybersecurity for Real Estate & Construction

2© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs |

Our Agenda

1. Trends in the Real Estate & Construction (REC) Industry
2. Cybersecurity Implications for Technology
3. Industry Frameworks
4. Scalable Cybersecurity Strategy
5. Operational Considerations

Page 3: Cybersecurity for Real Estate & Construction

Trends in the Real Estate & Construction (REC) Industry

Page 4: Cybersecurity for Real Estate & Construction

REC Technologies

A building management system (BMS) is a control system capable of monitoring & managing mechanical, electrical, and electromechanical facility services (TechTarget). Services can include the following:

• Heating, Ventilation, & Air Conditioning (HVAC)
• Utilities (e.g., lighting)
• Elevators
• Physical Access Control

Intelligent buildings have a suite of IT systems which provide a productive and cost-effective environment through optimization of four basic elements: structure, systems, services, and management (Intelligent Building Institute USA).

Page 5: Cybersecurity for Real Estate & Construction


Expanded REC Interconnected Networks

Communication Infrastructure

Tenant’s Systems

Vendor’s Systems

Page 6: Cybersecurity for Real Estate & Construction


BMS Market Forecast

Commercial buildings sector forecasted to have largest share of BMS market

Asia-Pacific (APAC) region companies expected to grow rapidly

Security & access control systems are BMS market leaders

Source: Building Automation System Market – Global Forecasts to 2022 by Markets and Markets

Page 7: Cybersecurity for Real Estate & Construction

BMS Market Forecast (Cont.)

Global BMS market size: $49.37 B in 2015, forecasted to reach $100.60 B by 2022

Source: Building Automation System Market – Global Forecasts to 2022 by Markets and Markets

Page 8: Cybersecurity for Real Estate & Construction


Cybersecurity Implications

Page 9: Cybersecurity for Real Estate & Construction

Horror Stories

1. Target – HVAC vendor credentials were compromised
• Credentials provided access to a Target-hosted web application for vendors
• HVAC system was a key stepping stone to executing the data breach

2. Real Estate Investment Trust (REIT) – discovered in September 2014 that systems containing Personally Identifiable Information (PII) and sensitive corporate information were compromised
• Breach occurred prior to April 2014
• $2.8 million spent on incident management, which included investigative fees and identity protection services

Page 10: Cybersecurity for Real Estate & Construction

Technology & Risks

Business & Technology Driver: Building management systems (BMS) are integrated into IT networks and are Internet accessible
Risks:
• Unauthorized access
• Data compromise and integrity

Business & Technology Driver: BMS continue to be designed for functionality and innovation to enhance convenience
Risks:
• Appropriate security architecture may not be incorporated into the BMS
• Security controls and considerations are not included in the design process

Business & Technology Driver: BMS are not managed by traditional IT teams
Risks:
• Personnel who manage the BMS may not have the required IT & security skills

Page 11: Cybersecurity for Real Estate & Construction

Threats & Impacts

Threat: Ransomware
Impacts:
• FBI reported $209M USD monetary losses from January – March 2016 [1]
• Average ransom demanded: $679 [1]
• Number of new ransomware families detected in June 2016 (in one month): 50 [1]

Threat: Phishing
Impacts:
• 30% of phishing messages were opened and 12% of targets subsequently clicked on the malicious link/attachment, based on 8M+ phishing test results in 2015 [2]
• A spear phishing incident costs a company an average of $1.6M [2]

Threat: Distributed Denial of Service (DDoS)
Impacts:
• 73% of companies worldwide experienced a DDoS attack [3]
• 82% of corporations incurred repeat attacks, with 43% hit 6+ times [3]
• 8 out of 10 companies with Internet of Things (IoT) devices were attacked, and 43% of them experienced some form of theft [3]

Threat: Data Breach
Impacts:
• 725 breaches exposed 29M+ records in 2016 as of 10/4/16 [4]
• 89% of breaches had a financial or espionage motive in 2016 [2]

Sources:
[1] Symantec Ransomware & Businesses Special Report 2016
[2] Verizon Data Breach Investigations Report
[3] Neustar 2016 DDOS Attacks and Protections Report
[4] Identity Theft Resource Center 2016 Data Breach Category Summary

Page 12: Cybersecurity for Real Estate & Construction

Potential Consequences

Incidents
• Unauthorized access to BMS & other network locations
• Compromised HVAC settings
• Ransomware-encrypted files and data

Consequences
• Data loss/modification/theft
• Inappropriate environmental conditions & functionality

Impacts
• Jeopardized personnel safety
• Data breach notification & investigation
• Extensive remediation efforts
• Reputational damages
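The incident chain on this slide (an outside party reaching the BMS, then changing HVAC settings) is what a building operator's security monitoring should catch. The following script is an added example and is not part of the presentation or any Aronson tooling: it reads constructed BMS write-audit records, flags setpoint writes that originate outside an assumed BMS management subnet (the network segmentation control), and flags writes that push a setpoint outside an assumed safe operating band (the integrity and personnel-safety concern). The log format, subnet, point names and temperature bounds are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: legitimate BMS writes come only from the operations network segment.
# This subnet is constructed for the example; use the facility's real segment.
BMS_MANAGEMENT_SUBNET = ipaddress.ip_network("10.20.0.0/24")

# Assumption: safe operating bands (degrees Fahrenheit) for two setpoints.
# Real bounds come from the facility engineer, not from this script.
SETPOINT_BOUNDS: Dict[str, tuple] = {
    "ahu1.supply_air_setpoint_f": (55.0, 75.0),
    "chiller1.leaving_water_setpoint_f": (40.0, 50.0),
}


@dataclass
class WriteEvent:
    ts: str
    src_ip: str
    user: str
    point: str
    old: float
    new: float


@dataclass
class Alert:
    ts: str
    kind: str  # "unauthorized_source" or "unsafe_setpoint"
    point: str
    detail: str


def parse_line(line: str) -> Optional[WriteEvent]:
    """Parse one assumed audit record: '<ts> src=<ip> user=<u> point=<p> old=<x> new=<y>'.
    Returns None for malformed records so one bad line cannot stop the analysis."""
    parts = line.split()
    if len(parts) != 6:
        return None
    fields = {}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        fields[key] = value
    try:
        return WriteEvent(parts[0], fields["src"], fields["user"], fields["point"],
                          float(fields["old"]), float(fields["new"]))
    except (KeyError, ValueError):
        return None


def source_allowed(src_ip: str) -> bool:
    """Segmentation check: only addresses inside the BMS management subnet may write."""
    try:
        return ipaddress.ip_address(src_ip) in BMS_MANAGEMENT_SUBNET
    except ValueError:
        return False


def setpoint_safe(point: str, value: float) -> bool:
    """Integrity check: points without a configured band are accepted as-is."""
    low, high = SETPOINT_BOUNDS.get(point, (float("-inf"), float("inf")))
    return low <= value <= high


def analyze(lines: List[str]) -> List[Alert]:
    """Run both checks over every record; a single write can raise both alerts."""
    alerts: List[Alert] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if not source_allowed(event.src_ip):
            alerts.append(Alert(event.ts, "unauthorized_source", event.point,
                                f"write from {event.src_ip} ({event.user}) outside {BMS_MANAGEMENT_SUBNET}"))
        if not setpoint_safe(event.point, event.new):
            alerts.append(Alert(event.ts, "unsafe_setpoint", event.point,
                                f"{event.old} -> {event.new} is outside the safe band"))
    return alerts


# Constructed sample log: a normal operator write, two writes from an Internet
# address using a vendor account (one of them also unsafe), an unsafe write from
# the correct segment, and one malformed line.
SAMPLE_LOG = [
    "2016-10-04T08:00:12Z src=10.20.0.15 user=facilities point=ahu1.supply_air_setpoint_f old=65.0 new=66.0",
    "2016-10-04T09:14:03Z src=203.0.113.7 user=hvac_vendor point=ahu1.supply_air_setpoint_f old=66.0 new=66.0",
    "2016-10-04T09:14:40Z src=203.0.113.7 user=hvac_vendor point=chiller1.leaving_water_setpoint_f old=44.0 new=95.0",
    "2016-10-04T10:02:55Z src=10.20.0.15 user=facilities point=ahu1.supply_air_setpoint_f old=66.0 new=90.0",
    "garbage",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert.ts} {alert.kind:20} {alert.point}: {alert.detail}")
```

The two checks are deliberately independent: the last sample write comes from the right segment and a legitimate account yet still trips the setpoint band, which is the case a pure network-layer control would miss and the reason the slide lists security monitoring alongside segmentation.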

Page 13: Cybersecurity for Real Estate & Construction


Industry Frameworks

Page 14: Cybersecurity for Real Estate & Construction

REC-Specific Industry Framework

Mechanical Systems | Electric Systems | Enterprise Applications

The Open Building Information Exchange (oBIX) Technical Committee aims to create standard web services guidelines to facilitate the exchange of information between intelligent buildings and enterprise applications.

• Simplify data transfer
• Enhance data security
• Optimize data availability & awareness

Page 15: Cybersecurity for Real Estate & Construction

Other Industry Frameworks

Framework: International Organization for Standardization (ISO) 2700x
Description: ISO 27001 contains 114 controls that can be used to reduce security risk through management of assets and data. ISO 27002 defines guidelines for implementing the controls in 27001.

Framework: National Institute of Standards & Technology (NIST) Special Publication 800-53
Description: NIST 800-53 is a catalog of security and privacy controls designed to protect entities from a variety of threats to public and private sector information. It includes the process for selecting and customizing controls as part of an enterprise-wide security and privacy risk management program.

Framework: Framework for Improving Critical Infrastructure Cybersecurity (NIST)
Description: The framework is designed to provide detailed guidance on managing cybersecurity risks for critical infrastructure (CI) services. The nation relies upon CI, which means operational requirements must be met and security safeguards must be in place. It provides principles and leading practices to facilitate enhanced CI security and resilience.

Framework: Unified Compliance Framework
Description: An integration of all IT control requirements in an efficient and effective manner.

Page 16: Cybersecurity for Real Estate & Construction

Scalable Cybersecurity Strategy

Page 17: Cybersecurity for Real Estate & Construction

Principles & Objectives

Security Principles: Confidentiality, Integrity, Availability

It's not a matter of IF, but WHEN a significant security breach / incident will occur.

Cybersecurity Program Objectives
• Protect confidential data
• Limit financial losses
• Avoid reputational damage
• Ensure resiliency of the business & IT environment

Page 18: Cybersecurity for Real Estate & Construction

Scalable Strategy

Secure | Vigilant | Resilient

1. Security Risk Assessment
2. Penetration Tests & Vulnerability Scans
3. Network Segmentation
4. Security Monitoring
5. Data Loss Prevention
6. Mobile Device Security

1. Information Classification, Data Analysis and Cleanup
2. Business Continuity Plan
3. Disaster Recovery Testing

1. Policies & Standards
2. Operating Procedures
3. Security Awareness Training
4. Cyber Insurance
5. Controls Implementation

Page 19: Cybersecurity for Real Estate & Construction

Cybersecurity Controls

1. Understand your risks and threat landscape (P)
2. Assess, classify, and build extra protection around critical data (P)
3. Update policies, processes and procedures to address point-in-time and forward-looking risks and embed a cybersecurity culture (P)
4. Assess/obtain cyber insurance coverage (P)
5. Conduct penetration tests and vulnerability scans (internal and external) on a reasonable frequency (D); remediate highest risk areas
6. Get up to date on patches and subscribe to security advisory mailing lists (P)
7. Set up an Insider Threat Program; even a bare-bones one will do as a starting place (P)
8. Conduct security awareness and training on a regular frequency (once a quarter) (P)
9. Manage vendor security through policies and processes (P)
10. Have contingency and incident response plans in place that include law enforcement, forensics (digital, human and physical), client, investor, legal, media and PR responses (P)
11. Implement technologies that complement your processes (P)

Legend: P – Preventive controls; D – Detective controls

Page 20: Cybersecurity for Real Estate & Construction


Operational Considerations

Page 21: Cybersecurity for Real Estate & Construction

Roles & Responsibilities

Board of Directors
• Be well-informed regarding IT strategic plans, cyber risks, and IT initiatives
• Continuously monitor risks and ensure alignment with business strategy through timely reporting

Risk Management Committee
• Meet on a periodic basis to discuss and manage enterprise risks, which include IT and cyber risks
• Oversee risk management solutions and remediation efforts

Chief Information Officer (CIO) / Chief Information Security Officer (CISO)
• Oversee the strategic and operational aspects of the cybersecurity program
• Develop and discuss status reporting with leadership & stakeholders
• Coordinate with the Board, Risk Management Committee, and CFO to involve IT in strategic and risk management plans
• Coordinate with the CFO on joint-interest compliance programs and initiatives

Chief Financial Officer (CFO)
• Coordinate with the Board, Risk Management Committee, and CIO/CISO to allocate sufficient current and future funds to support IT initiatives, including cybersecurity
• Identify, manage, and report operational risks

Auditors
• Include cyber in the IT audits
• Engage in board-level discussion on various risks, including IT and cyber

Page 22: Cybersecurity for Real Estate & Construction

Culture, Governance & Compliance

• The Board of Directors must get involved to set the tone at the top
• A well-defined governance structure provides a good relationship and communication between the board, management, and employees
• The governance structure must reasonably balance security with business needs while remaining vigilant
• Cyber hygiene should be intrinsically woven into the culture of the organization
• Cybersecurity policies shouldn't become paperweights
• Compliance activities should be carried out to ensure alignment with industry leading practices

No matter how large or small, every organization has to have a process in place to govern policies and practices, measure risk and compliance, and instill a cyber-aware culture.

Page 23: Cybersecurity for Real Estate & Construction


In Summary

Trends indicate building management systems will increase in prevalence in the coming years

REC companies must make cybersecurity a priority

Implement a scalable cybersecurity strategy that matures over time

Ensure key roles recognize the importance of cybersecurity and drive a cyber-aware culture

Consider cyber insurance coverage

Ensure cyber hygiene is practiced across all levels of the organization

Page 24: Cybersecurity for Real Estate & Construction

THANKS! Any Questions?