How do you make a building cybersecure?

Hackers could be eyeing your sprinklers, HVAC, elevators and electronic locks

November 17, 2021

You’ve seen it in movies: A group of underdogs uses their cyber knowhow to take down an oppressive corporation—using the company’s own computers. But in reality, hacking is far less romantic and incredibly costly. The average cyberattack costs the impacted business more than $4 million, according to a recent IBM report. 

But it’s not just computers that are vulnerable to attack. Did you know that a company’s buildings can be hacked too? Cybercriminals can take control of a building’s systems to activate sprinklers, lock employees inside and even stop an elevator between floors. So how can a business know if the buildings it occupies are truly cybersecure? 

Find out the answer to that question in this episode of Building Places, where James Cook interviews Jason Lund, the head of JLL’s technology infrastructure group. 

James Cook: [00:00:00]: So you know how your computer can get hacked? Well, it can actually happen to a building too, but when you look at a building, how do you even tell if it's protected from hackers? Well, my guest today is going to tell us how buildings are made cyber secure. Today I'm catching up with Jason Lund.

This is Building Places, where we look at the world of commercial real estate through the eyes of the experts that study it every day.

My name is James Cook and I research real estate for JLL.

Jason Lund: [00:00:41]: My name is Jason Lund, and right now I lead the technology infrastructure group here at JLL.

James Cook: So if I'm an office tenant, why do I care if a building is cyber secure or not?

Jason Lund: [00:00:54]: Cybersecurity inside of a tenant, inside of an enterprise, has actually been on the radar for quite a while, for at least 10, 20 years, and the protocols are fairly well-developed actually, so you can lay out and see how to do it and how it's done and how it's been done. Whereas the buildings themselves are starting to become more technological. So where elevators used to just be machinery in a building, now elevators are machinery in a building, but there's a box that's attached to that, that beams all of the results and the activity, et cetera, to that elevator manufacturer's headquarters.

Jason Lund: [00:01:28]: And that elevator manufacturer actually has alerts or things that will pop up on their screen. And if they need to stop that elevator in mid rise or fall, they can. If they need to speed it up, slow it down, they can. They can do whatever they want and control it remotely, which is good.

We want that kind of monitoring and, and oversight. However, if they can do it remotely, then it's possible that someone that hacks into the system could do it remotely as well. So there's kind of a dual good and bad. The smarter something gets and the more it can be handled remotely the better, but you also have to in parallel be saying, okay, we also need to make it very cyber secure.

Because it's not just elevators. It's our HVAC units. It's our fire life safety. It's our sprinklers. Usually it's all smart conference rooms, anything and everything that we would throw into buildings that can be remotely controlled or controlled automatically is subject to cyber. And the more we do that, the more vulnerable we can.

James Cook: Okay. What do you put in place to protect against those hackers?

Jason Lund: The easiest way for hackers to obtain access and control over systems is by stealing people's user IDs and passwords. All of us in large companies, we get these phishing expedition trainings to learn how to not get tricked into giving our protocols and our credentials. The next aspect though of it is the physical. I really am thinking about Mission Impossible and thinking about some of those movies where you see these hackers get in there and they can physically insert some kind of a device into a larger device that can give them access to monitor it, to clone it, to pretend there's someone else in it.

Jason Lund: [00:03:04]: And it gives them the ability to take that device over. And it can be very small, something you would hold in your hand. So physical access to the actual boxes that would control these things on site is very important as well. And that's where management companies come in, frankly.

And I've had a lot of clients look at me and say, we're planning on making cyber security part of JLL's responsibility. And so like, okay, let's think that through. I think those are the two biggest, and then lastly it would just be maintaining good clean hygiene of your systems. So if you're someone that controls a lot of equipment and buildings and you do it through a mirror network operations, are those employees, when they leave your employ, are we closing down their user IDs and their passwords? Are we making sure that they can't reaccess the system if they're former employees, et cetera? There's a lot of that that has to be done.

James Cook: [00:03:52]: So it sounds like some of the more sophisticated property owners are thinking about this. Is it on everybody's radar?

Jason Lund: It's on everybody's radar, but nobody's really sure what to do about it. And this is really where rating systems come in. You can have a rating system. And there are a lot of them out there.

Actually, NIST has one. CSO has one Eissa. These are all, you know, alphabet soup agencies out there, but they haven't been adopted. And that's the big move. You can have a rating system, but if the ecosystem as a whole hasn't adopted that rating system and then started moving in a business way towards that rating system, it doesn't matter. So there's an organization that I'm part of. It's a nonprofit, it's called building cyber security.org, and they're developing a rating system. And then hopefully going to promulgate it to the ecosystem and real estate. And we're looking at a bronze, silver, gold levels of

James Cook: [00:04:46]: Sounds familiar.

Jason Lund: [00:04:47]: Yeah. Not, not too much difficulty there, but the idea though, if you look at the board of advisors, I'm on the advisory board and several others, but we've also got folks like Jim Trainer, who is with a, on one of the biggest insurance brokerage groups out there.

And Jim was also with the FBI in their cybersecurity division. He used to run it years ago. Uh, we've got several folks from the Department of Defense. We've got Admiral Bill Owens, Admiral John Richardson, who just retired as XO of the Navy. We've got Admiral Mike Rogers. He used to be the head of the NSA.

So Department of Defense obviously has been a leader in cybersecurity worldwide, and they're aware of foreign actors as well. We've also got lots of real estate clients like Michael Kirby with Invesco. Oh, Nate Pain with Clarion and others. And then we've got large occupier clients like Michael Ford, who heads up real estate for Microsoft, and others like that.

Jason Lund: [00:05:38]: So occupier and investor does it. But the idea is once we get this framework created, and there's a physical side, there's a system side and an automated systems side, we have to get adoption. And the way that we're going to try to tackle adoption is, is basically first through insurance, because everybody is hitting insurance companies for payments.

If they get hacked and the insurance company. If they even have a cyber policy on the property. And a lot of them haven't been asked to put one on the property, they're sitting there trying to figure out, well, what is my liability? How do I limit my liability? What is it that I'm insuring exactly, et cetera. So we're trying to provide a protocol that would allow an insurance company to say, okay, this building is cyber secure. By the way, "cyber secure" as a definition doesn't exist yet. You can't point to a building and say that one is cyber secure and the other one is. So, what we're trying to do is create that ability and then have the insurers be able to say, okay, you are now a gold rated cyber secure building.

Therefore we will insure you at this and you across the street, do you haven't even started, so you get the highest level of insurance and the same thing for a platform like a JLL. If we're going to take on the responsibility of sales. For a building, we have to be able to define what it is precisely.

And then we have to have the ability to control that piece and put it under our cyber insurance policy and then police it, maintain it and review it and do all those types of.

James Cook: So how is that governed and determined and how do you like certify people are actually following all these rules?

Jason Lund: We are working with groups, companies, that will actually. And do these assessments, engineering firms, basically it was partners, engineering and sciences, and others that have huge platforms where they inspect properties for environmental, for structural, for civil issues, et cetera.

Jason Lund: [00:07:28]: ADA compliance is a big one that they do. And so now we're trying to give them the protocols and things that they would inspect toward for sale.

James Cook: [00:07:36]: Also another thing, when I think about hacking, I think about how there's always new exploits that are being discovered. Like, does that mean your certification process is going to be evolving very quickly?

Jason Lund: [00:07:48]: Yes and no. You're absolutely right, it is dynamic. So the technology piece, the different levels of firewalling and other portions of security, yes, that will be moving. And that piece is actually moving us as a trend towards more software as a service and equipment as a service, basically where equipment would be regularly updated, maintained, you know, things pulled out, new things pulled in, in order to meet the latest and greatest. But then the parts that don't change are really the human being side. The human being side is still the weakest part of the link. Getting people's user IDs and passwords, cloning people's phones, stealing their computers, breaking in, all of those parts are the same five years ago as they are now.

And there'll be the same five and 10 years from now. It's the endpoints basically. Because no matter how tight your system is and how well it's been set up, there's a human being that set up that system and has the ability to change it or modify it or whatever. That's the person's protocols you need to go find.

James Cook: I just went through the, our annual cyber security training and a lot of it's

Jason Lund: [00:08:51]: I did too.

James Cook: [00:08:52]: A lot of it's common sense. When you swipe into a building, don't let the person in behind you come in, but there's so many employees in a building, you know, you just find the right one who's vulnerable and you can get in.

Jason Lund: [00:09:04]: Well, then you can find that if you have a, an owner that's got a portfolio of buildings, the person that wants to hack into the larger system would probably go to the building that's maybe three stories tall in a suburban location owned by that owner rather than, than the New York Times.

James Cook: [00:09:18]: Because it's all part of the same network, but it's not, quote unquote, as well defended.

Jason Lund: [00:09:23]: Exactly. The awareness is a little bit lower.

James Cook: So Jason, so much to think about here. Let's say I own a building. How do I even approach that?

Jason Lund: [00:09:33]: The first thing I think you do is you approach it from a proactive way. And I, I consult and help our clients do all of this is you've got to approach technology. I think first through the infrastructure is through the hardware that actually enables you to use all this tech. And that is also the future proof portion of technology that will last for years going forward. So I moved my clients into those strategies, but I, I'm also aware that I'm also creating the problem of cyber security. The more infrastructure that these properties have, the more technologically advanced they are, the more they need cyber.

So from the other side, I work on them with a full cyber plan, the physical, the user ID password, the regular maintenance, the oversight, et cetera, that needs to go with the tech that we're putting into buildings.

James Cook: [00:10:15]: So, Jason, let me ask you a fun question. So we're talking about all this stuff, and of course my mind goes to Mission Impossible. War Games is one of my favorite movies. There's a lot of hacking in that. Have you ever seen hacking in a movie in a building that looked at all realistic or is it all just Hollywood made up stuff?

Jason Lund: Believe it or not, it's fairly realistic. And you can actually YouTube some really fun things like, they've been able to take over the control systems in cars and driving through hacking, and you can actually blow up engines and do all kinds of stuff. If you surf around on YouTube, it's actually quite entertaining, but a little bit frightening.

James Cook: [00:10:52]: Yeah. Well, I'm jumping on YouTube right when we get done with this conversation. Um, well, Jason, thank you so much. This has been a fascinating conversation and I really appreciate your time.

Jason Lund: Oh, my pleasure.

James Cook: [00:11:04]: If you enjoyed our conversation today, you should probably be a subscriber to Building Places. It's super easy and it's free. Just go to any podcast app that you like, search for Building Places and hit subscribe.

This episode of Building Places was produced by Randy Hofbauer. Our theme music was written and performed by Joel Caracci.