Cybersecurity Threats to the Real Estate Industry
The conversation around real estate data has always differed slightly between Europe and the rest of the world. Within the EU, the industry approached the value of data, and of the usable building insights that can be extracted from it, more cautiously, given the extensive campaign introducing GDPR legislation and the threat of severely punitive measures for non-compliance. Data was viewed as a liability to be managed rather than a valuable asset to be leveraged. This approach has started to shift in recent years, which is welcome, but the conversation has yet to move to the protection of data.
‘Smart’ in the context of the built environment simply means connected. Looking at other sectors further along the digital transformation journey, particularly the financial services sector and successful fintech, there is clearly another measure of ‘smartness’ emerging, one of safety. We need the transmission of data emanating from buildings and smart city applications to be predictably, boringly safe and smarter than an opportunistic hacker.
Research carried out by BAE shows a surge in hacking attacks in the UK since the COVID-19 outbreak in 2020. BAE’s research also indicated that ransomware has become the modern hacker’s tool of choice. Hackers use ransomware to shut down commercial systems in order to elicit a ransom, as seen in the Colonial Pipeline hack. Financial institutions and global corporations have been hackers’ usual targets, until now. Increased automation and connectivity across the built environment have made the real estate industry a new target for hackers. The risk of attack increases in line with the level of ‘smartness’ or connectivity of the smart building.
A so-called ‘smart building’ is any building or space that relies on internet-based systems, like a building automation system (BAS). These smart buildings are made up of a collection of individual smart devices. These devices connect to the internet and are part of the Internet of Things, or IoT. Connected ‘things’ or devices are predicted to exceed 40 billion by 2025. Anyone with the device login details can access the system from anywhere with an internet connection.
Smart devices have a wide range of valuable uses. For example, smart locks can grant time-restricted access to shared spaces, which underpins the flexible space model of coliving and coworking. While smart buildings are the route to improved user experience and environmental performance of the building, the ad hoc installation of IoT devices presents some unique risks and opens up points of potential vulnerability if the right master system or smart building operating system is not expertly in place. Building managers usually access smart building systems through an online web portal. The entire system must have permanent internet connectivity to work. When multiple different dashboards are added into the mix, the points of potential risk grow.
Smart buildings are particularly vulnerable to a relatively new type of ransomware, Siegeware. Siegeware is designed to shut down smart buildings. It gives hackers control of access, life safety systems, and critical HVAC systems, which incorporate power and lights. In a commercial building, the business will suffer downtime and lose money as a result, and that is the best-case scenario. If the building is residential, tenants can be left stranded outside of their homes until a ransom is paid. Perhaps a more terrifying possibility involves residents being locked into their homes. Any of these scenarios can result in building owners facing legal action and heavy fines.
Misusing web portals is the most common cause of building managers losing control of their smart buildings. Web portals are convenient because they allow for constant remote access. However, this convenience must be compensated for by additional security that is specialist to the built environment.
It is interesting to see venture capital firms start to shift their focus from experience to ESG. The next step will surely be to ensure the safe transmission of data through all of these ESG tech measures, to counter the inevitable growth and sophistication of real estate security risks.