Cybersecurity for Real Estate & Construction
TRANSCRIPT
Tim Cummins and Payal Vadhani
© 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs
Our Agenda
1. Trends in the Real Estate & Construction (REC) Industry
2. Cybersecurity Implications for Technology
3. Industry Frameworks
4. Scalable Cybersecurity Strategy
5. Operational Considerations
Trends in the Real Estate & Construction (REC) Industry
REC Technologies
A building management system (BMS) is a control system capable of monitoring & managing mechanical, electrical, and electromechanical facility services (TechTarget). Services can include the following:
• Heating, Ventilation, & Air Conditioning (HVAC)
• Utilities (e.g., lighting)
• Elevators
• Physical Access Control
Intelligent buildings have a suite of IT systems that provides a productive and cost-effective environment through optimization of their four basic elements, i.e., structure, systems, services, and management (Intelligent Building Institute USA).
Expanded REC Interconnected Networks
• Communication Infrastructure
• Tenant’s Systems
• Vendor’s Systems
BMS Market Forecast
• Commercial buildings sector forecasted to have the largest share of the BMS market
• Asia-Pacific (APAC) region companies expected to grow rapidly
• Security & access control systems are BMS market leaders
Source: Building Automation System Market – Global Forecasts to 2022 by Markets and Markets
BMS Market Forecast (Cont.)
Chart: BMS market size of $49.37 B in 2015, forecast to reach $100.60 B in 2022
Source: Building Automation System Market – Global Forecasts to 2022 by Markets and Markets
Cybersecurity Implications
Horror Stories
1. Target – HVAC vendor credentials were compromised
• Credentials provided access to a Target-hosted web application for vendors
• HVAC system was a key stepping stone to executing the data breach
2. Real Estate Investment Trust (REIT) – discovered in September 2014 that systems containing Personally Identifiable Information (PII) and sensitive corporate information were compromised
• Breach occurred prior to April 2014
• $2.8 million spent on incident management, which included:
  – investigative fees and
  – identity protection services
Technology & Risks
Business & Technology Driver: Building management systems (BMS) are integrated into IT networks and are Internet accessible
Risks:
• Unauthorized access
• Data compromise and loss of integrity
Business & Technology Driver: BMS continue to be designed for functionality and innovation to enhance convenience
Risks:
• Appropriate security architecture may not be incorporated into the BMS
• Security controls and considerations are not included in the design process
Business & Technology Driver: BMS are not managed by traditional IT teams
Risk:
• Personnel who manage the BMS may not have the required IT & security skills
Threats & Impacts
Ransomware
• FBI reported $209M USD monetary losses from January – March 2016 [1]
• Average ransom demanded: $679 [1]
• Number of new ransomware families detected in June 2016 (in one month): 50 [1]
Phishing
• 30% of phishing messages were opened and 12% of targets subsequently clicked on the malicious link/attachment, based on 8M+ phishing test results in 2015 [2]
• A spear phishing incident costs a company an average of $1.6M [2]
Distributed Denial of Service (DDOS)
• 73% of companies worldwide experienced a DDOS attack [3]
• 82% of corporations incurred repeat attacks, with 43% hit 6+ times [3]
• 8 out of 10 companies with Internet of Things (IoT) devices were attacked and 43% of them experienced some form of theft [3]
Data Breach
• 725 breaches exposed 29M+ records in 2016 as of 10/4/16 [4]
• 89% of breaches had a financial or espionage motive in 2016 [2]
Sources:
[1] Symantec Ransomware & Businesses Special Report 2016
[2] Verizon Data Breach Investigations Report
[3] Neustar 2016 DDOS Attacks and Protections Report
[4] Identity Theft Resource Center 2016 Data Breach Category Summary
Potential Consequences
Incidents
• Unauthorized access to BMS & other network locations
• Compromised HVAC settings
• Ransomware-encrypted files and data
Consequences
• Data loss/modification/theft
• Inappropriate environmental conditions & functionality
Impacts
• Jeopardized personnel safety
• Data breach notification & investigation
• Extensive remediation efforts
• Reputational damages
Industry Frameworks
REC Specific Industry Framework
Diagram: Mechanical Systems, Electric Systems, Enterprise Applications
The Open Building Information Exchange (OBIX) Technical Committee aims to create standard web services guidelines to facilitate the exchange of information between intelligent buildings and enterprise applications.
• Simplify data transfer
• Enhance data security
• Optimize data availability & awareness
Other Industry Frameworks
International Organization for Standardization (ISO) 2700X
ISO 27001 contains 114 controls that can be used to reduce security risk through management of assets and data. ISO 27002 defines guidelines for implementing the controls in 27001.
National Institute of Standards & Technology (NIST) Special Publication 800-53
NIST 800-53 is a catalog of security and privacy controls designed to protect entities from a variety of threats to public and private sector information. It includes the process for selecting and customizing controls as part of an enterprise-wide security and privacy risk management program.
Framework for Improving Critical Infrastructure Cybersecurity
The framework is designed to provide detailed guidance on managing cybersecurity risks for critical infrastructure (CI) services. The nation relies upon CI, which means operational requirements must be met and security safeguards must be in place. It provides principles and leading practices to facilitate enhanced CI security and resilience.
Unified Compliance Framework
An integration of all IT control requirements in an efficient and effective manner.
Scalable Cybersecurity Strategy
Principles & Objectives
Security Principles
• Confidentiality
• Integrity
• Availability
It’s not a matter of IF, but WHEN a significant security breach / incident will occur
Cybersecurity Program Objectives
• Protect confidential data
• Limit financial losses
• Avoid reputational damage
• Ensure resiliency of the business & IT environment
Scalable Strategy
Activities are grouped under three pillars (Secure, Vigilant, Resilient), shown as the three groups below:
1. Security Risk Assessment
2. Penetration Tests & Vulnerability Scans
3. Network Segmentation
4. Security Monitoring
5. Data Loss Prevention
6. Mobile Device Security

1. Information Classification, Data Analysis and Cleanup
2. Business Continuity Plan
3. Disaster Recovery Testing

1. Policies & Standards
2. Operating Procedures
3. Security Awareness Training
4. Cyber Insurance
5. Controls Implementation
Cybersecurity Controls
1. Understand your risks and threats landscape (P)
2. Assess, classify, and build extra protection around critical data (P)
3. Update policies, processes and procedures to address point-in-time and forward-looking risks and embed cybersecurity culture (P)
4. Assess/obtain cyber insurance coverage (P)
5. Conduct penetration tests and vulnerability scans (internal and external) on a reasonable frequency (D); remediate highest risk areas
6. Get up to date on patches and subscribe to security advisory mailing lists (P)
7. Set up an Insider Threat Program; even bare bones will do as a starting place (P)
8. Conduct security awareness and training on a regular frequency (once a quarter) (P)
9. Manage vendor security through policies and processes (P)
10. Have contingency and incident response plans in place that include law enforcement, forensics (digital, human and physical), client, investor, legal, media and PR responses (P)
11. Implement technologies that complement your processes (P)
Legend: P – Preventive controls; D – Detective controls
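As an added example (not from the slides), the following Python check applies the three risk drivers from the Technology & Risks slide and controls 3, 6, 8 and 9 above to a constructed inventory of building systems, flagging which devices need attention and which control addresses each finding. Device names, record fields, the VLAN naming and the 90-day patch window are all assumptions for illustration.

```python
from datetime import date

# Constructed sample inventory of building systems; names, fields and values are assumed.
INVENTORY = [
    {"name": "hvac-ctrl-01", "service": "HVAC", "vlan": "corp-users",
     "internet_exposed": True, "vendor_remote_access": True,
     "managed_by_it": False, "last_patched": date(2015, 3, 1)},
    {"name": "elevator-plc-02", "service": "Elevators", "vlan": "bms-ot",
     "internet_exposed": False, "vendor_remote_access": False,
     "managed_by_it": True, "last_patched": date(2016, 9, 15)},
    {"name": "door-acs-03", "service": "Physical Access Control", "vlan": "bms-ot",
     "internet_exposed": False, "vendor_remote_access": True,
     "managed_by_it": False, "last_patched": date(2016, 8, 1)},
]

BMS_VLANS = {"bms-ot"}    # segments reserved for building systems (assumed naming)
PATCH_WINDOW_DAYS = 90    # assumed policy threshold, not stated in the slides


def assess_device(dev, today):
    """Return (finding, control) pairs for one device, mapped to the deck's controls."""
    findings = []
    if dev["internet_exposed"]:
        findings.append(("Internet accessible: unauthorized-access risk", "Network Segmentation (control 3)"))
    if dev["vlan"] not in BMS_VLANS:
        findings.append(("Shares a segment with IT/user systems", "Network Segmentation (control 3)"))
    if dev["vendor_remote_access"]:
        findings.append(("Vendor remote access in place", "Manage vendor security (control 9)"))
    if not dev["managed_by_it"]:
        findings.append(("Not managed by the IT/security team", "Security awareness & training (control 8)"))
    if (today - dev["last_patched"]).days > PATCH_WINDOW_DAYS:
        findings.append(("Patching overdue", "Get up to date on patches (control 6)"))
    return findings


def assess_inventory(inventory, today=date(2016, 10, 4)):
    """Map each device name to its findings; devices with no findings are omitted."""
    report = {}
    for dev in inventory:
        findings = assess_device(dev, today)
        if findings:
            report[dev["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY).items():
        print(name)
        for issue, control in findings:
            print(f"  - {issue} -> {control}")
```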
Operational Considerations
Roles & Responsibilities
Board of Directors
• Be well-informed regarding IT strategic plans, cyber risks, and IT initiatives
• Continuously monitor risks and ensure alignment with business strategy through timely reporting
Risk Management Committee
• Meet on a periodic basis to discuss and manage enterprise risks, which include IT and cyber risks
• Oversee risk management solutions and remediation efforts
Chief Information Officer (CIO) / Chief Information Security Officer (CISO)
• Oversee the strategic and operational aspects of the cybersecurity program
• Develop and discuss status reporting with leadership & stakeholders
• Coordinate with the Board, Risk Management Committee, and CFO to involve IT in strategic and risk management plans
• Coordinate with the CFO on joint interest compliance programs and initiatives
Chief Financial Officer (CFO)
• Coordinate with the Board, Risk Management Committee, and CIO/CISO to allocate sufficient current and future funds to support IT initiatives, including cybersecurity
• Identify, manage, and report operational risks
Auditors
• Include cyber in the IT audits
• Engage in board level discussion on various risks, including IT and cyber
Culture, Governance & Compliance
• The Board of Directors must get involved to set the tone at the top
• A well-defined governance structure provides a good relationship and communication between the board, management, and employees
• The governance structure must reasonably balance security with business needs while remaining vigilant
• Cyber hygiene should be intrinsically woven into the culture of the organization
• Cybersecurity policies shouldn’t become paperweights
• Compliance activities should be carried out to ensure alignment with industry leading practices
No matter how large or small, every organization has to have a process in place to govern policies and practices, measure risk and compliance, and instill a cyber-aware culture.
In Summary
• Trends indicate building management systems will increase in prevalence in the coming years
• REC companies must make cybersecurity a priority
• Implement a scalable cybersecurity strategy that matures over time
• Ensure key roles recognize the importance of cybersecurity and drive a cyber-aware culture
• Consider cyber insurance coverage
• Ensure cyber hygiene is practiced across all levels of the organization
THANKS! Any Questions?