Cybersecurity for Real Estate & Construction
2. © 2016 | www.aronsonllc.com | www.aronsonllc.com/blogs |
Our Agenda
1. Trends in the Real Estate & Construction (REC) Industry
2. Cybersecurity Implications for Technology
3. Industry Frameworks
4. Scalable Cybersecurity Strategy
5. Operational Considerations

REC Technologies
A building management system (BMS) is a control system capable of monitoring & managing mechanical, electrical, and electromechanical facility services (TechTarget). Services can include the following:
• Heating, Ventilation, & Air Conditioning (HVAC)
• Utilities (e.g., lighting)
• Elevators
• Physical Access Control
Intelligent buildings have a suite of IT systems which provide a productive and cost-effective environment through optimization of its four basic elements, i.e., structure, systems, services, and management (Intelligent Building Institute USA).

Expanded REC Interconnected Networks
Diagram: Communication Infrastructure; Tenant’s Systems; Vendor’s Systems

BMS Market Forecast
• Commercial buildings sector forecasted to have largest share of BMS market
• Asia-Pacific (APAC) region companies expected to grow rapidly
• Security & access control systems are BMS market leaders
Source: Building Automation System Market – Global Forecasts to 2022 by Markets and Markets

BMS Market Forecast (Cont.)
Chart: BMS market of $49.37 B in 2015 to $100.60 B in 2022
Source: Building Automation System Market – Global Forecasts to 2022 by Markets and Markets

Horror Stories
1. Target - HVAC vendor credentials were compromised
• Credentials provided access to a Target-hosted web application for vendors
• HVAC system was a key stepping stone to executing the data breach
2. Real Estate Investment Trust (REIT) - discovered in September 2014 that systems containing Personally Identifiable Information (PII) and sensitive corporate information were compromised
• Breach occurred prior to April 2014
• $2.8 million spent on incident management, which included:
  • investigative fees and
  • identity protection services

Technology & Risks
Business & Technology Driver: Building management systems (BMS) are integrated into IT networks and are Internet accessible
Risk:
• Unauthorized access
• Data compromise and integrity
Business & Technology Driver: BMS continue to be designed for functionality and innovation to enhance convenience
Risk:
• Appropriate security architecture may not be incorporated into the BMS
• Security controls and considerations are not included in the design process
Business & Technology Driver: BMS are not managed by traditional IT Teams
Risk:
• Personnel who manage the BMS may not have the required IT & Security skills

Threats & Impacts
Threat: Ransomware
Impacts:
• FBI reported $209M USD monetary losses from January – March 2016 [1]
• Average ransom demanded: $679 [1]
• Number of new ransomware families detected in June 2016 (in one month): 50 [1]
Threat: Phishing
Impacts:
• 30% of phishing messages were opened and 12% of targets subsequently clicked on the malicious link/attachment, based on 8M+ phishing test results in 2015 [2]
• A spear phishing incident costs a company an average of $1.6M [2]
Threat: Distributed Denial of Service (DDOS)
Impacts:
• 73% of companies worldwide experienced a DDOS attack [3]
• 82% of corporations incurred repeat attacks, with 43% hit 6+ times [3]
• 8 out of 10 companies with Internet of Things (IoT) devices were attacked and 43% of them experienced some form of theft [3]
Threat: Data Breach
Impacts:
• 725 breaches exposed 29M+ records in 2016 as of 10/4/16 [4]
• 89% of breaches had a financial or espionage motive in 2016 [2]
Sources:
1 - Symantec Ransomware & Businesses Special Report 2016
2 - Verizon Data Breach Investigations Report
3 - Neustar 2016 DDOS Attacks and Protections Report
4 - Identity Theft Resource Center 2016 Data Breach Category Summary

Potential Consequences
Incidents
• Unauthorized access to BMS & other network locations
• Compromised HVAC settings
• Ransomware encrypted files and data
Consequences
• Data loss/modification/theft
• Inappropriate environmental conditions & functionality
Impacts
• Jeopardized personnel safety
• Data breach notification & investigation
• Extensive remediation efforts
• Reputational damages

REC Specific Industry Framework
Diagram: Mechanical Systems; Electric Systems; Enterprise Applications
The Open Building Information Exchange (OBIX) Technical Committee aims to create standard web services guidelines to facilitate the exchange of information between intelligent buildings and enterprise applications.
• Simplify data transfer
• Enhance data security
• Optimize data availability & awareness

Other Industry Frameworks
Framework: International Organization for Standardization (ISO) 2700X
Description: ISO 27001 contains 114 controls that can be used to reduce security risk through management of assets and data. ISO 27002 defines guidelines for implementing the controls in 27001.
Framework: National Institute of Standards & Technology (NIST) Special Publication 800-53
Description: NIST 800-53 is a catalog of security and privacy controls designed to protect entities from a variety of threats to public and private sector information. It includes the process for selecting and customizing controls as part of an enterprise-wide security and privacy risk management program.
Framework: Framework for Improving Critical Infrastructure Cybersecurity
Description: The framework is designed to provide detailed guidance on managing cybersecurity risks for critical infrastructure (CI) services. The nation relies upon CI, which means operational requirements must be met and security safeguards must be in place. It provides principles and leading practices to facilitate enhanced CI security and resilience.
Framework: Unified Compliance Framework
Description: An integration of all IT control requirements in an efficient and effective manner.

Principles & Objectives
Security Principles: Confidentiality, Integrity, Availability
It’s not a matter of IF, but WHEN a significant security breach / incident will occur
Cybersecurity Program Objectives
• Protect confidential data
• Limit financial losses
• Avoid reputational damage
• Ensure resiliency of the business & IT environment

Scalable Strategy
Secure | Vigilant | Resilient
1. Security Risk Assessment
2. Penetration Tests & Vulnerability Scans
3. Network Segmentation
4. Security Monitoring
5. Data Loss Prevention
6. Mobile Device Security

1. Information Classification, Data Analysis and Cleanup
2. Business Continuity Plan
3. Disaster Recovery Testing

1. Policies & Standards
2. Operating Procedures
3. Security Awareness Training
4. Cyber Insurance
5. Controls Implementation

Cybersecurity Controls
1. Understand your risks and threats landscape (P)
2. Assess, classify, and build extra protection around critical data (P)
3. Update policies, processes and procedures to address point in time and forward-looking risks and embed cybersecurity culture (P)
4. Assess/obtain cyber insurance coverage (P)
5. Conduct penetration tests and vulnerability scans (internal and external) on a reasonable frequency (D); remediate highest risk areas
6. Get up to date on patches and subscribe to security advisory mailing lists (P)
7. Set up an Insider Threat Program, even bare bones will do as a starting place (P)
8. Conduct security awareness and training on a regular frequency (once a quarter) (P)
9. Manage vendor security through policies and processes (P)
10. Have contingency and incident response plans in place that include law enforcement, forensics (digital, human and physical), client, investor, legal, media and PR responses (P)
11. Implement technologies that complement your processes (P)
Legend: P – Preventive controls; D – Detective controls

Roles & Responsibilities
Board of Directors
• Be well-informed regarding IT strategic plans, cyber risks, and IT initiatives
• Continuously monitor risks and ensure alignment with business strategy through timely reporting
Risk Management Committee
• Meet on a periodic basis to discuss and manage enterprise risks, which include IT and cyber risks
• Oversee risk management solutions and remediation efforts
Chief Information Officer (CIO) / Chief Information Security Officer (CISO)
• Oversee the strategic and operational aspects of the cybersecurity program
• Develop and discuss status reporting with leadership & stakeholders
• Coordinate with the Board, Risk Management Committee, and CFO to involve IT in strategic and risk management plans
• Coordinate with the CFO on joint interest compliance programs and initiatives
Chief Financial Officer (CFO)
• Coordinate with the Board, Risk Management Committee, and CIO/CISO to allocate sufficient current and future funds to support IT initiatives including cybersecurity
• Identify, manage, and report operational risks
Auditors
• Include cyber in the IT audits
• Engage in board level discussion on various risks including IT and cyber

Culture, Governance & Compliance
• The Board of Directors must get involved to set the tone at the top
• A well-defined governance structure provides a good relationship and communication between the board, management, and employees
• The governance structure must reasonably balance security with business needs while remaining vigilant
• Cyber hygiene should be intrinsically woven into the culture of the organization
• Cybersecurity policies shouldn’t become paperweights
• Compliance activities should be carried out to ensure alignment with industry leading practices
No matter how large or small, every organization has to have a process in place to govern policies and practices, measure risk and compliance, and instill a cyber-aware culture.

In Summary
• Trends indicate building management systems will increase in prevalence in the coming years
• REC companies must make cybersecurity a priority
• Implement a scalable cybersecurity strategy that matures over time
• Ensure key roles recognize the importance of cybersecurity and drive a cyber-aware culture
• Consider cyber insurance coverage
• Ensure cyber hygiene is practiced across all levels of the organization