The Colonial Pipeline hack and the broader epidemic of ransomware and other cyberattacks targeting businesses in various industries should remind us that cybersecurity is necessary to protect not only data and communications, but also physical property. The state-of-the-art building management systems that commercial and multi-family property owners invested in years ago to integrate facility lighting, HVAC, fire protection systems, elevators, parking sensors, and surveillance cameras may be vulnerable to a cyberattack. Property owners need to be vigilant and continually assess and upgrade their smart building management systems to safeguard against a potential cyberattack that could not only compromise sensitive personal information but also, for example, shut down a building’s heat or electricity or wreak havoc with the elevators in an office tower.
In 2013, a hacker used credentials from an HVAC maintenance contractor to hack Target’s network. This is an early example of how the interconnection of building systems can lead to security vulnerabilities. In December 2020, the Maryland Innovation & Security Institute (“MISI”) and DreamPort held a U.S. Cyber Command-inspired “Hack the Building” event where remote and on-site teams tried to break into a fully equipped 150,000-square-foot “smart” building. The unsuccessful teams focused their attacks directly on the building’s IT systems; the successful teams targeted interconnected devices, recognizing that penetrating one vulnerable system affords access to all of the systems it is connected to. It’s not surprising, then, that in a recent survey by Deloitte, commercial property owners and managers identified third-party vendors and service providers as presenting the biggest cybersecurity threat.
The federal government recognized the importance of securing interconnected devices with the passage of the Internet of Things Cybersecurity Improvement Act (the “Act”) in 2020, which tasked the National Institute of Standards and Technology (“NIST”) with creating cybersecurity standards for IoT devices purchased by federal agencies. The public comment phase of NIST’s comprehensive guidelines was recently completed, and they are being prepared for final release. While developed for IoT devices being sold to the U.S. government, the NIST standards will provide guidance for all IoT device manufacturers who may seek to apply the same standards to consumer products in order to avoid having a second production line. However, manufacturers of small, inexpensive devices that connect to a network used by many buildings, such as temperature controls and smart locks, may find it challenging to comply with the new standards while managing costs. Therefore, property owners must take the initiative to ensure their IoT devices and building management systems are updated and remain state of the art.