Fortifying commercial real estate: safeguarding operational technology against cyber threats

Co-authors: Sergey Buryachenko, Manager, Cybersecurity, EY Canada

Ashish Soni, Manager, Technology Consulting, Cybersecurity, EY Canada

In today’s complex cybersecurity environment, a property management company’s best offence is a strong, sophisticated defense.

In brief

• Operational technology is critically important to commercial real estate properties, but significantly lacking in cybersecurity defences.
• Doubling down to better protect these assets now can go a long way towards fending off cyberthreats and heading hackers off at the turn.

Operational technology (OT) fuels efficiency and changes the way commercial buildings serve clients. What’s the downside? Hackers are increasingly interested in finding — and exploiting — any possible crack in that system. In today’s complex cybersecurity environment, a property management company’s best offence is a strong, sophisticated defence. Nothing less will do.

Twenty years ago, an internal auditor questioning the need to protect internal networks or the information it stores would find the same answer: visibility is critical. That could’ve spanned anything from visibility into hardware or software, configuration and vulnerabilities, users and data.

Fast forward, and clear visibility continues to be a struggle for many organizations. Of course, IT departments have made huge leaps in hardware and software asset management. But when it comes to OT, the picture looks very different.

New EY teams research finds that while an ecosystem-led approach to business — think cloud computing at scale and the Internet of Things — helps drive value, it also presents a significant cybersecurity challenge. All told, 53% of cyber leaders agree there is no such thing as a secure perimeter in today’s digital ecosystem. In fact, “too many attack surfaces” was the most cited internal challenge to an organization’s cybersecurity strategy. 

For example:

• Poor decision-making and siloed OT governance
• Uncontrolled or unmanaged OT asset lifecycles and change management
• Weakened understanding of OT risks and the broader threat landscape
• Slow incident response when crises arise
• Inability to support regulatory compliance requirements
• Lack of asset ownership, causing confusion, delayed responses and business continuity challenges

Operational technology asset visibility is critical to strengthening cybersecurity.

If your business is taken hostage by hackers in today’s digital era, your entire operation could be impacted. What’s more, attacks create lasting reputational harm that can be difficult, and costly, to mitigate. Making use of leading technology while making sure to strengthen cybersecurity really comes down to asset visibility. Why?

You can’t protect what you can’t see. Real estate organizations need an accurate inventory of assets to spot vulnerabilities, identify anomalies, create effective change management processes, respond effectively to cyber events and apply security controls based on asset criticality. Asset management is the first and foremost phase among IT and OT standards.

How can real estate companies strengthen cybersecurity?

You don’t have to boil the ocean to effectively strengthen cybersecurity across commercial real estate properties. Start with critical sites first. Prioritizing your list in this way helps target your efforts on the properties where cyberthreats could create the broadest and most significant negative impacts.

Within that list of critical sites, focus first on mission-critical processes for each of those properties. The mission impact analysis or inventory of OT assets that support those key processes reflects your “crown jewels.” These OT assets requires the greatest cybersecurity investment right now.

This initial phase tees you up to perform similar exercises across all remaining properties and processes, based on their priority level in the business and its operations. How?

Focus on these core leading practices to build up cybersecurity across critical sites and processes:

1. Get clear on roles and responsibilities. Organizations need a definitive matrix of all roles in OT asset management. This is foundational to mitigating cyber risk and navigating breaches when they do occur. You don’t want to be establishing who’s who in the middle of a crisis. Instead, define asset owners and custodians proactively and create accountability around these roles.

2. Document processes that everyone can follow. Armed with clarity around roles and responsibilities, people must also be able to sing off the same proverbial cybersecurity song sheet. Developing and documenting the steps to take in given scenarios helps teams continuously defend OT assets across sites in regular times and move quickly when something goes wrong. That documentation should establish asset criticality evaluation criteria, asset attributes to be captured and asset discovery/management tools for automation.

You’ll want to include processes for managing hardware and software OT assets across their lifecycle and define the process for auditing inventory at a fixed-frequency basis, as well as outline change management plans to support those efforts. Don’t forget to think remote in this context. Documenting baselined network architectures and data flow diagrams can help you secure remote access for third parties — or potentially disgruntled employees.

3. Consider recovery time and point objectives. At a minimum, you’ll want to map out recovery time and recovery point objectives for crown jewel OT assets at critical sites. Of course, all of these steps can — in fact, should — eventually be applied across non-critical sites as well. Start by outlining what the goals and steps should be around the most valuable OT assets to minimize the negative impacts that a cyber incident would mean for those who use the property and for the business itself.