Area Development
The world of real estate is making significant strides toward adopting the latest and most innovative technologies. But with more tech comes heightened risk. One of the latest ransomware attacks this year impacted up to 1,500 businesses globally by targeting U.S. IT company, Kaseya. Brazilian meatpacking company, JBS, also experienced a cybersecurity attack that forced the company to shut down operations, which could have been detrimental to its supply chain and to the U.S. food supply. In January 2021, a hacker was able to break into a water treatment plant system (by stealing an employee’s username and password) in an attempt to modify the chemical components that were treating drinking water. This could have impacted hundreds of households’ drinking water.

{{RELATEDLINKS}} Risks for Industrial Properties
On the surface, industrial might appear to be relatively safe in comparison to other property types. We tend to think of four concrete walls and a rooftop with a lot of space inside for tenants to do their business. With such low complexity, how much could a cyber actor do? Well, not all industrial is created equal. A summary review of different types of industrial quickly shows potential vulnerabilities: Crossover Between IT and OT
You might ask, don’t these vulnerabilities reside with the tenant, not the industrial property owner? That is largely correct; however, why would the large distribution companies completely restrict access to their buildings from all vendors unless they are vetted? It is because of the crossover between IT and OT.

Logistics companies don’t typically allow any type of vendor to access their critical logistics sites without scrutiny and background validation. IT stands for Information Technology. This is the type of technology just mentioned for the large logistics companies — the information about packages and how they track them — where they came from and where they are going — and bill them. This is the tenant’s technology in running its business.

OT stands for Operational Technology. This is technology that runs from a computer but can make physical things happen in the real world, i.e., using your cell phone to turn on the lights in your home, lock your doors, turn on your electric car, etc. Within real estate, this would include HVAC units, elevators, door locks, fire/life/safety alarms and equipment, etc.

The reason logistics companies don’t permit third-party vendors to enter their buildings is because of the crossover between IT and OT. Vendors that are responsible for OT systems in a building will maintain their systems physically through inspection and upkeep. However, they will typically log their maintenance and bill and receive payments through IT systems. In 2014, Home Depot was hacked and Target had already been hacked through the theft of credentials from a third-party vendor on their buildings. In the case of Target, the username and passwords of a HVAC contractor were stolen.

You might think that this was a long time ago and has been fixed by now. Surprisingly, although large retailers and logistics companies are very much on top of this, most of industrial real estate still is not. These vulnerabilities and crossovers still exist and are actually worse today than they were in 2014. Industrial buildings and all types of buildings are smarter and more computerized (more hackable) than they were then, but cyber awareness and security has not kept pace.

Better Understanding Cybersecurity
As our high-tech world advances, more risks will be created. We don’t want to go backward or stop our progress, but it’s imperative companies get proactive about their cybersecurity risks and establish a plan. So, what’s the solution to prevent hackers from breaking into our IT and OT systems? A better understanding of cybersecurity and its philosophy is a great place to start. Public networks are often cyber threat environments, and employees using them can infect your systems. Strategies to Aid in Cybersecurity
Professional real estate investors or owners of real estate do not have the time to learn cybersecurity fully nor should they. However, what steps could be considered to improve an overall cybersecurity profile in existing real estate and existing real estate portfolios? The Way Forward
How can industrial facilities move forward with a better cybersecurity plan? First things first: bring the conversation to the table if it’s not already part of greater discussions. Industrial real estate, more so than any other type of real estate, houses a very wide range of potential users. Industrial assets need cybersecurity and, in some ways, more so than most property types. The varied uses within industrial facilities are wide open to cyber threat, and with crossovers from IT to OT, significant damage can be done.

Although there are strategies to aid in improving your cybersecurity and also fruitful conversations to be had, most important would be to begin a relationship with consultants in this industry that can guide you based on your particular needs and on the characteristics of your business model. As noted, cybersecurity is about prevention, response, and recovery. As with all things, the details to make this happen are what is next.