Risks for Industrial Properties
On the surface, industrial might appear to be relatively safe in comparison to other property types. We tend to think of four concrete walls and a rooftop with a lot of space inside for tenants to do their business. With such low complexity, how much could a cyber actor do? Well, not all industrial is created equal. A summary review of different types of industrial quickly shows potential vulnerabilities:
- Manufacturing/Fabrication:
These types of industrial properties rely heavily on “up-time,” meaning all systems up and running as products are produced. Cyber threats to this business would include any action that could disrupt production and throw off timelines and schedules. Additionally, for products manufactured robotically, machines are calibrated by computer to cut, stamp, score, heat, and cool to certain parameters and specifications to create the desired product. These parameters are set by computer and can be altered slightly by bad actors.
Pipes and screws, parts for cars, parts for home appliances, electrical equipment to be used in homes, cars, and home electronics are all made with very precise measured specifications. If these specifications are altered in any way (much like the cyber terrorist that attempted to alter the drinking water purification chemicals in San Francisco), the product is at best ruined and thrown away, at worst utilized in some larger project only to have the defects revealed in some type of failure.
Cyber threats to manufacturing would include any action that could disrupt production and throw off timelines and schedules.
- Food Processing:
Thinking again of vulnerabilities, freezer space and refrigerated spaces are critical for prevention of salmonella poisoning. These temperature-specific spaces are set at temperatures electronically and monitored electronically to ensure safety. Frozen food manufacturers of products including pies and cakes, fast-food dinners, processed meats all use chemicals for preservation of food, cleaning raw foods, and even for color enrichment. These types of chemicals and the measurements per pie/meal/product are handled robotically and through computers. Throwing these measurements off, mis-calibrating refrigeration and freezer spaces allowing food to spoil or become contaminated can cause major disruption and potentially dangerous food products. - Pharmaceutical, R&D:
These types of industrial are also heavily reliant on computerized robotics for production and fabrication of products. Alterations in the formulas of drugs, slight modifications in the processing of them, or modifications in a product in research can cause significant disruption. Temperature control for spaces is also very important to many of the businesses of this type, in addition to particle management in air systems of “clean rooms” of various levels. All of these are set and monitored using computers. - Shipping and Distribution:
This type of industrial also relies heavily on “up-time” and is extremely sophisticated in our current day and age of major distribution and shipping companies. So much so that these types of logistics companies don’t typically allow any type of vendor to access their critical logistics sites without scrutiny and background validation. What could go wrong with a package? Not much, but think of that package as one of millions handled every day (by computers) and the record-keeping of where it came from, where it is going, routing how to get it there, on what form of transportation, the labeling and coding, etc. All of the scanning and record-keeping of these millions of packages is handled through computers and bar codes and tracked continually.
You might ask, don’t these vulnerabilities reside with the tenant, not the industrial property owner? That is largely correct; however, why would the large distribution companies completely restrict access to their buildings from all vendors unless they are vetted? It is because of the crossover between IT and OT.
Logistics companies don’t typically allow any type of vendor to access their critical logistics sites without scrutiny and background validation. IT stands for Information Technology. This is the type of technology just mentioned for the large logistics companies — the information about packages and how they track them — where they came from and where they are going — and bill them. This is the tenant’s technology in running its business.
OT stands for Operational Technology. This is technology that runs from a computer but can make physical things happen in the real world, i.e., using your cell phone to turn on the lights in your home, lock your doors, turn on your electric car, etc. Within real estate, this would include HVAC units, elevators, door locks, fire/life/safety alarms and equipment, etc.
The reason logistics companies don’t permit third-party vendors to enter their buildings is because of the crossover between IT and OT. Vendors that are responsible for OT systems in a building will maintain their systems physically through inspection and upkeep. However, they will typically log their maintenance and bill and receive payments through IT systems. In 2014, Home Depot was hacked and Target had already been hacked through the theft of credentials from a third-party vendor on their buildings. In the case of Target, the username and passwords of a HVAC contractor were stolen.
You might think that this was a long time ago and has been fixed by now. Surprisingly, although large retailers and logistics companies are very much on top of this, most of industrial real estate still is not. These vulnerabilities and crossovers still exist and are actually worse today than they were in 2014. Industrial buildings and all types of buildings are smarter and more computerized (more hackable) than they were then, but cyber awareness and security has not kept pace.
Better Understanding Cybersecurity
As our high-tech world advances, more risks will be created. We don’t want to go backward or stop our progress, but it’s imperative companies get proactive about their cybersecurity risks and establish a plan. So, what’s the solution to prevent hackers from breaking into our IT and OT systems? A better understanding of cybersecurity and its philosophy is a great place to start.
- There is no one solution to buy or one thing to do to become cybersecure. Just as technological systems are in fact systems with many component parts, so to cybersecurity must be factored into all of the systems and pieces of the whole.
- Cybersecurity is not an “end point or finish line” goal; it is an ongoing process to be maintained and improved over time. Much like physical security, cybersecurity must be constantly present and maintained but also dynamic. As criminals invent new methods to penetrate and steal, cybersecurity must adapt and invent new countermeasures and protocols based on a dynamic environment.
- Cybersecurity is focused not just on preventing attacks but on response and recovery. The old saying “a criminal only has to be right one time” is very much in play. With all the prevention and security methods available, it still only takes one penetration to cause a significant disruption. From a cyber standpoint then, the very next questions are, “How fast can we shut down the attack?” and “How fast can we recover?” These aspects of cyber are the other keys to a full strategy — prevention, response, recovery.
Professional real estate investors or owners of real estate do not have the time to learn cybersecurity fully nor should they. However, what steps could be considered to improve an overall cybersecurity profile in existing real estate and existing real estate portfolios?
- Converging Networks:
Most real estate already has many operating networks within a single building installed by various vendors and tenants or occupants. Reducing the number of networks (systems that use the Internet to monitor and control physical aspects of a building remotely), converging these networks onto a single or a few larger networks that are professionally overseen and managed by an operator that is responsible for cybersecurity and full operations is a very positive step. - Virtual Private Networks (VPN):
A converged network is a secure environment for tenants on-site, but what happens in a hybrid work environment? More and more employees are working from the office a few days a week, and then from their homes or local coffee shops on alternate days. Public networks are often cyber threat environments, and employees using them can infect your systems. A good strategy (that can be facilitated by your converged network operator/provider) is a Virtual Private Network. This allows an employee or occupant to access your operations but through a “virtual tunnel” that would exclude much of the danger prevalent in public networks. It’s critical for employees to log into their company’s networks using a VPN system and use challenging passwords when working online and not in the physical office, which has the highest level of security when on a converged network. - Cybersecurity Consultation:
Real estate professionals employ many third-party consultants to oversee their real estate and operations. Recognizing cybersecurity as a critical need is another key component of a successful cybersecurity plan. A third-party resource can free up landlords’ and business owners’ time and allows trained industry professionals to monitor the property’s security 24/7. Working with the right partner can alleviate the stressors of cybersecurity threats, and just like property managers are hired to manage assets, they can also manage the resources in the fight against hackers and craft a plan to enforce a more strategic and safe technology infrastructure.
How can industrial facilities move forward with a better cybersecurity plan? First things first: bring the conversation to the table if it’s not already part of greater discussions. Industrial real estate, more so than any other type of real estate, houses a very wide range of potential users. Industrial assets need cybersecurity and, in some ways, more so than most property types. The varied uses within industrial facilities are wide open to cyber threat, and with crossovers from IT to OT, significant damage can be done.
Although there are strategies to aid in improving your cybersecurity and also fruitful conversations to be had, most important would be to begin a relationship with consultants in this industry that can guide you based on your particular needs and on the characteristics of your business model. As noted, cybersecurity is about prevention, response, and recovery. As with all things, the details to make this happen are what is next.