By Bayron Lopez, Director of Operational Technology at Kilroy Realty Corporation
September 22, 2022
With the growing landscape of intelligent building systems being deployed into commercial real estate, asset owners must develop a cyber-physical strategy to meet the ever-changing threats. As we continue integrating access controls, cameras, smart lighting, and even intelligent irrigation at scale, we must ensure that we do not sacrifice security for accessibility. With the addition of new technologies into the space, we must be able to vet a solution's software components and hardware integration. As the Director of Operational Technology, I work with all verticals of our organization to deploy technology that meets site requirements and protects them.
One of the biggest threats I see is the lack of seriousness surrounding these systems. Don't get me wrong, as an industry, we spend millions on the usage and development of technology to meet the needs of the properties. We have elevators that can track your phone and take you to the correct floor, a turnstile that can recognize your face and allow you into a building, and sensors that can tell you how busy the cafeteria is, so you don't miss that hot cup of coffee. The comforts are there, yet we still lack enough understanding of the security of the hardware that operates those systems. Many are still under the impression that because these are not your traditional "IT systems," they don't require as many security policies around them. Yet if someone hacks into the system that stores all the faces and names for that turnstile access control system, that would be a significant breach. We have seen threat actors expose camera vulnerabilities due to lax security policies. The industry keeps deploying technology to make the lives of both the occupants and operators easier, but it also opens the sites up to potential harm from others.
For years, individuals have been screaming at the top of their lungs regarding these threats, yet we decided to focus our attention elsewhere. The buzzwords of digital twinning, fault detection, and many others that I call bells and whistles overtook the industry. We became infatuated with having more tech, more systems, and more shiny things that we hoped would distract threat actors from really looking under the hood. There was an explosion of solutions, and if you had an idea, there was a vendor that would promise you that it was possible. As the layers of systems and data became deeper and deeper, cracks began to show in the foundation.
We lacked the seriousness of deploying a cyber-physical foundation for these systems. Many believed that they were not as complex as the corporate side of the house and that there was no way that they could produce large amounts of data. Some deployed 4K cameras without considering that those unmanaged 10/100 switches would never be able to handle the traffic. Some gave vendors access to their data via open internet connections, not understanding the potential threats they had created. Even I was unaware that we could produce more than 15,000 data points daily from a single occupancy system. It wasn't until someone got hacked that most of us started to pay attention to those individuals screaming for seriousness in control systems.
Fortunately, those individuals never gave up, and now we are starting to understand the foundational implementations they have been pushing. I've been fortunate to chat with my fellow CS2AI Fellows on some of these topics and have learned the importance of re-sealing our foundations.