Property Managers Guide to Building Systems and Cybersecurity

A Career Making Opportunity for Asset Managers of Commercial Properties

Article by Dr. Joel Rakow, Fortium Partners

Look here! Today’s cybersecurity concerns create a unique opportunity for Property and Asset Managers of commercial real estate: An increase in market value of almost any commercial property can be achieved by reducing

risk of cyber attack, complying with data privacy laws, especially if this also increases property revenue. Happily, these improvements require no new investment of funds. How can this happen for me, you might ask.

Both the Harvard Business Review and Microsoft report research that finds building systems are the single biggest contributor to cybersecurity vulnerability in corporate America. These systems include:

• Voice over IP telephone
• Video surveillance systems
• Business machines (think copiers, point-of-sale devices, etc.)
• HVAC systems
• Elevators, destination dispatch, etc.
• Building Automation Systems, Lighting Control Systems, Energy management, analytics, etc.
• Property and tenant management applications

Building automation systems were once secured by isolating them, physically and electrically, from the corporate IT network. As remote access technologies are added to these systems, vulnerability is increased dramatically. Building automation systems are targeted by hackers as points of entry to the network.

ASHRAE’s BACnet Committee (SSPC 135) addresses cybersecurity threats at the network layer with BACnet Secure Connect (BACnet SC). The BACnet International trade association actively encourages BAS manufacturers to adopt this new technology through the BACnet SC Acceleration Program.

However, building systems require hardening and security applied at the device level, because the devices reside outside the Ethernet band of traditional IT networks. They communicate with serial data streams. They rely on analog-to-digital converters. The have configuration requirements in the software that controls the building systems. Moreover, many building systems do not interoperate, or communicate, with IT’s tools for managing nodes on IT network. Even with ASHRAE and the BACnet committee’s proactive steps, building systems will remain vulnerable points of entry for cyber attacks, unless dedicated and unique attention and remediation are applied to building systems.

The reason Asset and Property Managers should care so much about this cybersecurity and building systems more than 50% of “successful” cyber attacks gain their initial point of entry via building systems. This little known fact is supported by the Harvard Business Review, Microsoft IoT Signals, Palo Alto Networks Unit 42 research group and IBM Security (See footnotes below).

Cyber Attacks Turn Physical

Building systems are the point of entry for multi-stage cyber attacks. These Intrusions lead to a second stage with aggressive attacks on IT systems, data and sometimes even building systems designed to provide comfort and safety can be turned into life and safety hazards. Even Moody’s, the insurance ratings organization, recently began assessing such risks for commercial real estate properties and discovered a database of 1,200 life safety incidents which may have been cyber attacks that turned physical.

Call to Action

To Increase property value Asset Managers have only to modify the behavior of the suppliers of building systems. The new behavior that we want from these suppliers is for them to deliver their systems using security practices that address today’s cybersecurity concerns. These suppliers include the ones that provide systems for both the building’s common areas as well as the suppliers that serve supplier tenants.

Property and Asset Managers have the market power to make this happen at no cost to the property. They simply notify the suppliers, using the template included here, that they will be expected to improve their security practices and increase related transparency. The notice provides general guidelines and refers them to Fortium Partners’ Cybersecurity Team, who can assist those suppliers that do not possess cybersecurity expertise. With this notice, Asset Managers shift much of the security and financial burden away from the property and to the supplier. Contact S4 for a sample one-page, friendly notice.

With this straightforward act, Asset Managers kickstart the hardening of the property against cyber attack and soon start witnessing a stream of new revenue from the property. You can expect this to develop over 5 stages:

Stage 1. Building Systems Suppliers

The building system supplier will respond to the notice within two to three weeks with substantially all of them declaring that they value their business with you and request more specific description of your expectations.
Some of these will choose to work with Fortium Partners as offered in the notice, or select another cyber team (which is also fine). Very few, maybe 10%, of the suppliers will attempt to conform using their internal personnel. Even fewer will ignore your notice or decline to participate.

Stage 2. Fortium's Cyber Team

The Cyber Team will reach out to each participating supplier individually, and engage each supplier as an important player in the property’s security. Fortium shares the big picture of cybersecurity, building systems and how each supplier plays an important role. Fortium will present the supplier with five tools that enable the supplier to satisfy most any customers cybersecurity concerns regarding the supplier’s services and equipment:

• A Cybersecurity Hygiene. This is a list of security controls hand selected for each supplier, based on supplier the systems sold by the supplier and the markets they serve. Each Hygiene identifies between forty and sixty security controls to be used to harden the system and reduce the threat of a cyber attack being successful. These controls conform to requirements of the U.S. government’s NIST Cybersecurity standards, GDPR, California Consumer Privacy and ISO 27002 framework. These mark a new consideration in establishing the market value of commercial properties.

• A 3-plus hour preparedness curriculum for each Hygiene and each supplier’s field technicians, engineers and project managers. The curriculum is delivered across 20 ten-minute sessions conducted as part of the supplier’s regularly scheduled conference calls and on-premise meetings.

• A standard and effective response to IT security questionnaires that is beneficial to both property managers and the suppliers.

• Recommended contract language that assures both the supplier and the property’s management about commitments and limitations on liability. This language is verified by five cybersecurity attorneys as a sound starting point for building system contracts.

• A dedicated Chief Information Security Officer (CISO) for the supplier, available for at least 4 hours per month, with the potential to extend the hours or expand to other branches.

Stage 3. Cyber Team and Supplier

A dedicated CISO engages with senior management and other key managers of the supplier for at least 4 hours per month for 4 to 6 months, subject to a project agreement between the supplier and the Cyber Team. The CISO prepares and submits a preliminary Cyber Hygiene and conducts a review-and-revision process to identify a version acceptable to the supplier. The CISO conducts the 20 ten-minutes sessions, while following a similar process with the contract language and other deliverables. The CISO also provides ad hoc guidance to supplier on general cybersecurity concerns and will accept extensions to the scope of work based on mutual agreement with the supplier.

Stage 4. Cyber Team and Property Asset Manager

The Cyber Team supports needs of the Property and Asset Manager (Asset Manager) in creating an initial stream of revenue. This support includes facilitating the supplier’s delivery of their enhanced cybersecurity practices, including working with IT and legal. In addition, the Cyber Team initiates the use of a Finder’s Fee Agreement with the Asset Manager, sharing the revenue received from the suppliers. This begins a transition plan whereby the Asset Manager’s personnel gradually assume a bigger role with the suppliers, tenants and tenants’ suppliers, and consequently, increased revenue. The Finder’s Fee Agreement will contain terms and conditions that govern the relationship between the property and the Cyber Team, such as transition of both services and revenue from the Cyber Team to property management, access to the facility, tenants, standards of care, insurance coverage, term and termination, etc. The Cyber Team is available for related cybersecurity services as mutually agreed.

Stage 5. Asset Manager and Suppliers

The Asset Manager will gradually acquire sufficient ability to take advantage of this new stream of growing revenue by providing services to existing suppliers for annual updates of their Cyber Hygiene, onboarding new suppliers, suppliers of new tenants, preparedness of suppliers’ new hires, etc. A property with 40 tenants is likely to have a sufficient number of suppliers to generate approximately $500,000 of potential annual revenue, based on suggested pricing of $7,800 per supplier for the initial NeverCry Cyber Defense and $700 for annual updates, fees for other services such as preparing new employees, expanding NeverCry to the supplier’s other branches. A property with a single, large corporate tenant creates somewhat different opportunity and should be discussed with Fortium.

Fortium's Cyber Team

The services provided by the Cyber Team referred to above, could be obtained from several cybersecurity firms. The supplier referenced in the notification to suppliers, is Fortium Partners, a national firm with approximately 100-plus CIOs and CISOs. In the case where an Asset Manager seeks a professional services firm, it should meet with the following standards:

•Experience working with integrators in the IT supply chain, cybersecurity, IoT devices including building controls
•Experience with the NIST Internal Report 8228 for securing IoT devices and protecting data privacy
•Understand the cybersecurity considerations of various building systems, which often operate outside of the Ethernet band
•CIO’s and CISO’s available on staff to serve as CISOs for suppliers of building systems
•Prepared contract language for either construction or IT projects
•Experience working with property management and facilities

Most properties have hundreds and, sometimes, thousands of devices connected to building systems, all creating back doors that enable cyber attacks on sensitive data, because building system suppliers frequently pay too little attention to securing the solutions they install and service. Cybersecurity is a growing concern that will continue for many years until we all recognize that cyber attacks are not always initiated against Ethernet systems and are not always in search of data. Cyber attacks often threaten human life and safety. This is a career opportunity for Asset Managers, to create a success story based on managing cybersecurity to increase a property’s revenue and earn bragging rights that can fuel dramatic career advancement.

For More Information, Contact The S4 Group

To discuss how we can work together to secure your assets, email Steve, or call 801-621-1970.

About Dr. Joel Rakow

Joel helps system integrators and their customers secure, buy, sell and implement solutions, making the IT supply chain stronger and able to conduct business more easily. It all starts with each party embracing its own cybersecurity hygiene.

Joel Rakow is a Partner with Fortium Partners, LP, a firm comprised of over 80 of the world's foremost CIOs and CISOs. Dr. Rakow's current thought leadership in cybersecurity, data protection, data privacy addresses IT suppliers and their customers, frequently as part of Ingram Micro's Professional Services Group, was recently awarded a contract for building control contractors serving 120 universities, colleges and school districts in New Jersey, and other Fortium clients. Dr. Rakow frequently serves as a part-time CISO for system integrators assisting them turn the cybersecurity challenge into one of their biggest assets. Rakow’s client experience he garnered with more than sixty Fortune 1000 and emerging, start-up companies.

Rakow is a former adviser to the Secret Service, the LA Electronic Crimes Task Force, a member of the FBI InfraGard, Adobe Software’s Advisory Council, and the Receivers Team for the Courts of CA. He has provided executive and technical leadership for more than 100 enterprise deployments of security systems and platforms. Included in this is work with SSP Litronics, a firm that secure communication between the White House and the DoD, and ICANN, arguably the most secure site in Southern California. He developed more than 40 commercially successful software programs and won numerous industry awards including Microsoft Partner of the Year, PC World Best Product of the Year (three consecutive years) and Microsoft's Implementation of the Year. He is a Harvard University Postdoctoral Fellow, National Science Foundation Fellow, Phi Beta Kappa award winner.

Rakow has extensive experience with security across health care systems, software development, identity management and smart card design, manufacturing, office systems, with deployments ranging from GDPR, NIST, CIS, HIPAA, FERPA, SOX, and others. He is the originator of the NeverCry Cyber Defense for the IT supply chain.

About Fortium Partners

Fortium is a national firm of 80-plus technology executives who have held the position of CISO or the CIO managing cybersecurity in a nationally prominent organization. These organizations include Harvard, Google, Apple, Western Digital, Campbells, Danone, Dunn and Bradstreet, Allstate Insurance, LA Department of Water and Power, and many others. Fortium Partners is the originator of the NeverCry Cyber Defense for Building Control Contractors and champions enhance security practices in the IT supply chain.

Footnotes:, July 10, 2018

IoT Signals report: IoT’s promise will be unlocked by addressing skills shortage, complexity and security, Jul 30, 2019

Palo Alto Networks, Unit 42, March 2020,

IBM Security, February 2020 (Attacks on Enterprise IoT,, Page 9

Other Note:

The NeverCry Cyber Defense for Building Controls embraces and is consistent with the NIST IR 8228 and 800-171. For more information on the details of the NeverCry Cyber Defense use the link below.