In our Podcast series “Sh*t You Wish Your Building Did!”, Memoori explores the intersection between technology and commercial real estate through interesting conversations.
We need to talk about Cyber Security for Commercial Buildings! Why? Because a growing number of insurers are excluding cyber events from their policies and many building owners could be self-insuring but don’t even know it. We talk to Rob Murchison, Co-Founder of Intelligent Buildings, who shares his in-depth knowledge.
Memoori: Hello everybody, welcome back to Sh*t You Wish Your Building Did. This is the podcast where technology experts tell you how to make your building smarter. Today we are speaking to Rob Murchison, co-founder of Intelligent Buildings, a US-based real estate advisory firm. We need to talk about cyber security insurance for commercial buildings. Why? Because a growing number of insurers are excluding cyber events from their policies and many building owners could be self-insuring but don’t even know it. So stick around for this important conversation with Rob. If you’re serious about making your commercial building smarter, then you are in the right place. Every episode we talk to an expert in the field and discuss practical business advice on how to implement technology in your buildings, and if you like what you hear, don’t forget to subscribe to the channel and like the episode. You’ll be notified when we publish new content. So let’s go. Rob, welcome to the podcast. Let’s kick it off: tell us a bit more about Intelligent Buildings.
Rob Murchison: Well, I’m a principal and a co-founder of Intelligent Buildings, and what Intelligent Buildings does at its core is we increase the availability of building systems within the built environment through a comprehensive set of managed services that we offer anywhere in the globe. Our heritage is also that we are a Sherpa, if you will, for those occupiers and landlords who are wanting to go down the journey, as most people are these days, of how do I take my built environment and make it smart in a purposeful way. So we’ve been doing this for the better part of the last two decades all over the globe.
Memoori: I like that, Sherpa. I remember that one, good stuff. So I asked you today, I wanted us to have a kind of in-depth conversation on cyber security. So just to kick things off, how would you describe the current state of cyber security as it relates to building technology?
Rob Murchison: Wow. I mean, in a lot of cases, just non-existent, I hate to say. But I think it’s important to put that in a little bit of context, if you will. It’s good to sort of look back in time, say to the late 80s, when I was graduating from high school. I’m not... were you born yet, Jim? Yeah, because it’s been quite a transformational time. In the late 80s this digitization of the built environment was just beginning, and it was done because automation could happen at a local level. The cloud wasn’t around, we didn’t have the internet, but we could do automation and enhance the environment itself, specifically around the HVAC, how we controlled that piece of the hot and the cold and the flow there. That piece could be automated because we went from running pneumatics, which most folks don’t really experience unless you’ve sort of hit that hiss on the thermostat, to a digital environment. That wave of DDC that took place in buildings went on well over, or is still going on today, well over a decade, and it was in the late 1990s, 1999 actually, that the first Java-based controller, called a JACE, was introduced into the world of the built environment. All of this was happening with security not even on the radar. It was just about automation and how could we improve the performance of the built environment, specifically, say, around the temperature, managing the air molecules. So that happened and there was no plan, and more and more digitization took place. We then start to see lighting systems and this thing called DALI, which is the lighting systems, go into the marketplace, and then, and it started around 2010, we start to see this evolution of all sorts of digital things, to the point now that whether it’s access control or video surveillance or rainwater harvesting or the clocks on the wall, everything is digital. But it was all done in an unplanned way, for a different purpose.
And then I would say, starting originally with the Target hack, which wasn’t directly to a building control system but used an HVAC vendor, and then Colonial Pipeline, where oil flow stopped here in the United States, it got onto the radar of the traditional enterprise IT folks, and they had a voice at the table and said, holy cow, all this digitization has taken place in our built environment and there was never really a plan, how in the heck do we go put a plan around this? And then, to complicate things, in the past couple of years the cyber crimes, particularly around ransomware, have dramatically increased, and then we had the addition of the Ukrainian war earlier this year, which created even more attacks. And we’re now at a point of realization that digitization in the built environment is full steam ahead, it’s not turning around, but we have this legacy cycle of technology refresh that is literally in some cases decades behind where we are on traditional enterprise IT. We call those technologies operational technologies, versus information technologies. We can get a bit more into this, but the bottom line is that operational technology is something that impacts the physical environment. For buildings, there’s a bigger category called industrial control systems, but for buildings it impacts the environment, and because of that, if they aren’t available, you either get a bad experience or, worse, you can’t have good air quality, or the lights turn off, or the elevator gets stuck. So availability is a lot more important than in the traditional world, where potentially data breaches are.
So I would say that we’re on a journey that’s been accelerated, but the root cause is that it wasn’t planned to go this way or to grow up this way, and now we have digitization all over the place and we have fragmented parties working on it, we have fragmented systems, we have fragmented decision making. I don’t want to sound like a pessimist, but it’s quite a mess, and it’s going to take some time to get it turned around. But it needs to be done for purpose, and I think coming out of the pandemic we are seeing that there needs to be a purpose around digitization in the built environment, and that’s specifically around ESG and experience. So, long answer there.
Memoori: Fantastic summary, covering 30 years in two minutes, great stuff. I couldn’t agree more with what you said, and I would add to that as well: I think a lot of what’s happening in terms of ransomware attacks and cyber security also isn’t reported. So I think probably the situation is worse than people actually realize, because we’re not seeing the full impact. We wrote an article about this as part of the research that we’ve done recently. Obviously, for reputational purposes, people don’t want to promote the fact that there has been a cyber issue or a ransomware attack, for example. One really interesting thing, something you said to me which I think is fascinating, and I’ll read it back to you now: “Most of the industry is probably self-insuring and does not know it, while at the same time doing very little to mitigate the actual risks.” I think that’s a great statement, and really in two parts, right, some of which we’ve kind of covered and we’ll go into in a minute with mitigation. But describe to me what’s going on with insurance at the moment.
Rob Murchison: Well, it’s a double whammy, if you will. Forget this operational technology, IT thing I was talking about a second ago. Cyber in general, and the calls for cyber insurance, really due to people and how they react to phishing attacks, it has skyrocketed. It’s just extremely expensive. And then when you go and look at our world, the built environment, commercial real estate, that world, to your point, goes unreported 95 percent of the time because of the brand risk associated with saying my building was attacked. All that is happening, and insurance rates, mainly because of cyber and some natural disasters as well, are going up. And if you have a 250 million euro asset and you’ve got to insure it in some way, if your insurance is doubling in cost, it really affects your pro forma. And so what is happening is, because when you get insurance you don’t get a 10-year insurance contract, because the landscape changes, insurance is renewing, say, on an annual basis. And as these renewals come across and the prices are changing, the carriers are realizing that there is a risk that they’re insuring against that they don’t understand, they don’t know. And so what happens to the insured is that riders are getting inserted into these new insurance contracts and they’re not insured anymore. It’s not because the carriers are trying to do something in a malicious way, they’re just saying, I don’t understand the risk, therefore I’m not going to insure that. So, back to that statement that you read: the owners, the landlords of buildings, in a lot of cases, just because of education or a lack of awareness, if you will, are not insuring the HVAC, the lighting, the elevator and all these control systems, because it’s being excluded for the reasons I just described.
Memoori: And what are you advising your clients to do, the building owners and operators, about this?
Rob Murchison: Figure out what you got. I mean, I can’t say it any simpler. The first step in solving this problem is to understand it, and in order to understand it you’ve got to have an inventory, if you will, of what lies in your built environment and the digital footprint of that, which also then allows you to understand what your attack surface, to use a techie term, looks like, so you can get your arms around it. So, number one thing, and we worked with many clients on this, some ten thousand buildings in some cases: figure out how to go get an accurate inventory of your existing building systems. The good news, Jim, is that AI, artificial intelligence, those types of technologies have evolved and it can help automate a lot of that inventory. It doesn’t have to be a 100 percent manual process.
Memoori: Also, I mean, specifically about insurance: if you have a client who has gone and looked at their insurance and they’re saying, actually, we’re not covered for this, what can they do about that? Can they go back to the insurer and say, do you have a separate policy for this, or do they have to go to someone else to get that cover?
Rob Murchison: There are a couple of tiers there. There are companies that just offer cyber, okay, and then there are companies underneath those companies, if you will, on certain layers, that focus on the building system side of things. But if you’re going to go down that path, which you should because you need some type of insurance, they are going to ask sooner rather than later, what am I insuring? And of course, if you don’t know, then they’re not going to touch you. Yeah, but it makes logical sense, and so I think there’s a growing number of landlords that are realizing that, and therefore they’re looking for cost-effective ways to not only know what I have right now but also what do I do. Because you can never prevent... to be clear, there’s no magic answer to preventing a cyber event. If someone wants to break in, they’re going to break in, the bad guy will figure it out. But if that happens, you need to have a quick path to recovery. And so simple things like making sure your systems are backed up, or making sure the software, the firmware on these devices is current, or is there an overall policy that your vendors, the different fragmented vendors that work on your buildings, are following. Doing some simple things like that can, not mitigate, which is completely get rid of, but can do some compensating controls so that you minimize your risk exposure.
Memoori: Absolutely fantastic advice there. We were talking about mitigation, and you’re saying, you know, know what you have on your network. And again, something that came up in our research and that you’ve talked a lot about is network scanning, and you’ve talked as well about this difference between passive and active scanning of networks. Can you describe that for us, and what you’re advising your clients?
Rob Murchison: We are getting a bit technical, yes, but it’s important. So one of the misunderstandings, and quite frankly a frustration point, between traditional enterprise IT, I call it the all-digital mindset, and the facilities or the operational technologies, that stuff that impacts the physical environment, is that everything should be IP everywhere. So you and I are thousands of miles apart, talking over the internet, flowing lots of bits of data, but the amount of data that we’re flowing is probably an order of magnitude higher than what an HVAC system needs to operate in a building, because there are just a few data points versus video and sound and all that stuff. But the mindset from the traditional IT folks is that, well, I can do this, you mentioned this active and passive, I can just do this active thing and I’ll go scan the entire building system network to go get that inventory, if you will, and I’ll do some quick analysis of it like I do for my PCs and my printers and my wireless access points, and there’s this thing called SNMP, Simple Network Management Protocol, and that’ll fix it. We can point to dozens of situations where that active scan took place on building systems, which, by the way, we talked about having been evolving from digital since the late 1980s, 1989, and that in some cases still exist in the building because of the life cycle of these things, and when they do that, the system breaks. And it happens over and over again. We have customers where that unfortunately happened in a new construction building just about to open up, and they spent hundreds of thousands of dollars repairing the building systems because they did this active scan on building system devices that just can’t take that much data. So in order to go get that inventory, and to go do that at scale, you can’t go out there and query, because that’s what kills things. You have to just listen, and that’s what a passive scan is. A passive scan is just listening to that existing network traffic and then using the AI that I talked about earlier to go look at the signatures of the data, the passive, and build and continue to build a library, so you can go recognize, based on just how the device is talking, what type of device that is. And that is how you go get inventories without breaking your building systems. It’s really important.
Memoori: That’s great, and actually it’s not something I think that gets talked about that much, so I think it’s really something that people can take away from this conversation, at least if it comes up with your team in the future, that’s something to consider. And something in the research that we’ve done which I think is interesting, and we’re talking a lot about mitigation of this risk: we know we can’t completely stop cyber attacks, it’s not possible, these things happen, it’s about mitigating the risk. But what I see sometimes is that there really isn’t a willingness to take this subject on, to really tackle it as an industry. And I think it’s one or two things. One, people don’t really understand it and therefore are a little bit afraid of it. So what I think I’m saying here is it’s really not a technical problem, or not just a technical problem, it’s also a people problem, right?
Rob Murchison: For sure, for sure.
Memoori: What can we do to kind of move this forward, at least to get people talking more about cyber security and being more proactive instead of reactive?
Rob Murchison: Well, there’s carrots and there’s sticks. I mean, I hate to break it down to those two simple words, and I would say the smart building movement in general has generally been carrot-led for a long time, just something I should do, but it had some optionality to it. Because of the current global economic environment, there are, I would say, three market forces that are accelerating the need to go deal with the cyber security problem. The first one we talked about: insurance. My insurance rates are going up, and I’m not just making up numbers, my insurance rates are going up by a thousand euros, but I could pay a hundred euros and get it to only go up by 500 euros. So that situation, which is playing out more and more, is saying, okay, it’s a simple ROI equation. But that’s just to mitigate this digital fragmentation mess, I’ll call it, that’s happened over the past 30 years. The two other forces that are really driving this, and they’re somewhat combined, is that I have to hit ESG goals. ESG is regulated in much of Europe, in the UK, now it’s coming to the United States, it’s happening in Australia. So in order to meet my goals, which are regulatory driven, I need to get data out of this asset. If I’m going to get data on this asset, I’ve got to make sure that it’s not going to negatively impact my operations. So that’s the second one. So we have insurance and we have ESG. The third one is built on those other two, and that is the great reoccupation of the office, or going back to retail, or hospitality, vacancy, room per rooms going up, whatever that is: we’ve got to offer a better experience to the folks that are within that built environment, and that requires a heck of a lot of data interaction. In the office world we’re calling that experiential leasing, and the need to have destination worthiness for the physical office itself. But because of that data need, and when you combine that with part of the experience being ESG and risk mitigation, they all are sort of coming together to drive a more holistic view of, I’ve got to get data out of my building, but at the same time I need to reduce the risk. And I’ll close that by saying the trend, and we’re seeing this happen more and more, is that the occupant who is renewing their lease, who is likely shrinking their footprint while wanting to create destination-worthy space, is asking for access to that base building system. And by them asking for access to that base building system, where we already said I’m not even sure what’s already in there, it is creating a really interesting conversation that drives us back to: okay, let me understand what I’ve got. I know I can’t get rid of all the risks, but at least let’s make sure my systems are backed up, I’m keeping my firmware current, and I’m making sure there’s policy that my vendors are complying with, so they don’t introduce even more risk into my environment.
Memoori: Yeah, some fantastic points there, and it’s really interesting to see these different dynamics at play. You covered a lot of topics there that all play into this ecosystem, don’t they?
Rob Murchison: Yeah, and I think that’s part of the problem: we’re looking for a hammer to drill down the nail when we need a dozen different tools and a lot of different understanding. And I don’t want to get political, because different folks have different views here, but I mean, it’s pretty much scientifically proven that we’ve got to reduce our carbon emissions. I think Bill Gates says we’re at 51 billion tons of carbon that are getting emitted every year. If we don’t take technology and apply it to what we’re trying to get done, we’re not going to get there. And by applying technology, that means we have opportunity, but we’re introducing risk, and we’ve got to mitigate those risks. In fact, I saw a visual this morning I can share with you, and it talks about the impacts of different areas, of sectors of our economy, built environments, energy and so forth. And this particular graphic said that the built environment is responsible for over 20 percent of the carbon emissions, yet, back to this digital divide of folks not understanding the problem, over 40 percent of VC investments goes to mobile, mobility apps, and hardly anything is going to the built environment at scale right now, because they can’t find the right decision maker and they aren’t solving the right problems.
Memoori: Really good point. We’re coming to the end of the conversation now. Out of all those things that we’ve discussed, is there one thing you want people to take away from this discussion?
Rob Murchison: Wow, that’s a tough one, because it’s such a multi-faceted, fragmented problem, and I think maybe it’s two things. One is, and I like to play on these words, this is a complex problem, not a complicated one. By that I mean that a Tesla is a very complicated car system, but the inputs usually, almost always, produce the same outputs. In a complex world, the world that we live in, because there’s people in our built environments, there’s a lot of unknowns, and so that means that the inputs don’t always get you the same outputs, and the common denominator is this thing called people. So the first thing that you need to be aware of is that the technology is there, the innovation, if you will, is there to overcome this problem, but getting your people up to speed is important. The second piece, and probably if there is a simplification of it, this is it, is that there are organizations, we’re one of them, there are internal groups and other organizations as well, that have looked at the problem around keeping the systems available inside the built environment and also creating ways to quickly recover them, that, if you will, can offer a comprehensive set of managed services that have a degree of automation to them that you can apply across your built environments. And, this is back to the techie thing, it doesn’t require that you have to re-IP address anything in your building, because of advances in technology. So, two things: this is a complex issue and people are at the core of it, that’s the scary part. The good news is that you can do something starting tomorrow or today, by looking internal to your organization and saying I need a set of managed services, or, if your organization isn’t quite as big, you can turn to firms like ours to provide that managed service.
Memoori: Awesome, that’s a great summary, thank you. And on that last point, if they want more information about Intelligent Buildings, what’s the best way to reach out to you guys?
Rob Murchison: Well, we’re pretty easy. It’s long, but it’s our name, so it’s intelligentbuildings.com. Just sort of a funny story about that: when we first started out the organization, intelligent buildings, that industry, didn’t exist, and we paid a whopping five thousand dollars to go get that domain name at the time. It’s now the name of an industry. Yeah, the money was spent there, hopefully that’s money well spent.
Memoori: Good stuff, Rob. Thank you so much for today, I really, really appreciate your time and I thought it was a very interesting conversation. Thanks again.
Rob Murchison: Thank you for the opportunity, Jim. Bye.