The future of cyber risks in real estate

In the third and final article in their series on the implications of cyber threats in the property industry, Laura Oliver and Seaton Gordon look to the future, and how technology and the associated risks might evolve.

First published in Estates Gazette 30 January 2021

Perceived wisdom dictates that technological advancement follows an exponential growth curve. Twenty years ago, only those at the cutting edge could have anticipated the extent to which technology has embedded itself in our built environment. Astute developers, investors and occupiers will have a keen eye on the next generation of technology, but they will need an equally keen understanding of the cyber risks that are inherent in those advances and how they can be mitigated.

Smart thinking

In April 2020, Forbes published a list of 25 technology trends that would define the next decade. Of particular significance for the real estate industry were (at number two) the “internet of things” and (at number five) intelligent spaces and smart places.

In fact, both of those trends are inherently linked. The IoT is the concept of connecting physical objects embedded with technology to the internet to enable them to connect with other devices and share data over the network without any human input. The IoT enables smart places to operate – from smart homes and smart offices to smart cities.

• Smart homes connect and operate domestic devices including thermostats, lights, security systems and even kitchen appliances. Smart fridges are a good example and are already available on the domestic market. They can track expiry dates, shop for groceries and provide recipes.
• Smart offices enable people to work better and more efficiently and reduce operational carbon. They can inform decisions on optimising space, provide increased connectivity and reduce menial tasks to (so the theory goes) foster greater creativity and innovation.
• Smart cities bring together multiple strands of technology to improve the functionality and efficiency of towns and cities. By constantly monitoring and processing data they can, for example, reduce traffic congestion, streamline efuse collections, control street lighting and even improve air quality.

IoT networks are becoming increasingly vulnerable owing to increased online connectivity, weak security design and the spread of targeted malware. On 29 December 2020, the FBI issued a public service announcement warning users of smart home devices incorporating security cameras and voice capabilities to use complex passwords to protect their accounts. This followed a spate of hacks on such devices, which were then used to record the police arriving at residences in response to the hackers’ hoax calls to the emergency services. The hoax calls suggested an immediate danger or threat to life, so that the police would arrive in force (this practice is known as “swatting”).

The use of smart devices in swatting is a new and disturbing development. It allows the hacker to live-stream the results of the hack, and even interact with the police as they arrive. It is an unintended consequence of poorly secured smart devices designed to do something entirely different – protect a built environment, not endanger it. Where such devices are connected to the internet they provide more access points for a hacker to compromise the central environment, access data or worse. The security of a device is unlikely to be its primary function.

The FBI warning is a salutary reminder that organisations seeking to capitalise on the opportunities presented by automated data gathering, analysis and action cannot assume that any device can be safely integrated into existing systems and left alone. IoT devices are a fundamentally new and different proposition that demand a reanalysis of an organisation’s risk profile and security posture. Security (and privacy) by design is key.

Digital twins

Alan Newbold, Arup’s digital services leader for UKIMEA, believes that the future of the real estate industry will be shaped by digital twins. A digital twin is a digital representation of something physical – in the real estate world, that includes individual systems, buildings or whole cities.

Concepts are tested on digital twins to model their effects, and information gathered is used by digital twins to refine them. Digital twins then inform what happens to their real-life counterparts, to save time and money and to minimise disruption.

Newbold uses the example of traditional maintenance cycles to explain the efficiencies: rather than sending in engineers at fixed intervals to test or repair the mechanical and electrical equipment, the digital twin will model maintenance requirements so that they are targeted, bespoke and efficient. Real-life engineers will only be deployed where the digital twin has flagged a need.

As with all digital revolutions, there are inherent risks involved with digital twins. In particular, if hackers (or disgruntled employees) can successfully access and manipulate the digital twin, they could hold it hostage for a ransom or cause malicious damage in the real world. In addition, the digital twin will have been created using reams of valuable intellectual property and other sensitive data. That intellectual property and data will only be as secure as the digital twin’s security design and related cyber defences.

Given the potential fallout from any cyber event, there are some key legal questions that need to be considered as the use of digital twins becomes more widespread:

• Who is responsible for the integrity of the data that is used to create and manipulate the digital twin, and what duties do they have to ensure that it remains accurate and uncorrupted? 
• Should there be tough financial penalties for those creating, accessing and manipulating the digital twin if, in doing so, they fail to take adequate steps to build into the design all appropriate technical and organisational measures to secure data?
• Given that digital twins are intended to facilitate the whole lifecycle of a building, should contractual liability be equally enduring?
• Does traditional insurance provide adequate cover against the risks?

Those involved in promoting digital twins will need to come to a consensus on these matters, and industry protocols will need to be developed.

Interestingly, because they are intended to be interactive and evolving, digital twins are themselves a useful tool in defending against cyber threats. By modelling different kinds of cyber attacks on digital twins, real-life defence systems and reactions can be refined so that any real-life attack can be dealt with faster and with greater success.

Blockchain

Blockchain is a decentralised, distributed ledger that irreversibly records the provenance and history of a digital asset (including information).

Not so long ago, blockchain was the word on everyone’s lips, but its use in relation to cryptocurrencies seems to have dampened enthusiasm. However, blockchain’s potential should not be written off. In particular, it provides the underlying technology used to power smart contracts. These can automate contractual procedures which otherwise rely on human input and have inherent potential when it comes to construction projects and supply chains.

For example, smart contracts using blockchain can automatically release payments when technology confirms evidence that construction stages have been reached or that services have been supplied. This would minimise the exposure of a construction business to late payments and cashflow risks. Equally, if properly implemented, a blockchain at the heart of a project could be used as the sole reference point for all relevant matters and would ensure increased transparency and consistency of dealings.

While blockchain technology was previously hailed for its inherent security, there have been a number of recent examples which have exposed its vulnerabilities – in particular to the endpoints, such as digital wallets, that operate at the intersection between the digital and real worlds. However, these risks are unlikely to be the main barrier to widespread use of blockchain within the real estate industry. Implementation of digital solutions in what remains a fairly traditional and analogue industry seems a more likely sticking point. People will have to be persuaded that a new way of doing things is worth the uncertainty, let alone the potential risks.

A brave new world?

Those of us who work in the real estate industry enjoy the tangible nature of it, and that can sit slightly uncomfortably with the new technology that is moulding our built environment. Talk of cyber threats does nothing to alleviate those concerns, but must be addressed. The good news is that organisations can be pragmatic about the way forward. Hackers will always seek out the most vulnerable prey, so provided that an organisation has proactively engaged with cyber defence, it is less likely to be targeted.

Newbold says that organisations need to be clear about where cyber risks sit on their corporate risks register and that all organisations should have a chief information security officer, to anticipate and head off threats. He advises that any cyber defence strategy requires a synergy between people, process and technology. If any one of those elements is not robust, the system will be vulnerable.

The reality is that technology is set to change the face of real estate quickly and beyond recognition. As part of that, we will need to learn to live with the inherent cyber risks because, as Newbold observes: “Each new evolution of technology opens up new vulnerabilities, so the risks can never be ‘locked down’.”

Property developers, investors and occupiers have plenty of experience of heading off physical threats to their buildings. We install fire protection equipment and security alarms and we change locks when tenants move on. Cyber defences are no different – they just operate in the digital world, where proactivity is key.