Welcome to our Case Study series, where we dive into case studies of real-life, large-scale deployments of smart building technologies, supported by the Nexus Marketplace.
I emphasize “real life” because this isn’t a marketing fluff story. We're here to share real lessons from leaders who have done the work to integrate smart building technology into their operations. I also emphasize “large scale” because we're not here to talk about pilot projects. We're here to talk about deeper commitments to changing how buildings are operated.
---
In the Nexus Labs Buyer’s Guide to the Network Layer, we reviewed the history of networks within buildings. The 2010s and 2020s could be referred to as the Internet of Things Era. While the 90s and early 2000s brought us broadband and ubiquitous WiFi, the recent decades have been a mad dash to connect every electronic device to the internet. In commercial buildings, the network of connected devices that operate the building is referred to as the operational technology (OT) network, in contrast to the information technology (IT) network that most people are familiar with.
But while cloud-connected operational devices have revolutionized our ability to operate buildings, they have also introduced a massive rise in cybercrime: more connected devices equals more opportunities for bad actors to get into the network.
The estimated yearly loss due to cybersecurity crimes in 2025 will be $10.5 trillion worldwide, and the average cost of a data breach will be nearly $5 million. The increase in cybersecurity crime and network-connected devices has created a flywheel effect that building owners simply can’t ignore: cybersecurity must be addressed.
BGO (BentallGreenOak) is a real estate investment company with over $82 billion in assets under management and 27 offices worldwide. With such a diverse profile geographically and by building vertical, BGO is naturally a target for cybersecurity attacks.
BGO has been forced to create robust standards and best practices for OT data in addition to IT data so that data is not siphoned, risks don’t become reality, and reputation isn’t lost. BGO has become an industry leader in the field of cybersecurity, all based on a uniform and well-adopted set of processes and procedures for bringing buildings up to a cybersecurity benchmark.
BGO was established in 2019 as the merger of two well-respected real estate companies, Bentall Kennedy and GreenOak Real Estate. They have 750+ clients and partners and focus on real estate investment, lending, management, and leasing across multiple building verticals of commercial real estate.
We sat down with Ben Cooper, Director of Property Technology at BGO, to learn more about how BGO has become a leader in cybersecurity for commercial real estate. Cooper entered the built environment industry in the luxury home technology space. After that, Cooper worked at QuadReal on the IT side of the business, strengthening his expertise in commercial building networking. In January of 2022, Cooper found himself leading the focus on cybersecurity at BGO.
Cooper recapped how corporate vulnerability to cyberattacks hit the mainstream in 2014, when Target famously had the data of over 70 million customers breached. The attackers got access by using stolen vendor credentials on an IoT device. Cooper expanded on what else attackers can do when accessing the OT network:
“You’re looking at potential criminals accessing your core systems. The possibilities are endless with what they can do from there: turn off elevators, put inappropriate stuff on your digital signage, not to mention siphoning of data and reputational damage. There’s definitely a lot of risk there.” – Cooper
The number of vendors accessing portions of the OT network sharply increases the associated risk. Vendors have historically accessed the OT network through classic virtual private networks (VPNs) and port forwarding for remote access. While these can be practical tools for remote access to a secure network, if vendors are not given policies by the building owners, they will simply complete the job they’re given, typically installing their own network line with full management. To name just a few of the risks associated with no vendor network access policy:
Cybersecurity has historically been a topic many building owners don’t openly discuss. Experts commonly talk about the threats but don’t always explain what building owners should do to avoid them. But the script is flipping on that industry norm, Cooper explains: “In the last year, I’ve noticed that the conversation around cybersecurity is growing quite organically and evolving… we’re getting approached proactively by property management teams who want to follow the cybersecurity standards. Whereas before, you would see properties do this all on their own.”
The openness of teams to discuss and develop a cybersecurity strategy revolves around the ROI. Cybersecurity targets used to be ambiguous; the goal was simply to avoid breaches. However, with more statistics about the cost of these significant breaches becoming available, teams can start to develop an equation. Cooper brought an example from a converged networks standpoint. Assessing and converging the OT networks in a commercial building can be ballparked at a cost of $100k - $300k, but the average data breach cost is $5 million. “The cost of a converged network is peanuts compared to having an open door for attackers,” says Cooper. When the cost risk is added to the potential reputational risk, major companies' C-suites are starting to see the value of a cybersecurity strategy.
With the risk and state-of-the-industry well defined, we had Cooper dive into what BGO has done to develop a thorough cybersecurity strategy that effectively protects BGO, specifically regarding operational technologies.
It shouldn’t be a surprise to the Nexus Labs community that an effective smart buildings program starts with stakeholder engagement. This was precisely the case for Cooper and his team. BGO started by engaging IT colleagues, property managers, and other stakeholders to define some of the more vague questions around cybersecurity strategies. For example, do all networks have to be converged? What does it mean for you to have a standardized building network? Different building types and ownership models govern what can and cannot be done from a network infrastructure perspective, so BGO needed to develop a flexible approach and definition of success for each building to keep everyone on the same page.
With the formation of a strategy in place, Cooper emphasized the importance of getting ahead of the next building. Policies become baked into contracts with vendors and passed along to property teams so that any future work has cybersecurity standards as an inherent part of the project.
After the strategy and associated policies were ironed out, Cooper expanded on the importance of the network assessments.
“Go to the sites, make a template, and collect as much information as you can so that you understand your options…You have to do your due diligence before you start looking at the technologies and the physical deployment of that technology. I think the due diligence process is often understated when deploying cybersecurity.” – Cooper
Whether done internally or using a third-party network administrator, developing a clear network topology and asset inventory of the connected devices is crucial to a successful deployment. Understanding how converged or independent your connected devices are is especially important. If systems are independent, getting everything behind a universal firewall and access point may be too big of a lift. Cooper brought up the example of a building automation system (BAS) and lighting control system (LCS) on independent networks. When assessing the amount of data going in and out of each system, it made sense for BGO to prioritize the protection of the BAS with the available budget.
As BGO assesses buildings and determines the best solution, implementation becomes a mixture of hardware devices and software platforms that enhance cybersecurity. The device BGO uses is essentially a black box that physically plugs into the building network. The black box and respective software offer a multitude of cyber protection features to BGO:
The cybersecurity hardware/software combination is based on SASE and zero trust architecture, which are essential to understanding the overall product approach.
SASE stands for secure access service edge. For our technical audience, the SASE framework combines VPN and SD-WAN capabilities through a cloud-based security function that has zero-trust network access baked in. More generally, SASE is a newer networking concept that combines security and speed to allow users to connect directly to cloud-based applications. Many applications accessed via a VPN have latency issues for the users, making remote work more difficult. However, SASE allows users a faster and more reliable connection, especially for content-rich applications like BAS graphics.
Zero trust architecture is relatively self-explanatory: the system assumes zero trust of anyone accessing the network. Cooper explains, “Access is given on a need-to-know basis.” The network administrators can define access per user at a highly granular level. For example, a building operator may only work on two buildings in a ten-building portfolio; they can be given access to just those two buildings. Beyond that, perhaps that operator only works on the BAS. They can be limited to only accessing the BAS, not the CCTV or security data and applications. Even further, let’s say the operator hires a vendor to support an issue on the BAS for only one month; the vendor can be limited to one month of BAS access. Finally, the network admin can view the audit logs to see what actions the vendor took during the one month of access to two of the buildings' BAS applications. In this example, the operator and vendor must continually provide multi-factor authentication so that users do not stay logged in by default. This level of granular permissions and auditing of user actions gives an IT/OT team significantly better control of what is occurring.
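The scoping described above, as an added example that is not part of the original article and is not BGO's or its vendor's implementation: a default-deny check that limits each grant by building, system and time window, requires a recent MFA check on every request, and records every decision for audit. The user names, building IDs, dates and the 8-hour MFA window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy value: how old an MFA check may be before it must be repeated.
MFA_MAX_AGE = timedelta(hours=8)


@dataclass(frozen=True)
class Grant:
    """One scoped permission: who, which buildings, which systems, and when."""
    user: str
    buildings: frozenset
    systems: frozenset
    not_before: datetime
    not_after: datetime

    def denial_reason(self, building, system, now):
        """Return None if this grant covers the request, else why it does not."""
        if building not in self.buildings:
            return "building_out_of_scope"
        if system not in self.systems:
            return "system_out_of_scope"
        if not (self.not_before <= now < self.not_after):
            return "outside_time_window"
        return None


@dataclass
class AccessBroker:
    """Default-deny decision point that records every decision it makes."""
    grants: list
    audit_log: list = field(default_factory=list)

    def authorize(self, user, building, system, action, now, last_mfa):
        allowed, reason = self._decide(user, building, system, now, last_mfa)
        # Denied attempts are logged too; they are often the interesting ones.
        self.audit_log.append({
            "time": now, "user": user, "building": building,
            "system": system, "action": action,
            "allowed": allowed, "reason": reason,
        })
        return allowed

    def _decide(self, user, building, system, now, last_mfa):
        # MFA freshness is checked on every request, so no session stays
        # trusted by default. A timestamp in the future is rejected as well.
        if last_mfa is None or last_mfa > now or now - last_mfa > MFA_MAX_AGE:
            return False, "mfa_required"
        reason = "no_grant"
        for grant in self.grants:
            if grant.user != user:
                continue
            reason = grant.denial_reason(building, system, now)
            if reason is None:
                return True, "granted"
        return False, reason

    def actions_by(self, user, start, end):
        """Audit query: everything a user attempted in [start, end)."""
        return [e for e in self.audit_log
                if e["user"] == user and start <= e["time"] < end]


def build_sample_broker():
    """Constructed sample mirroring the article's scenario: an operator scoped
    to two buildings' BAS, and a vendor with one month of the same access."""
    two_buildings = frozenset({"BLDG-03", "BLDG-07"})
    return AccessBroker(grants=[
        Grant("operator.a", two_buildings, frozenset({"BAS"}),
              datetime(2024, 1, 1), datetime(2025, 1, 1)),
        Grant("vendor.hvac", two_buildings, frozenset({"BAS"}),
              datetime(2024, 3, 1), datetime(2024, 4, 1)),
    ])


if __name__ == "__main__":
    broker = build_sample_broker()
    now = datetime(2024, 3, 15, 9, 0)
    mfa = now - timedelta(minutes=5)
    broker.authorize("vendor.hvac", "BLDG-07", "BAS", "edit_setpoint", now, mfa)
    broker.authorize("vendor.hvac", "BLDG-07", "CCTV", "view_camera", now, mfa)
    for entry in broker.actions_by("vendor.hvac",
                                   datetime(2024, 3, 1), datetime(2024, 4, 1)):
        print(entry["time"], entry["system"], entry["action"],
              "ALLOW" if entry["allowed"] else "DENY", entry["reason"])
```
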
Historically, vendors of smart building products will provide their own gateway as part of the solution to getting their product information and control into the cloud. When dozens of vendors implement their solution into a building, you can end up with an IT room full of redundant gateways, all doing nearly the same thing, each for an individual application. This not only adds hardware (cost) and complexity to the building but also uses more energy and produces more heat.
When BGO began implementing a single cybersecurity hardware solution, this device allowed connection to any web application, eliminating the need for redundant gateways. Cooper elaborated, “As long as the vendor has a cloud version of their application, we can connect to it. With the SASE model, there are encrypted secure tunnels that allow us to go worry-free connecting to a cloud app and eliminate that on-prem hardware which clutters up mechanical rooms”. Edge computing devices are typically used as this universal gateway based on their ability to reap the benefits of cloud computing and on-prem computing. Rather than each application relying on its own physical devices to provide computing, application-agnostic edge computing devices can consolidate multiple apps into one device.
The converged networks and edge compute capabilities that BGO is creating also help accelerate the adoption of new technologies for each building. BGO can deploy new technologies on top of the existing network infrastructure and avoid new on-prem hardware.
“We built ourselves this very nice future-proof platform, that whatever comes, we’re ready to deploy it and the uplift is going to be very minimal.” – Cooper
As for how BGO plans to expand its smart buildings on top of this robust platform, Cooper mentioned that they are focused on any applications that can help reduce operational costs. One example is an AI overlay to their CCTV application. This reduces the operational costs of security, allowing the AI to be responsible for always watching all cameras. It can detect emergencies like fires faster than other systems and automatically dispatch 911.
The result of a robust cybersecurity program is as straightforward as it gets: BGO has avoided any serious threats to its network and, therefore, avoided the average $5 million cost per data breach and the reputational baggage that goes along with it.
A more measurable achievement is the adoption and change management of the new program. Building operators in an extensive portfolio of buildings like BGO’s may have many different tools, procedures, and styles. It can be challenging to have a corporate team enforce standards that affect the work of people who are shielded from the bigger picture.
Cooper’s team is proud to have a 70% adoption rate of their new cybersecurity platform throughout their facilities. They credit much of this adoption to the benefits of operating off a SASE platform. Many of their operators have struggled with the latency of working with traditional VPNs, and this new, more secure remote access doubles as a higher-performing and quicker-loading solution. Additionally, the new platform allows operators to work more efficiently from a mobile device, a massive improvement for fleet workers who are commonly on the move.
Cooper mentioned that BGO has also placed a large emphasis on training and context, making sure that operators know why BGO is deploying this new technology and how to use it. That includes training operators on the two-factor authentication tool, so it becomes second nature rather than a nuisance.
These case study articles aim to share success stories in a way that can benefit similar building owners by helping them make accelerated decisions toward improved tech. Cooper was willing to share the largest obstacles to getting to where they are today, hoping other building owners could benefit from the shared knowledge.
All good smart building programs start with stakeholder engagement. In the case of BGO’s cybersecurity program, integrating the IT team early on was paramount to the project's success. A converged OT network often becomes a gray area of responsibility between facilities and IT, two groups that never seem to communicate enough. Getting the IT team to agree to the strategy across the portfolio and building by building was the most effective way to improve the security of the OT networks.
You will waste time attempting to implement cybersecurity solutions if you don’t understand the building. Cooper brought up the example of triple-net lease buildings in BGO’s portfolio. In triple-net leases, the tenant owns the majority of the systems and equipment within the building. Therefore, the BGO team has no autonomy over the implementation of cybersecurity. Cooper’s team needed to focus on buildings with BGO-owned networks.
Additionally, the on-site assessment can give a status report on how converged a particular building's networks are. For buildings with less converged networks, the OT and IT teams have to discuss and negotiate what networks to converge and what networks to protect.
Cooper described BGO’s cybersecurity strategy as “a never-ending project”. Building owners need to understand that this is not something to set and forget. There are constantly new threat avenues to assess and new internet-connected devices to add to the network. But it doesn’t need to be viewed only as a burden; once the network is set up and the solution is installed, new features are continually added for vulnerability scanning, network configuration, and edge compute. If approached in the correct fashion, keeping up with cybersecurity protection becomes the method by which you make a more useful and advanced network.
Cybersecurity can be thought of as a race. You have to constantly stay at least one step ahead of the criminals who are looking for weak spots within your network to exploit. The only difference is that the criminal may be solely focused on the race while you, as a building owner, are trying to keep the building functional, lower your operational costs, keep tenants happy, stay profitable, etc. Case studies like this one on BGO’s success are an attempt to give the good guy a leg up and demystify the procedures to effectively protect and modernize your network. If you’d like to further your education, we recommend you watch the Buyer’s Guide to the Network Layer, where we break down the buying options and considerations for those getting their cybersecurity programs and OT Networks to the modern age.