When You Can't Remediate Every Device, the Network Becomes Your Defense: Hines's Case for Fixing the Infrastructure First
The standard advice for OT security is to patch and upgrade your devices, but sometimes the cost of touching a device outweighs its benefits.
For example, upgrading a Windows 2000 machine running a BAS server can trigger a $600,000 controls replacement. For buildings with tight budgets and aging infrastructure (which describes the majority of the commercial real estate market) that math doesn't work. The device stays. So the question becomes: how do you protect it?
The answer for Hines Real Estate and its network management partner, Montgomery Technologies, is to improve the network, not the devices. A properly configured next-generation firewall doesn't just block threats from outside the building. It stops threats that originate inside too. When a user downloads a file, the firewall scans it in a sandbox before it executes. Client isolation prevents devices from communicating with each other unless explicitly authorized. A legacy server that can't be patched can still be protected by controlling what can reach it.
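To make the "control what can reach it" idea concrete, here is an added example (not Hines's or Montgomery Technologies' configuration) that models the policy as a small decision function: a flat network where every building device can reach the legacy BAS server, beside the segmented policy with client isolation and an explicit allowlist. The addresses, the operator workstation and the ports are assumptions chosen for the illustration.

```python
"""Model of 'fix the network, not the device' for an unpatchable BAS server.

Constructed example: addresses, the operator host and ports are assumed,
not taken from any real building network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BUILDING_NET = ip_network("10.50.0.0/24")   # assumed building OT VLAN
BAS_SERVER = ip_address("10.50.0.20")       # assumed legacy Windows 2000 BAS host
MGMT_HOST = ip_address("10.50.0.5")         # assumed authorized operator workstation

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

# Explicit allowlist of (src, dst, dport); anything else toward a building
# device is denied. Ports are assumptions for the example.
ALLOW = {
    (MGMT_HOST, BAS_SERVER, 3389),    # operator remote desktop to the BAS server
    (MGMT_HOST, BAS_SERVER, 47808),   # BACnet/IP from the operator host
}

def decide_flat(flow: Flow):
    """Weak baseline: a flat building network with no isolation.
    Any device inside the VLAN can reach any other, including the BAS server."""
    src = ip_address(flow.src)
    if src not in BUILDING_NET:
        return False, "deny: outside source"
    return True, "allow: flat network"

def decide_segmented(flow: Flow):
    """Hardened policy: client isolation plus allowlist for the legacy server."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # 1. Nothing outside the building reaches any building device.
    if src not in BUILDING_NET:
        return False, "deny: outside source"
    # 2. Only explicitly authorized flows may reach the legacy BAS server.
    if dst == BAS_SERVER:
        if (src, dst, flow.dport) in ALLOW:
            return True, "allow: allowlisted"
        return False, "deny: not allowlisted for BAS server"
    # 3. Client isolation: building devices do not talk to each other
    #    unless an allowlist entry says so.
    if dst in BUILDING_NET:
        if (src, dst, flow.dport) in ALLOW:
            return True, "allow: allowlisted"
        return False, "deny: client isolation"
    # 4. Egress leaves through the firewall (file sandboxing is out of scope here).
    return True, "allow: egress"
```

Run the two functions over the same flow, for instance a compromised workstation in the VLAN trying to reach the BAS server on an unlisted port, to see how the segmented policy denies what the flat network lets through.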
That is the approach Hines and Montgomery Technologies have applied across a large commercial portfolio: fix the network infrastructure first, and let it carry the security load for devices that aren't feasible to touch. "The network, if you can't get to remediating all devices, is a way of ensuring those devices, even if they're vulnerable, can't be accessed by outside parties," said Joe Gaspardone, COO of Montgomery Technologies.
The same logic shapes how the building network should be structured relative to corporate IT. Hines typically keeps building networks completely separate from corporate systems, with each building functioning as its own island: all connectivity is tied to the asset, not the owner's enterprise. When a building changes hands, a properly air-gapped network travels with the asset cleanly, without untangling corporate IT infrastructure in the transaction.
Getting ownership to fund this work is its own challenge. A converged, managed network eliminates the need to order new circuits for each system added to a building, resulting in savings of $5,000 to $100,000 per project in Hines's case. The security benefit and the OpEx reduction come from the same investment.
For buildings where a full device remediation isn't on the table, the network is where the protection lives.
This is a great piece!
I agree.