04 March 2020

Corey Nachreiner, chief technology officer, WatchGuard Technologies

It’s no secret that much of construction has progressed slowly in technology adoption and this applies to cyber security.

Despite this, the industry rarely makes headlines around serious security breaches.

There are a few notable exceptions such as the recent incident at Canadian-based Bird Construction, which had 60 GBs of data stolen.

In fact, recent figures from Allianz Insurance revealed that theft costs UK construction firms £800m a year.

Another report of alarming statistics, insurance provider, Hiscox, stated that last year, 55% of UK firms have faced cyberattacks, with losses amounting to an average of £176,000.

This has proved a wake up call and combined with GDPR, it appears the industry has finally realised the value of its data and the importance of protecting it.

According to UK Government data, between 2018-19, businesses in construction spent on average £3,750 on cyber security.

While not a big number, it is a 188% rise on the previous year.

The industry and its sprawling supply chain face the same threats and vulnerabilities as every other, but there are many areas, particularly around active construction sites, that pose greater cyber risks along with physical security aspects.

For a new construction site, one potential attack vector is the office or offices, temporary bases where developers, engineers and construction managers connect with their organisations and share plans and financial data.

This is also where they set up an IT hub, typically including a cellular or wired internet connection, wireless hotspot, computers and printers.

There may also be workstations with computer-aided design and drafting (CADD) and blueprint software for real-time updates and changes.

This traditional infrastructure presents a ripe target for cyberattacks and the temporary nature of these sites means organisations may not have put in the security controls of permanent ones.

Additionally, security can often be laxer, especially if there is a ‘bring your own device’ policy, allowing workers to access critical systems on their own devices.

In this case, it is important to have a policy requiring passwords and other validation, while mobile devices should always be assessed for vulnerabilities.

Digital plus physical threats 

Another susceptibility is that some forward-thinking construction companies may be undergoing digital transformation and using wireless or cellularly-connected rugged tablets and shared blueprints and plans on digital devices rather than paper.

They could be using drones for site inspections or 3D printers for prototyping.

Today’s cyber criminals already target tablets, smart phones and mobile devices and while attacks on drones or 3D printers aren’t as common, they are possible.

Physical site security is more focused on preventing the theft of equipment and materials than protecting exposed data cables, for example, that could be tapped into to monitor traffic and ‘listen in’. 

Inside an existing building, security controls may get disabled or minimised for workers needing frequent access.

Planting devices or trojans, which would give attackers remote access to the facility once completed, are not common threats, but again are possible.

Motivation

One main motive for targeting a construction site is the theft of intellectual property, such as blueprints which could provide intelligence needed to defeat the physical security in future.

It’s always easier to hack a company from the inside than out. Another could simply be compromising the supply chain to divert payments or extortion via ransomware.

Then there is the targeting of building automation systems being installed in new developments for planting of malicious devices, which then open a backdoor into the future tenant’s network.

Awareness and counteractions 

Better cyber security awareness is an important starting point and should be standard.

Being aware of phishing, other malicious emails and not clicking on every link will significantly improve things.

Understanding the connection between physical and cyber security is also important as cyber attackers often gain access by simply walking through the front door - there is a lot of movement on a building site.

Anyone wearing a hi-viz jacket may be assumed to be there legitimately.

Another thing to look for are malicious requests for wire transfers.

This is an area which has given thieves access to companies and individuals and is of particular interest in construction where multiple bills, invoices and payments permeate.

In these scams, criminals might send phony invoices or calls requesting immediate payment to avoid defaults.

Building on firm foundations

Like any other business, strong cyber security needs to be built on strong foundations.

This should follow the same lines as with any organisation.

Computing devices on site should be secured in the same way as in an office: firewalls should be deployed, along with other network security services, endpoint anti-malware protection, patch software, back up data etc.

New generations of ruggedised appliances from multi-function security appliances to wi-fi access points make this easier, while remote monitoring and management tools allow IT managers to update and monitor alerts without travelling nationwide.

While things are improving, the industry still has catching up to do and there is still a risk that hackers may see the sector as soft targets.

As the housebuilding industry increasingly holds more data on its buildings, suppliers, house buyers and their solicitors, construction certainly needs to invest more in cyber security.