Cyber Security & the Construction Industry
Why Cyber Security Matters
Historically, construction has not been high on the list of targeted industries. Attackers generally aim for industries that hold sensitive and personal data, which are more lucrative. However, in recent years the trend has moved towards the construction industry, with several high-profile successful cyber attacks causing delay, business disruption, financial impact and reputational damage.
The extensive use of sub-contractors and suppliers, involving large numbers of high-value payments, makes construction businesses an attractive target for spear phishing: attackers send a targeted email that pretends to be from a legitimate organisation, in an attempt to trick the construction business into paying money into a criminal’s account.
Although construction businesses don’t store the same kind of financial information a bank does, they still store (and have access to) valuable data. Criminals could be looking for details about the company’s next bid (or building design) in order to gain an unfair advantage. Cyber criminals might be looking for sensitive employee data, like national security numbers, bank account numbers and payroll data, in order to engage in identity theft or to craft realistic, authentic-looking emails for phishing attacks.
Investment in cyber defences has not been at the forefront of leaders’ minds in the construction industry. This is largely due to fewer mandatory regulations and guidance, and partly due to the lack of compelling reasons for boards to invest in cyber defences. The chance of an attack has been lower than in other industries and hence did not justify the return on investment.
Attackers have now turned their attention to construction companies as their defences are not as mature. Furthermore, the financial rewards are becoming more lucrative as many construction companies are embarking on digital transformation programs and rapidly increasing their digital footprint and therefore attack surface.
Regardless of the size of your construction company, the information you hold is of value to a criminal. Although they may not target your business directly, it is all too easy to be damaged by phishing emails that cyber criminals send out to millions of businesses.
Whether you lose money, data or are hit by a ransomware attack you need to ask yourself these questions:
- Can you afford a temporary shutdown of your business whilst the breach is investigated, and systems are recovered?
- Could you afford the reputational damage to customers and your broader supplier and partner ecosystem?
- Does your IT provider or team have a comprehensive Incident Response plan in the event of a cyber attack?
Government mandates and cyber regulations for construction industry
The ACSC advises all Australian businesses to mature their cyber security posture by implementing the ACSC Essential Eight.
Construction companies must take cyber security seriously, as it is a matter of when, not if, they will be attacked.
The ACSC has prepared its Essential Eight strategies to help businesses protect against and mitigate a cyber attack; however, we recommend you go above and beyond this.
The ACSC Essential Eight is made up of eight mitigation strategies divided across three primary objectives:
1. Prevent Cyberattacks
Protecting internal systems from malicious software attacks such as ransomware, malware and other cyber attacks.
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
2. Limit the extent of Cyber Attacks
Limit the penetration or expansion of a cyber attack by remediating all security vulnerabilities so hackers cannot exploit them.
3. Data recovery & system availability
Support the business, in the event of a cyber incident, to recover and restore operations quickly.
- Daily Backups.
Top 10 most common cyber attacks for construction companies
1. Ransomware
Ransomware has emerged as a dire cybersecurity threat to the construction industry, posing significant risks to project continuity, data integrity, and financial stability. In a ransomware attack, malicious software encrypts a company’s valuable data, rendering it inaccessible until a ransom is paid to the attackers for a decryption key. In the context of the construction sector, where projects are time-sensitive and rely on seamless data access and collaboration, ransomware attacks can lead to severe disruptions.
Construction companies often handle a vast array of sensitive data, including project blueprints, design plans, financial records, and proprietary information. A successful ransomware attack can cripple ongoing projects, compromise intellectual property, and potentially expose client data, leading to financial losses, reputation damage, and legal ramifications.
Ransomware attacks typically exploit vulnerabilities in software, weak security practices, or through phishing emails that trick employees into downloading malicious attachments or clicking on malicious links. Once the ransomware infiltrates the system, it rapidly encrypts data, leaving the company in a precarious position – pay the ransom and hope for a decryption key, or restore from backups and potentially incur significant downtime.
To defend against ransomware threats, construction companies must adopt a multi-faceted approach. Regularly updating and patching software, including operating systems and applications, helps close vulnerabilities that attackers exploit. Strong email security measures, such as filtering out suspicious attachments and links, can minimize the risk of ransomware entering the network.
Having robust data backup procedures is essential. Regularly backing up critical data and ensuring that backups are stored offline and securely can enable companies to recover from a ransomware attack without having to pay the ransom.
Employee education is a linchpin in ransomware defense. Regularly training staff on recognizing phishing attempts, practicing safe online behavior, and reporting suspicious activities can thwart the initial vectors of ransomware attacks.
By proactively addressing ransomware threats, construction companies can protect their critical data and operational continuity. Employing a combination of technical defenses, employee education, and comprehensive backup strategies, construction companies can reduce the risk of falling victim to ransomware attacks and maintain the security and integrity of their projects and sensitive information.
2. Business Email Compromise (BEC)
Business Email Compromise (BEC) has emerged as a significant cybersecurity threat within the construction industry, exploiting trust and authority to deceive employees and partners into performing unauthorized actions or divulging sensitive information. BEC attacks involve cybercriminals impersonating key figures within a company, such as executives, project managers, or vendors, to manipulate victims into transferring funds, revealing financial information, or sharing sensitive project details.
In the construction sector, where projects involve numerous stakeholders, collaboration, and financial transactions, BEC attacks can have dire consequences. Cybercriminals meticulously research their targets, often leveraging publicly available information, to craft convincing emails that appear legitimate. They may instruct employees to transfer funds for fake project expenses or redirect payments to fraudulent accounts, causing financial losses that can disrupt projects and harm the company’s bottom line.
BEC attacks come in various forms. CEO fraud involves impersonating top executives to request urgent financial transfers. Vendor email compromise targets construction companies’ relationships with suppliers, convincing them to change payment details to fraudulent accounts. Spear phishing, a subtype of BEC, targets specific individuals with personalized messages, often making it harder to detect.
Mitigating BEC risks in the construction industry demands a combination of technical and human-focused strategies. Implementing email security measures, such as anti-phishing filters and email authentication protocols like DMARC, can help identify and block suspicious emails. Multi-factor authentication (MFA) adds an extra layer of protection by requiring additional verification steps beyond passwords.
However, the human element remains critical. Training employees to recognize the signs of BEC attacks, scrutinize email addresses, and verify requests for sensitive actions can significantly reduce the risk. Encouraging an open culture where employees feel comfortable reporting suspicious emails can also help in early detection and response.
By adopting a proactive approach that combines technical safeguards and employee education, construction companies can defend against BEC attacks and protect their financial resources, sensitive data, and operational integrity.
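As an added example (not code from the original article), the checks described in this section can be sketched in Python: it reads the DMARC verdict recorded by the receiving mail server, compares the From and Reply-To domains, looks for near-miss vendor domains, and spots payment-change wording. The vendor domains, keyword list, action names and sample messages are constructed assumptions.

```python
"""BEC triage sketch (added example; vendors, keywords and messages are constructed)."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains of suppliers the business really pays (constructed values).
KNOWN_VENDOR_DOMAINS = {"acme-concrete.example", "northside-steel.example"}
# Assumption: wording that signals a request to redirect a payment.
PAYMENT_CHANGE_TERMS = ("bank details", "new account", "account has changed")


def domain_of(header_value):
    """Lower-cased domain of the address in a From or Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def dmarc_result(msg):
    """DMARC verdict from Authentication-Results; trust only your own gateway's header."""
    for value in msg.get_all("Authentication-Results", []):
        for part in value.split(";"):
            part = part.strip()
            if part.startswith("dmarc="):
                return part[len("dmarc="):].split()[0].lower()
    return None


def body_text(msg):
    """Lower-cased text/plain content of the message."""
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    return b"\n".join(parts).decode("utf-8", "replace").lower()


def bec_flags(raw_message):
    """Return the list of BEC warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    flags = []
    if dmarc_result(msg) != "pass":
        flags.append("dmarc_not_pass")
    if reply_dom and reply_dom != from_dom:
        flags.append("reply_to_mismatch")
    if from_dom not in KNOWN_VENDOR_DOMAINS and any(
            edit_distance(from_dom, known) <= 2 for known in KNOWN_VENDOR_DOMAINS):
        flags.append("lookalike_domain")
    if any(term in body_text(msg) for term in PAYMENT_CHANGE_TERMS):
        flags.append("payment_change_request")
    return flags


def triage(raw_message):
    """Map flags to an action: quarantine, verify out of band, or deliver."""
    flags = bec_flags(raw_message)
    if "dmarc_not_pass" in flags or "lookalike_domain" in flags:
        return "quarantine", flags
    if flags:  # authenticated mail can still come from a compromised vendor mailbox
        return "verify_out_of_band", flags
    return "deliver", flags


# Constructed sample messages.
SPOOFED = """\
Authentication-Results: mx.builder.example; spf=pass; dmarc=fail header.from=acme-concrette.example
From: Acme Concrete Accounts <accounts@acme-concrette.example>
Reply-To: acme.accounts@freemail.example
Subject: Updated remittance information

Our bank details have changed. Please use the new account for invoice 1042.
"""
COMPROMISED_VENDOR = """\
Authentication-Results: mx.builder.example; spf=pass; dkim=pass; dmarc=pass
From: Acme Concrete Accounts <accounts@acme-concrete.example>
Subject: Remittance update

Please note our account has changed; new details are in the attached PDF.
"""
LEGITIMATE = """\
Authentication-Results: mx.builder.example; spf=pass; dkim=pass; dmarc=pass
From: Acme Concrete Accounts <accounts@acme-concrete.example>
Subject: Invoice 1042

Invoice 1042 for the slab pour is attached. Terms are the same as last month.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("compromised", COMPROMISED_VENDOR),
                      ("legitimate", LEGITIMATE)):
        print(name, triage(raw))
```

The second sample passes every authentication check yet still asks for a payment change, which is why technical filtering has to be paired with a verification step carried out by staff.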
3. Supply Chain Attacks
Cybercriminals target vendors, subcontractors, or partners to gain access to the construction company’s network or data. Supply chain attacks have become an increasingly prevalent and concerning issue within the construction industry’s cybersecurity landscape. As construction companies collaborate with numerous vendors, subcontractors, and partners, their digital supply chains have expanded, creating new avenues for cyber threats. A supply chain attack occurs when malicious actors target a company’s partners or suppliers to gain unauthorized access to their systems or data.
In the construction industry, where projects are intricate and multifaceted, the reliance on various stakeholders is critical for successful project completion. However, this intricate network also introduces vulnerabilities. Cybercriminals exploit weaker links in the supply chain to infiltrate the main target – construction companies. These attacks can have far-reaching consequences, compromising sensitive project plans, proprietary designs, financial data, and potentially causing project delays and financial losses.
In a supply chain attack, an attacker might compromise a vendor’s system, using it as a stepping stone to breach the construction company’s network. This could lead to unauthorized access, data breaches, or the introduction of malware that can disrupt operations. The interconnectedness of modern construction processes, including Building Information Modeling (BIM) and real-time collaboration tools, exacerbates the risk by increasing the number of potential entry points.
To mitigate supply chain attacks, construction companies must prioritize cybersecurity not only within their own infrastructure but across their entire ecosystem. This involves thorough due diligence when selecting partners, ensuring that security practices align with industry standards. Regular security assessments and audits of partners’ systems can help identify vulnerabilities. Collaboration should extend to sharing threat intelligence and best practices with partners to collectively strengthen the supply chain’s cybersecurity posture.
Ultimately, securing the construction industry’s supply chain demands a holistic approach that integrates robust cybersecurity measures throughout the interconnected network of stakeholders. By addressing vulnerabilities, fostering a culture of security awareness, and maintaining a proactive stance, construction companies can safeguard their operations, protect sensitive data, and ensure the seamless execution of projects even in the face of evolving cyber threats.
4. Credential Theft
Credential theft has emerged as a significant cybersecurity concern within the construction industry, posing threats to sensitive project data, financial information, and operational integrity. Construction companies, like other sectors, rely heavily on digital systems and networks to manage projects, collaborate with partners, and store crucial information. However, this increased digital presence has also made them vulnerable to credential theft, where malicious actors gain unauthorized access by stealing login credentials.
In the context of the construction industry, compromised credentials can have severe consequences. Project plans, blueprints, financial documents, and proprietary designs are valuable assets that need safeguarding. Cybercriminals can exploit stolen credentials to gain entry to project management platforms, cloud storage, and communication tools, potentially leading to data breaches, intellectual property theft, and even project disruptions.
Phishing remains a common method for credential theft. Cybercriminals send deceptive emails that appear legitimate, tricking employees into revealing their usernames and passwords or clicking on malicious links. Additionally, weak password practices, such as using easily guessable passwords or reusing them across multiple accounts, create vulnerabilities that attackers can exploit.
To counter credential theft, construction companies should implement robust security measures. Employee education is crucial – training staff to recognize phishing attempts and adopt strong password practices can significantly reduce the risk. Multi-factor authentication (MFA), which requires an additional verification step beyond a password, adds an extra layer of security, even if credentials are compromised.
Regularly monitoring network activity and leveraging advanced threat detection tools can help identify suspicious behavior indicative of credential theft attempts. Moreover, access controls should be finely tuned to grant employees only the privileges necessary for their roles, limiting the potential impact of a compromised account.
The construction industry’s digital transformation brings immense benefits, but it also necessitates a proactive approach to cybersecurity. By prioritizing employee training, implementing MFA, enforcing robust password policies, and embracing advanced security solutions, construction companies can better protect themselves against the growing threat of credential theft and maintain the security of their valuable project data and intellectual property.
5. Denial of Service attack (DoS)
Denial of Service (DoS) attacks pose a significant threat to the construction industry’s digital operations, potentially disrupting critical processes and causing project delays. In a DoS attack, cybercriminals flood a company’s network, website, or online resources with a massive volume of malicious traffic, overwhelming the system’s capacity to handle legitimate requests. This leads to service unavailability, rendering crucial tools and communication channels inaccessible.
For the construction industry, where projects are time-sensitive and rely on seamless communication and collaboration, DoS attacks can be highly damaging. Online project management platforms, real-time collaboration tools, and communication channels are integral to coordinating construction tasks, sharing updates, and making prompt decisions. An attack that disrupts these services can cause delays, miscommunication, and hinder productivity, potentially leading to financial losses and reputation damage.
The motivations behind DoS attacks can vary. Competitors, hacktivists, or malicious actors seeking ransom may launch these attacks to gain a competitive advantage, express grievances, or extort companies for financial gain. Even though the attacker’s goal might not be to steal data, the impact on a construction company’s operations can be severe.
To mitigate the risks of DoS attacks, construction companies must adopt proactive cybersecurity measures. Implementing robust network infrastructure, capable of handling increased traffic loads, can help absorb the impact of potential attacks. Cloud-based solutions can also distribute the load and provide scalability during traffic spikes.
Investing in intrusion detection and prevention systems can help identify and thwart DoS attacks in real time. Regularly updating and patching software, especially for operating systems and security software, can address vulnerabilities that attackers exploit. Collaborating with internet service providers (ISPs) and security experts to develop response plans for potential attacks is also crucial.
The construction industry’s digital evolution is essential for efficiency and competitiveness, but safeguarding against DoS attacks is imperative to maintain uninterrupted project operations. By understanding the risks, implementing preventive measures, and having contingency plans in place, construction companies can bolster their cybersecurity posture and ensure the smooth progress of projects even in the face of potential cyber threats.
6. Malware Infections
Malware infections pose a substantial cybersecurity risk to the construction industry, potentially jeopardizing critical project data, sensitive financial information, and operational continuity. Malware, short for malicious software, encompasses a range of harmful programs that cybercriminals use to compromise systems and gain unauthorized access to sensitive data.
In the context of the construction industry, where digital tools and platforms are integral to project management, design, and communication, a malware infection can have severe consequences. Malware can infiltrate systems through various vectors, including email attachments, malicious downloads, or compromised websites. Once inside, it can steal project plans, proprietary designs, and financial data, leading to data breaches or intellectual property theft.
Ransomware, a type of malware, is particularly concerning. It encrypts a company’s data and demands a ransom for its release, potentially disrupting ongoing projects and causing financial losses. The interconnected nature of construction processes, including Building Information Modeling (BIM) and real-time collaboration tools, provides numerous entry points for malware, further highlighting the urgency of cybersecurity.
To defend against malware infections, construction companies must adopt comprehensive security measures. Regular employee training on recognizing phishing attempts and avoiding suspicious downloads is critical. Utilizing robust endpoint security solutions, including antivirus and anti-malware software, can provide a crucial defense layer.
Implementing a strong patch management strategy is essential to keep operating systems and software up-to-date with the latest security fixes, minimizing vulnerabilities that malware exploits. Application whitelisting, which allows only approved applications to run, can thwart unauthorized and potentially malicious software from executing.
In addition to preventive measures, having a well-defined incident response plan is crucial. This plan outlines the steps to take in the event of a malware infection, facilitating quick containment, data recovery, and minimizing the impact on ongoing projects.
As the construction industry continues to embrace digital technologies, the risks of malware infections must be addressed with vigilance. By adopting proactive cybersecurity strategies, educating employees, and establishing robust defense mechanisms, construction companies can protect their sensitive data and maintain uninterrupted project operations, even in the face of evolving cyber threats.
7. Insider Threats
Insider threats pose a unique and often underestimated cybersecurity risk within the construction industry. These threats stem from employees, contractors, partners, or anyone with authorized access to an organization’s systems, who intentionally or inadvertently compromise security. Given the collaborative nature of construction projects and the sharing of sensitive data, insider threats can have profound consequences on project integrity and confidentiality.
Construction companies rely on the expertise and contributions of a diverse group of stakeholders, often granting them access to critical project plans, proprietary designs, and financial information. However, this openness can create opportunities for insider threats. Malicious insiders might intentionally leak sensitive information to competitors, steal valuable intellectual property, or disrupt operations. Meanwhile, unintentional actions, such as sharing login credentials or falling victim to phishing attacks, can also lead to security breaches.
The interconnectedness of modern construction processes amplifies the risk of insider threats. Collaboration platforms, shared databases, and real-time communication tools facilitate information exchange but can also serve as potential entry points for unauthorized access.
Mitigating insider threats demands a multifaceted approach. First, robust access controls should be in place to limit employees’ and partners’ access to only the data and systems essential for their roles. Regular security awareness training can educate personnel about cybersecurity risks, including the importance of safeguarding sensitive data and recognizing social engineering attempts.
Implementing user behavior monitoring and analytics can help identify unusual or suspicious activities that might indicate insider threats. Encouraging a culture of transparency and reporting can empower employees to raise concerns about potential threats without fear of reprisal.
Ultimately, preventing insider threats requires a combination of technical measures and a strong organizational culture focused on security. By fostering awareness, enforcing strict access controls, monitoring user behavior, and having a clear incident response plan in place, construction companies can effectively address the risks posed by insider threats and safeguard their projects, sensitive data, and reputation.
8. Social Engineering
Social engineering has emerged as a significant cybersecurity challenge within the construction industry, exploiting human psychology to manipulate individuals into revealing sensitive information, granting unauthorized access, or performing actions that compromise security. In an industry that relies heavily on collaboration, communication, and trust among stakeholders, social engineering attacks can exploit these dynamics to gain unauthorized entry and compromise valuable project data.
In the construction sector, social engineering attacks can take various forms. Phishing, for instance, involves sending deceptive emails that appear legitimate, often tricking employees into clicking malicious links, downloading malware, or divulging login credentials. Spear phishing targets specific individuals, using tailored information to increase credibility and likelihood of success.
Pretexting is another form of social engineering where attackers create a fabricated scenario or pretext to elicit sensitive information from individuals. In the context of construction, an attacker might impersonate a colleague, vendor, or partner to obtain project details or financial information.
Baiting involves enticing individuals to take actions that compromise security, often by offering something enticing like free software downloads or USB drives with malware.
Social engineering exploits the human factor, making it challenging to fully defend against. Employee training is a crucial defense. Regularly educating personnel about the tactics used in social engineering attacks can empower them to recognize red flags and adopt a skeptical mindset when encountering unusual requests or scenarios.
Establishing strict verification protocols for sensitive actions, like fund transfers or data access, can add an additional layer of security. Encouraging open communication among team members about potential threats or incidents can help quickly identify and mitigate social engineering attempts.
The construction industry’s fast-paced and collaborative nature can sometimes make it susceptible to social engineering attacks. However, by fostering a culture of security awareness, implementing stringent verification processes, and investing in ongoing employee training, construction companies can bolster their defenses against social engineering and safeguard their valuable project data and intellectual property.
9. Unpatched Software Vulnerabilities
Phishing attacks have emerged as a significant cybersecurity concern within the construction industry, exploiting human vulnerability to trick individuals into revealing sensitive information or performing actions that compromise security. In an industry that relies on effective communication, collaboration, and trust among stakeholders, phishing attacks leverage these dynamics to gain unauthorized access to valuable project data and financial information.
In the construction sector, phishing attacks can take various forms. Cybercriminals send deceptive emails that appear legitimate, often impersonating colleagues, vendors, or partners to create a sense of urgency or credibility. These emails typically contain malicious attachments or links that, when clicked, lead to the installation of malware or the redirection to fake websites designed to capture login credentials.
The construction industry’s digital transformation, with increased reliance on email communication and online project management platforms, provides ample opportunities for phishing attacks. Malicious actors exploit the busy nature of construction projects and the desire for seamless collaboration to deceive employees.
Mitigating phishing risks in the construction industry demands a multi-pronged approach. Employee education is paramount – regular training on recognizing phishing attempts, scrutinizing email addresses, and avoiding suspicious downloads can significantly reduce the risk. Encouraging a cautious mindset and promoting a culture where employees feel comfortable reporting potential phishing incidents is essential.
Implementing technical measures is equally crucial. Email filtering solutions can identify and block malicious emails before they reach recipients. Multi-factor authentication (MFA) adds an extra layer of security by requiring an additional verification step beyond passwords.
Construction companies should also establish clear protocols for verifying sensitive actions, such as fund transfers or sharing project details. Regular security audits and assessments can identify vulnerabilities and potential entry points for phishing attacks.
In the construction industry’s dynamic environment, safeguarding against phishing attacks is essential to protect sensitive project data and maintain smooth operations. By prioritizing employee education, deploying robust technical defenses, and fostering a security-conscious culture, construction companies can effectively mitigate the risks posed by phishing and ensure the integrity of their projects and data.
How cyber attacks are challenging the construction industry
There are three key stages in the construction process: design, construction and handover. All involve extensive digital workflows, so all of them are at risk.
The risk covers everything from the computers, phones and tablets used to access emails, to the essential software used to process and store information, to sophisticated site equipment and digital-based systems installed within buildings. And of course, throughout the entire construction process, you’ll need to manage and protect your business information (including client, staff, and project information).
The early stages of the construction process, such as the tender process, will generate, for example, detailed quotes and signed contracts. A cyber attack at this stage might prevent a business from being able to win current tenders for work, and impact future opportunities. (1)
1. Design Stage
The design stage is mostly carried out digitally and there are a number of different software tools used during this stage.
- CAD and 3D modelling
- Collaboration tools for sharing project information
- Simulation packages to assist in structural and other specialist engineering roles
- Common Data Environments (CDE) for the sharing of data with third parties
- Servers and Data Centres for the storage of information
These digital tools introduce cyber security risk and give an attacker an opening or vulnerability to exploit. To reduce that risk:
- Software must be up to date, including proactive patching
- Quality policies around who has access to data with Identity & Access Management
- Monitoring for ransomware and malware proactively with Endpoint Detection & Response (EDR)
- Cyber risk assessment with a quality managed cyber security provider.
2. Construction phase
The construction phase requires a larger more mobile workforce using more materials and equipment and interaction with third parties. As the complexity and scale of the project increase, teams will naturally focus on project deliverables and deadlines. Cyber security is often on the backburner.
The following digital systems are often used during this stage:
- BMS – Building management systems
- BACS – Building automation and control systems
- BEMS – Building energy management systems
- IACS – Industrial automation and control systems
During the construction phase it is critical to:
- Secure construction sites and high-end equipment. Equipment can be a target both for resale and for any data it stores.
- Secure surveying tools, cameras, tablet computers, lifting equipment and suchlike, to prevent theft of the equipment and of any data stored on it.
- Efficient onboarding and offboarding of project personnel (ensuring they are removed from systems and access as soon as they leave a project)
3. Handover phase
On completion of the project, there may be installed building management systems. It is critical these are handed over to the client so they can secure the building and any digital-based systems it may contain.
The installed systems will depend on a project’s nature and use, but may include combinations of the following:
- lighting automation and control
- heating, ventilation and air conditioning (HVAC)
- fire, smoke detection and alarms
- motion detectors, CCTV, security and access control
- lifts and escalators
- industrial processes or equipment
- shading devices
- energy management and metering
KMT MANAGED CYBER SECURITY FOR CONSTRUCTION
Protect your business from a cyber threat with our managed cyber security solution
Construction companies must prioritise a cyber security strategy including complying with the Essential Eight and more.
Kaine Mathrick Tech will help your business achieve Maturity Level one, two or three of the ACSC Essential Eight and go a step further.
We recommend that all security, IT and business leaders think about their cyber security even more holistically and take it further by considering these additional services, which are part of our managed cyber security offering:
The NIST framework
We also follow the well known NIST framework to build and manage our cyber security programs. Developed by the National Institute of Standards and Technology, this framework provides a common set of standards for businesses to use when building a cyber security program.
There is no one silver bullet for business leaders of construction firms; however, important factors in reducing cyber risk include meeting the requirements of the ACSC Essential Eight Maturity Model, achieving management support and fostering a cybersecurity culture.
A risk assessment should be performed to identify the cyber security vulnerabilities. Risks should be quantified and explained in simple language to top level management to ensure business cases can be understood, reviewed and approved.
A comprehensive cyber security strategy and implementation plan helps ensure that the firm has the most appropriate people, processes and technology in place to help mitigate cyber risks.
Firms should also have an incident response plan that is regularly tested to ensure the impact of a successful cyber-attack is minimised.
- “New guidelines to safeguard the construction sector” Source: https://www.computerweekly.com/news/252513797/New-cyber-guidelines-to-safeguard-construction-sector
- “Australian organisations encouraged to urgently adopt an enhanced cyber security posture” Source: https://www.cyber.gov.au/acsc/view-all-content/alerts/australian-organisations-encouraged-urgently-adopt-enhanced-cyber-security-posture
- “Russia’s invasion raises the cyber stakes for Australian business,” Source: https://www.researchgate.net/figure/Average-downtime-for-data-recovery-for-cloud-versus-non-cloud-users-26_fig6_342154295
- “Federal Government spices up $9.9B cyber investment”. Source: https://www.arnnet.com.au/article/696672/federal-government-spices-up-9-9b-cyber-investment
- “Gartner Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem”