Cyber Security & the Construction Industry in 2022
Why Cyber Security Matters
Historically, construction has not been high on the list of targeted industries. Attackers generally aim for industries that hold sensitive and personal data, which are more lucrative. In recent years, however, the trend has moved towards the construction industry, with several high-profile successful cyber attacks causing delay, business disruption, financial impact and reputational damage.
The extensive use of sub-contractors and suppliers, involving large numbers of high-value payments, makes construction businesses an attractive target for spear phishing: a targeted email that pretends to come from a legitimate organisation, sent in an attempt to trick the construction business into paying money into a criminal’s account.
Although construction businesses don’t store the same kind of financial information a bank does, they still store (and have access to) valuable data. Criminals could be looking for details about the company’s next bid (or building design) in order to gain an unfair advantage. They might also be looking for sensitive employee data, like national security numbers, bank account numbers and payroll data, in order to commit identity theft or to craft authentic-looking emails for phishing attacks.
Investment in cyber defences has not been at the forefront of leaders’ minds in the construction industry. This is largely due to fewer mandatory regulations and less guidance, and partly due to the lack of compelling reasons for boards to invest in cyber defences: the chance of an attack has been lower than in other industries, so the investment was hard to justify.
Attackers have now turned their attention to construction companies because their defences are less mature. Furthermore, the financial rewards are becoming more lucrative as many construction companies embark on digital transformation programs, rapidly increasing their digital footprint and therefore their attack surface.
Regardless of the size of your construction company, the information you hold is of value to a criminal. Although they may not target your business directly, it is all too easy to be damaged by phishing emails that cyber criminals send out to millions of businesses.
Whether you lose money, data or are hit by a ransomware attack you need to ask yourself these questions:
- Can you afford a temporary shutdown of your business whilst the breach is investigated, and systems are recovered?
- Could you afford the reputational damage to customers and your broader supplier and partner ecosystem?
- Does your IT provider or team have a comprehensive Incident Response plan in the event of a cyber attack?
Learn more about our Cyber First managed IT services for Construction companies.
Government mandates and cyber regulations for the construction industry
In 2022 the ACSC issued an urgent alert to all Australian businesses to mature their cyber security posture by implementing the ACSC Essential Eight.
Construction companies must take cyber security seriously, as it is a matter of when, not if, they will be attacked.
The ACSC has prepared its Essential Eight strategies to help businesses protect against and mitigate a cyber attack; however, we recommend you go above and beyond this.
The ACSC Essential Eight is made up of eight mitigation strategies divided across three primary objectives:
1. Prevent cyber attacks
Protect internal systems from malicious software such as ransomware and other malware.
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
2. Limit the extent of cyber attacks
Limit how far an attack can spread by removing the footholds an attacker relies on once inside. The ACSC groups the following three strategies under this objective:
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
3. Data recovery and system availability
Enable the business to recover and restore its systems quickly in the event of a cyber incident.
- Daily backups
Is your business compliant with the ACSC Essential Eight?
Take our self-assessment to help you understand your cyber security posture in relation to the Essential 8 maturity model.
Top 5 most common cyber attacks
1. Ransomware
Ransomware is malicious software that infects computer systems and encrypts files, leaving end-users unable to access them until a ransom is paid. It is an ever-evolving form of malware that can render files and entire systems unusable.
Malicious actors continue to adapt their ransomware tactics over time. Federal agencies remain vigilant in maintaining awareness of attacks and associated tactics, techniques and procedures across the country and around the world.
The impact of ransomware is not limited to the payment of the ransom and associated clean-up costs; it may also include reputational damage.
2. Business Email Compromise (BEC)
BEC is often called whaling, spear-phishing or CEO/CFO fraud. The attackers research the victim firm and then target employees with access to company finances. The attacker obtains company funds fraudulently by sending an email purporting to be from a legitimate sender, such as a customer or a trusted company executive.
Attacks are becoming much more targeted. In the past, the same fraudulent email tended to be sent to large numbers of recipients in the hope that a small proportion would be tricked into opening it and either clicking on a link or opening an infected attachment.
Research has found that 77% of business email compromise (BEC) attacks are aimed at employees outside of traditional financial and executive roles. Around one in five involve employees in sales positions.
Email is going to remain an enticing attack vector. For this reason, it’s important for businesses to take all the necessary steps to reduce their vulnerabilities and make 2022 the year that BEC awareness is highlighted within your organisation.
3. Data Breach of Intellectual Property or Personal Data
Construction companies often hold and work with highly sensitive information, such as blueprints or schematics in their Building Information Modelling (BIM) system. A breach of these systems, of other technology devices, or of their vendor supply chain could result in major reputational damage, and in potential regulatory fines and lawsuits where personal data is involved.
4. Supply Chain Attacks
Complex projects in the construction industry pose a particularly high risk of cyber attack, as they often involve multiple entities such as suppliers, contractors and partners. If compromised by an attacker, these entities can be used as a platform or conduit to launch attacks against the target firm’s systems and employees. Such attacks are less likely to be detected because of the trusted relationship between the parties.
Potential impacts are wide-ranging, from disruption and delay to financial loss and reputational damage.
5. Insider Threats
Insider threats include malicious insiders, disgruntled employees, reckless third parties, insider agents, careless employees or compromised employees.
Potential impacts are wide-ranging, as described under 4. above.
How cyber attacks are challenging the construction industry
There are three key stages in the construction process: design, construction and handover. All involve extensive digital workflows, so all of them are at risk.
This covers everything from the computers, phones and tablets used to access email, to the essential software used to process and store information, to sophisticated site equipment and digital systems installed within buildings. And of course, throughout the entire construction process, you’ll need to manage and protect your business information (including client, staff and project information).
The early stages of the construction process, such as the tender process, generate documents like detailed quotes and signed contracts. A cyber attack at this stage might prevent a business from winning current tenders for work and impact future opportunities. (1)
1. Design Stage
The design stage is mostly carried out digitally, and a number of different software tools are used during it:
- CAD and 3D modelling
- Collaboration tools for sharing project information
- Simulation packages to assist in structural and other specialist engineering roles
- Common Data Environments (CDE) for the sharing of data with third parties
- Servers and Data Centres for the storage of information
Each of these digital tools adds cyber security risk and can give an attacker a way in. To reduce that risk:
- Software must be kept up to date, including proactive patching
- Quality policies around who has access to data, enforced with Identity & Access Management
- Proactive monitoring for ransomware and malware with Endpoint Detection & Response (EDR)
- Cyber risk assessment with a quality managed cyber security provider
2. Construction phase
The construction phase requires a larger, more mobile workforce using more materials and equipment, and more interaction with third parties. As the complexity and scale of the project increase, teams naturally focus on project deliverables and deadlines, and cyber security is often put on the backburner.
The following digital systems are often used during this stage:
- BMS – Building management systems
- BACS – Building automation and control systems
- BEMS – Building energy management systems
- IACS – Industrial automation and control systems
During the construction phase it is critical to:
- Secure construction sites and high-end equipment. Equipment can be a target both for resale and for the data it stores.
- Secure surveying tools, cameras, tablet computers, lifting equipment and the like, to prevent their theft and the loss of any data stored on them.
- Onboard and offboard project personnel efficiently (ensuring their accounts and access are removed as soon as they leave a project).
3. Handover phase
On completion of the project, building management systems may have been installed. It is critical that these are handed over to the client so they can secure the building and any digital systems it contains.
The installed systems will depend on a project’s nature and use, but may include combinations of the following:
- lighting automation and control
- heating, ventilation and air conditioning (HVAC)
- fire, smoke detection and alarms
- motion detectors, CCTV, security and access control
- lifts and escalators
- industrial processes or equipment
- shading devices
- energy management and metering
KMT MANAGED CYBER SECURITY FOR CONSTRUCTION
Protect your business from a cyber threat with our managed cyber security solution
Construction companies must prioritise a cyber security strategy including complying with the Essential Eight and more.
Kaine Mathrick Tech will help your business achieve Maturity Level one, two or three of the ACSC Essential Eight and go a step further.
We take a 15-way approach, incorporating additional cyber security strategies to protect your business from cyber threats.
We recommend that all security, IT and business leaders think about their cyber security even more holistically, and take it further by considering these additional services, which are part of our managed cyber security offering:
The NIST framework
We also follow the well-known NIST framework to build and manage our cyber security programs. Developed by the National Institute of Standards and Technology, this framework provides a common set of standards for businesses to use when building a cyber security program.
There is no single silver bullet for business leaders of construction firms; however, important factors in reducing cyber risk include meeting the requirements of the ACSC Essential Eight Maturity Model, achieving management support and fostering a cyber security culture.
A risk assessment should be performed to identify the cyber security vulnerabilities. Risks should be quantified and explained in simple language to top level management to ensure business cases can be understood, reviewed and approved.
A comprehensive cyber security strategy and implementation plan helps ensure that the firm has the most appropriate people, processes and technology in place to help mitigate cyber risks.
Firms should also have an incident response plan that is regularly tested to ensure the impact of a successful cyber-attack is minimised.
Cyber Security Solutions made easy with Kaine Mathrick Tech
- “New guidelines to safeguard the construction sector”. Source: https://www.computerweekly.com/news/252513797/New-cyber-guidelines-to-safeguard-construction-sector
- “Australian organisations encouraged to urgently adopt an enhanced cyber security posture”. Source: https://www.cyber.gov.au/acsc/view-all-content/alerts/australian-organisations-encouraged-urgently-adopt-enhanced-cyber-security-posture
- Source: https://hostingtribunal.com/blog/cloud-adoption-statistics/#gref
- “Russia’s invasion raises the cyber stakes for Australian business”. Source: https://www.researchgate.net/figure/Average-downtime-for-data-recovery-for-cloud-versus-non-cloud-users-26_fig6_342154295
- “Federal Government spices up $9.9B cyber investment”. Source: https://www.arnnet.com.au/article/696672/federal-government-spices-up-9-9b-cyber-investment
- “Gartner Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem”