Is the construction sector an increasingly attractive target for cyber criminals?
It could be argued that all sectors provide an increasingly attractive target. Just as criminal gangs evolved from armed robbery to the more lucrative and lower-risk world of drugs, the success of security initiatives in the financial space has led cyber criminals to look at a broader spectrum of targets to attack. The construction industry is increasingly vulnerable due to the uptake of diverse technical initiatives to improve efficiency and reduce overheads.
The construction industry has placed a clear emphasis on physical security for many years. Protecting sites from theft and vandalism has been a clear objective of site security plans, and it is commonplace to find robust physical security planning included at all stages of project planning. It is far less common to see cyber security built in at project inception; cyber security controls are often an afterthought, bolted on late in the project.
Why has the uptake in technology placed the construction industry at greater risk?
Technology has broadened the ‘attack surface’ available to cyber criminals: there are far more opportunities for a cyber criminal to leverage when targeting an organisation or project.
The human element remains a key factor in cyber-attacks. Criminals seeking to inject a malware payload to facilitate attacks such as ransomware are still heavily dependent on the cooperation of an often-unwitting insider to achieve their aims. Cyber criminals rarely attempt to brute-force their way into IT networks. Ransomware attacks such as the recent Colonial Pipeline attack in the US and the Republic of Ireland’s HSE breach demonstrate the success criminals are having in placing malware within the logical security perimeters of organisations.
Construction projects often involve large numbers of employees from disparate contractors, all with varied levels of maturity in terms of cyber security awareness and practice. This workforce is then given access to systems via smartphones, tablets and laptops on sites which lack the level of security control found at a head office or similar location. When policies of ‘Bring your own device’ (BYOD) are added to the mix, the vulnerability to attack methods such as ‘phishing’ via email is greatly amplified.
The introduction of Building Information Modelling (BIM) and Building Management/Automation Systems presents emerging opportunities for cyber criminals to exploit. BIM frequently involves collaboration between clients, consultants, contractors and other stakeholders. The dissemination of sensitive data, including IP and security plans, increases the difficulty of maintaining control of information access. The automation of building management with internet-enabled smart devices presents significant challenges to the sector. The use of an internet-enabled thermostat was pivotal in a cyber attack on a Las Vegas casino, demonstrating the potential use of such devices as a means of access.
The emergence of drone technology has been significant for the construction industry with widespread potential for drones to improve efficiency and productivity. Drones can be utilised for:
- Production of promotional material
- Monitoring and surveillance
Recent military exercises have explored the use of drones for resupply of combat troops. Although current technology limits the payload capacity of the drone, the prospect of drones being used in the actual construction process is very real as payload capacity increases.
Operational costs of procurement and setup provide significant savings over traditional means of accessing difficult or remote areas. Drone usage in the industry is likely to expand significantly over the next decade.
Drones bring new cyber security threats to the industry. The potential litigation and damage to reputation, not to mention the financial impact, of losing control of a drone in a populous area is significant. Some will point to the use of geofencing to provide operational constraints on where a drone may fly, but this depends on the drone being controlled by a compliant operator. Hacks to remove geofencing constraints are readily available online.
Drones can also carry sensitive data. The inspection footage and logs could be useful to a threat actor planning a physical attack on a site. Drone cameras have further implications for privacy, particularly in built-up areas.
What can the industry do to mitigate the risks associated with the changing threat landscape?
The basics of robust cyber security policy and planning remain very important. It is the implementation of policy and practice that needs to be reviewed for scope and applicability. Good practices at the central head office are not going to mitigate risks on the construction site if the same practices are not followed.
There is a great deal of advice online extolling the virtues of security frameworks such as the use of ISO and/or NIST standards or baseline schemes such as Cyber Essentials and Cyber Essentials Plus. These are very good frameworks for establishing a baseline of best practice but are not going to protect against attacks directed at the construction site if their scope ends at centralised functions. It is not uncommon for the construction industry to just roll out policy to construction sites without ever having the sites themselves in scope of security frameworks. This can be due to perceived cost, lack of expertise or simply lack of consensus among disparate contractors around how things should be done. This leaves the sites themselves exposed and vulnerable.
How much visibility of cyber security practice in the supply chain do you have? It isn’t uncommon for organisations to be placing substantial trust in the practices of contractors and suppliers without validating that trust.
Perhaps the single most important step the construction industry can take is to ensure that cyber security is considered at project inception. Incorporating security controls at the design phase of a project is far more reliable and efficient than retrofitting controls once the site is established and construction has commenced. How many construction projects have cyber security ‘gates’ built into the project plan? Is the Chief Information Security Officer (CISO) or Head of Cyber Security involved in construction projects to the same degree as the physical security function? If not, then ask the question: why not?