Cyber security is a growing challenge and the pandemic has amplified the need for the construction sector to have a robust cyber risk strategy.
Modern methods of construction are driving digital connectivity; not only across the construction supply chain to facilitate accurate collaboration but also ‘on site’ as performance, progress, logistics, health & safety and sustainability is monitored in ‘real time’. This increased connectivity has significant benefits and drives value across the capital environment; however, increased connectivity and collaboration will also increase risk, including cyber risk.
A recent Forrester survey (January 2020) revealed that more than 75% of respondents in the construction, engineering and infrastructure industries had experienced a cyber-incident within the previous 12 months.
Huge array of new risks
Construction firms are currently dealing with a huge array of new risks – both on and off site – but it is a sector that has been notoriously slow at identifying and addressing its cyber risk vulnerabilities. There is something of an ‘arms race’ to use and exploit technology to drive value and efficiencies across capital programmes, often without appreciating what risks are being inadvertently introduced into the programme.
Cybercriminals are continually evolving, modifying their techniques to exploit new avenues of attack. The construction industry needs to be equally proactive in its response, looking at the risks holistically and instilling a culture of cyber security in the boardroom, on site and everywhere in-between.
Understanding the impact
Understanding the impact a cyber threat could have would help identify vulnerabilities and better enable the management of a recovery following an attack. A threat can expose all of a company’s digital assets including business plans and acquisition strategies; proprietary construction plans and designs; customer, contractor, and supplier lists and pricing; personally identifiable information (PII) of employees and contractors; protected health information of staff as well as facilities security information. Collaborative working methodologies, such as Building Information Modelling (BIM), can also increase these risks if the international standards are not used as guidance.
As the supply chain creates data-rich, highly visual and virtually navigable models, asset data and information not only increase the asset’s value but can create new risks, or heighten existing ones, by exposing how the asset ‘lives and breathes’. BIM processes force data aggregation which, although it can be of immense benefit across the lifecycle of the asset (in particular design, build and operate), can also create risks that have never been seen before.
Additionally, many construction firms have access to confidential information from third parties. This access is granted under strict confidentiality (non-disclosure) agreements as part of individual construction projects, exposing the firm to contractual penalties should a breach occur.
Project delays and reputation as considerations
With building practices changing and more contractors employing off-site manufacturing (Design for Manufacture and Assembly – DfMA), these contractors and their supply chain hold valuable IP and business-critical information. If this information is in any way compromised, stolen or held to ransom, it can severely interrupt not only the manufacturing and building process but also hit profit margins and cause reputational damage. A ransomware attack might not lead to a loss of information, but by shutting down a company’s computer networks and potentially destroying information, it can cause an enormous amount of lost productivity and business delay. Especially concerning is the potential to cause delays on project sites, where contractors can be financially penalised for delivering projects behind schedule. In addition, the ability of cyber attackers to hijack physical devices – from security cameras to vehicle telematics to industrial control systems – means that there is an ever-increasing risk of property damage and personal injury due to cybersecurity incidents.
A recent article (February 2020) in ‘Off-site’ magazine for the construction trade highlighted an increased prevalence of ransomware attacks in which criminals have attempted to hack into information relating to high-profile buildings or projects, including government buildings, infrastructure (water and power) and military bases – all of which can be sold on lucratively to terrorist or activist groups. In some cases, it isn’t so much about the information as about slowing down the progress of a project. A recent article published in October 2020 in ‘Construction News’ magazine mentioned a ransomware attack on a large multinational contractor that was delivering an NHS hospital project in the UK. The attackers requested different payment methods for each file held to ransom, showing that they were less interested in the information or the ransom money than in slowing down and wreaking havoc on a project of high national importance.
Other common characteristics of the sector include the widespread use of tablets, smart phones or laptops (increasing system vulnerability entry points) combined with a heavy reliance on sub-contractors and transient labour forces – all of which present further entry points for cyber criminals.
Construction is a high-volume, low-margin business whose success depends on the ability to meet project deadlines and contract specifications, and many contractors already experience strains on cash flow. Certain cyber incidents have the potential to impact a company’s ability to meet those goals, causing huge financial penalties that in some cases put strain on the balance sheet.
Base camps are usually set up at locations where workers can access a network to transfer information through portable devices. As many of these locations are temporary workspaces, the network security protocols used in permanent locations might be overlooked. When employees connect to these networks – with company-issued devices or personal ones – they are again exposing critical systems to cyber attacks.
Employees and contractors commonly use project management software as well as BIM processes to track job status and collaborate with external vendors. This data is highly valuable to cyber criminals, so it is imperative for construction companies to take an inventory of this data and know exactly who has access to what, where, how and for what purpose. With the increase in use of cloud platforms and SaaS solutions, data sovereignty is growing in importance. Understanding global data security laws (and, more importantly, what governments are allowed to do with foreign data stored in their country) should inform contracts. But it is not just down to cyber and ‘electronic’ information: physical documents are also still being created, whether as contractual deliverables, for collaboration or as a preferred modus operandi, often without any of the control measures around them, exposing the same level of detail but with no governance to protect it.
Additionally, there is a growing trend among governments towards creating ‘smart cities’. Although the term ‘smart’ is being dropped from the global agenda and is likely to be replaced by ‘intelligent’ or ‘sustainable’, the concept is fundamentally about connecting people, places and spaces and leveraging citizen-centric data to make accurate, informed (potentially automated) decisions. The built environment is central to the success of a smart city but will be enabled by technology; the design, deployment, maintenance and security of the devices that facilitate ‘smart’ need to be thought about with a security-minded approach. The UK’s PAS 185:2017 is a good standard to consult.
Cybersecurity is now a C-suite risk
Cybersecurity is now firmly positioned as a C-suite risk and should be a regular topic of conversation at Board level. By investing the time and resources in creating an effective cybersecurity plan – from educating employees, to creating a prevention plan, to a strategy for after a breach – construction companies can protect themselves from threats and have a plan ready for when the unexpected hits.
Without a proactive stance on cyber security, attacks are inevitable, and it is never easy dealing with a cyberattack while you are compromised. Being cyber aware will help a business prevent, detect and respond professionally and effectively when a cyber attack occurs – and it is never a question of “if” a business will experience a cyberattack, but “when” it will happen.
How fast a business will be able to react and contain a breach can be the difference between survival or not.
Top current cyber threats in the construction sector
- Ransomware – a malicious programme which locks access to company files and data until a ransom payment is made, after which time access may be restored. (There has also been an increasing number of ransomware cases; not only is there a cost associated with paying a ransom to re-access your systems and files, there is no guarantee that access will be restored even after a ransom has been paid, leaving companies at the whim of cyber criminals who demand additional sums.)
- Payment interception – criminals compromise the email account or credentials of an individual inside the organisation to authorise a change to the bank account details for large payments.
- Phishing – malicious emails designed to look like genuine emails which encourage employees to click – infecting their computers in the process.
- Viruses – code which infects computer systems, corrupting or deleting data.
- Hacking – an individual or group attempting to gain access to company systems with the intent to steal or destroy data.
Ways to mitigate cyber-security risk
- Policies and training – Even the best IT can’t prevent human error. It is therefore essential to implement clear policies on cybersecurity basics such as the use of strong passwords, multi-factor authentication, encryption of sensitive data and restrictions on the use of removable media. It is also essential to train employees on best practices, including how to recognise potential phishing emails and how to handle the sensitive information to which they have been granted access.
- Supply chain management – Contracts with subcontractors, suppliers and others are an essential component of mitigating cyber risk. Legal review of business partners’ cyber practices can mitigate the cyber risks associated with doing business with third parties.
- Insurance – Cyber insurance is widely available and can be an effective component of an overall insurance program. Most cyber policies cover the costs of forensic investigation and breach notification associated with a cyber incident. In addition, many other lines of cover, such as Professional Indemnity and D&O, are now actively excluding any type of Cyber cover in order to address silent cyber concerns. Many construction firms are starting to take an interest in Cyber insurance policies as a way to mitigate this exposure.
This is a ‘Point of View’ article and constitutes information only and is not intended to provide advice. Professional advice should always be sought regarding insurance coverage or specific risk issues.