From building neighborhood homes to mile-long suspension bridges, construction is the foundation of the growth and essential to the development and advancement of the country. Because of the importance of the construction industry, it is imperative that we understand the existential threats presented by cyberattacks and cyber criminals to construction companies, contractors, and their employees.

The cyber risks the construction industry is exposed to are a mix of common cyberattacks as well as very niche risks that can permeate every corner of a construction enterprise.

In this article, and in our recent webinar, we explore an overview of cyber risk in the construction sector. 

Cyber Risk Basics for Construction

The construction industry has always inherently had cyber risk. For years, cybersecurity experts have warned contractors that they are targets for ransomware attacks, phishing theft, and data breaches/theft of sensitive information. Today, construction industry industrial espionage and geopolitically driven cyber disruption are on the rise.  

Managed service companies who monitor and respond to cyberattacks have been clear about the significance of the risk to the industry. For example, ReliaQuest’s 2023 Annual Cyber-Threat Report, the construction industry ranked No. 1 on the most-targeted sectors list (followed by transportation) with an average of 226 incidents per year.

As a result, the construction industry has experienced massive losses including stolen or misdirected funds and failed bids due to system interruptions, as well as brand damage to future teaming arrangements, lost contracts, and customer confidence, on top of cascading cyber incident response costs like system restoration and ransom payments.

To put the magnitude of the effects of a cyberattack into context, a large-scale ransomware event has a high likelihood of causing severe disruption across the supply chain and may even impact suppliers or clients if malware is spread outside of the company or confidential data is leaked. The financial impact of an attack of this nature should not be underestimated as a construction company under attack will experience large-scale business disruption, particularly when users are locked out of crucial systems necessary for the progression or completion of a project. Additionally, when a cyberattack leads to a significant delay in project delivery or compromises the supply chain, this could cause considerable reputational damage, particularly if highly sensitive data is leaked. This in turn causes distress and/or financial losses for other businesses or individuals associated with the business.

Why Is the Construction Sector So Heavily Affected?

There are several factors present in the construction industry that make it more attractive to criminals, and sometimes a target.

• Lack of investment in cyber security infrastructure: An entity without appropriate cyber hygiene and cyber architecture signifies an entity that is easy to attack and extort. Monetarily driven cyber criminals will be able to apply little effort for maximum gain. Many engineering and construction companies operate on narrow margins. Effective and meaningful technology and software implementation and the accompanying data privacy and security compliance require a dedicated corporate resource, management, and investment, which are often viewed as expenses against the balance sheet. Accordingly, in construction many companies have not properly invested in cyber security and pay dearly when they experience an attack.
• Target for those seeking sensitive information: For nation states seeking to gain valuable infrastructure information, intellectual property, or entrance to critical public works, the construction industry is the weak link and an easy target for access. Examples of information that cyber criminals target include proprietary construction plans and designs, facilities security information, and other intellectual property.
• Fast adoption of new technologies: Engineering and construction services supported by technologies such as artificial intelligence, advanced analytics, cyber-physical systems, machine learning, and robotics have paved the way for increased productivity, efficiency, connectivity, and stronger service offerings. However, cyber and data privacy risk is often overlooked in the race to embrace new technologies, creating a significant risk.
• Reliance on legacy systems is a significant problem in the construction industry. Legacy or end-of-life operating systems present significant opportunities for cybercriminals. An operating system that is no longer supported will have known vulnerabilities, and because support has ended, patches will not be available. Often, the encryption event itself will cripple the legacy operating system or apparatus, preventing any recovery.
• Third-party risk: Vendors that are connected to a common network can be an often-unmitigated threat. Third-party cyber risk includes potential data breaches due to vulnerabilities within a vendor’s IT environment and can lead to financial, reputational, and regulatory/compliance consequences.
• Lack of cyber security-related regulations: For many decades, it seemed the construction sector did not have many regulations in place for data security, whereas sectors like financial services are subject to stringent regulation. However, the US government has been increasingly regulating and requiring government contractors to comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and further pushed the compliance with Cybersecurity Maturity Model Certification. Increasingly, those who contract with the federal government must demonstrate effective cybersecurity and data protection practices as a means of doing business. A construction company’s ability to bid or participate in federal works projects will require cyber maturity as a condition.

Basic Cybersecurity Measures for the Construction Industry

All construction companies and contractors need to be aware of the cyber risks facing their industry.

Taking measures to ensure adequate controls are in place to protect the enterprise’s ability to function and its crown jewels include, but are not limited to:

• Multi-factor authentication for all remote access, webmail, and privileged and administrative accounts.
• Employee training with robust phishing simulations. Cyber insurance carriers often offer employee training as a value-add to the insurance policy.
• Strict dual controls with callback requirements for payment account modifications and invoice manipulation to mitigate social engineering fraud.
• Effective data breach prevention strategies around confidential information like employee data, trade secrets such as pricing and contract bidding frameworks, schematics, and operational technology (OT) engineering data.
• Endpoint detection and response (EDR), including mobile device management (MDM) for devices in the field to track and wipe stolen or lost gadgets.
• Software sandboxing, which offers a controlled environment before deploying new and/or updated software, including patches.
• Segmented, tested, proven, and protected backups for all critical systems and databases. Note that some cyber policies can assist with business interruptions due to cyberattacks.
• A tested and annually refreshed incident response plan including ransomware preparedness, resource planning/task lists, and public relations strategies.

In my next article, we will dive deeper into the specific cyber risks facing the construction industry, and what to do about them.