The construction industry’s rapid digital transformation has opened the door to new cybersecurity challenges. As the sector adopts innovative technologies like cyber-physical systems, Building Information Modeling (BIM), and digital twins, it must shift its cybersecurity strategies from traditional perimeter-based approaches to data-centric ones. Part 1 of this three-part series discusses the current cybersecurity challenges confronting the U.S. construction industry; Part 2 focuses on mitigating cyber risks and practical strategies for protecting businesses from emerging cyber threats; Part 3 discusses what is next.

Cyber Risks in the Construction Industry

Understanding Data Breaches

Companies should be aware of the potential impacts of a data breach, including operational setbacks, revenue loss, reputational damage, legal fees, technical costs, and more. Understanding data breaches, their causes, and potential consequences is crucial for organizations looking to protect their sensitive data and mitigate the risks associated with cyber threats.

Key Cyber Risks

The construction industry faces various cyber risks that can have significant implications for businesses, projects, and stakeholders. The following key cyber risks are of particular concern to the construction sector:

• Ransomware Attacks: Ransomware is malware that encrypts a victim’s files, rendering them inaccessible until a ransom is paid to the attacker. In the construction industry, ransomware attacks can lead to project delays, critical data loss, and significant financial losses.

Organizations rarely go public about incidents making statistical studies impossible. However, the few global incidents that have been highlighted in the media demonstrate the severity of the risk of ransomware attacks. For example, in February 2018, the Colorado Department of Transportation (CDOT) was hit by the SamSam ransomware attack. SamSam ransomware infected thousands of computers at CDOT, forcing the state to declare a state of emergency and spend $1.7 million on recovery efforts. The attack also disrupted CDOT’s business operations, including contract administration and payment processing.

In another incident in June 2017, global construction materials supplier Saint Gobain experienced a significant network outage due to the NotPetya ransomware attack. The attack severely disrupted Saint Gobain’s operations, causing temporary downtime and reportedly leading to a loss of around €250 million in sales. A similar attack targeted Turner Construction Company (TCC), a prominent U.S. construction company. Ryuk ransomware affected TCC’s IT systems, forcing TCC to take its systems offline to limit the spread of the ransomware. As illustrated by the above examples, the operational disruptions caused by ransomware attacks can have significant financial impacts on construction businesses. 

• Fraudulent Wire Transfers: Cybercriminals often target the construction industry’s financial transactions, attempting to divert funds through methods such as business email compromise (BEC) and impersonation scams.

While specific instances of fraudulent wire transfers in the construction industry might not always make headlines, here are some examples demonstrating the potential impact of such incidents. In 2017, a construction company in North Carolina, Wallace Construction Group, fell victim to a BEC scam. The attackers spoofed the email address of the company’s CEO and sent a fraudulent email to the company’s accountant, requesting a wire transfer of $122,850. Unaware of the scam, the accountant completed the transfer. In 2015, a large Canadian construction company was targeted by cybercriminals in a BEC scam. The attackers impersonated the company’s CEO and requested an urgent wire transfer of $1.2 million to a Chinese bank. The finance department questioned the request but ultimately completed the transaction after receiving follow-up emails that appeared to be legitimate.

• Breach of Intellectual Property and Bid Data: Because much of the construction industry falls within the nation’s critical infrastructure sector, construction companies are continuously targeted by cyber-espionage groups aiming to steal valuable intellectual property and other sensitive data. These groups often target organizations in engineering, industrial control systems, and transportation sectors, where bid data and intellectual property can be valuable assets. For instance, the bidding process often involves exchanging sensitive financial and project information. Cybercriminals may target this data to gain a competitive advantage, manipulate bidding results, or cause financial harm.

In 2018, cybersecurity firm FireEye reported a cyber-espionage campaign targeting multiple organizations in the engineering and maritime industries. The campaign, attributed to a group dubbed “TEMP.Periscope,” targeted organizations across various countries, including the United States. The report demonstrates the potential risk to critical infrastructure sectors and the need to protect sensitive data such as intellectual property and bid information.

Now that we have outlined some of the key cyber risks, stay tuned for Part 2 of this series, in which we’ll discuss how to address and mitigate those risks and the associated impacts.