Construction: Don’t Avoid Cyber, It Could Be Costly

The construction industry builds entire ecosystems that touch the most critical infrastructure in any location. Within each project there is a requirement for many groups, organizations, utilities, cities, banks, insurance companies, architects, and engineers to bring the projects to closure, making the project and its participants susceptible for cyber vulnerabilities.

Looking at the headlines of the high profile cyber-attacks, no industry appears to be immune from the threat of cyber intrusions. The attackers are looking to either profit through extorting money or they are stealing intellectual property for another form of financial gain.

Trends in the Hacking Industry

Cyber criminals are always looking for the weakest link in the chain. Weak links between participants or devices that are unmanaged/unmonitored for cyber create opportunities for attacks. The other common model is through email campaigns that trick the user into clicking on an infected link or file. Other trends in hacking in industry include:

  • Internet of Things (IoT): Vulnerable connectivity of sensors, meters and automation wired and wireless
  • Cyber hygiene of all participants with email and administrative configurations
  • Various levels of “security posture” between each party working on the project: contractor A may have a high cybersecurity methodology in place, and contractor B does not understand their cyber posture
  • File sharing
  • Industrial espionage
  • Phishing attempts
  • Insider threats: contractors being hired by other parties to steal information
  • Connections to third parties using the vulnerabilities of an infected device

Implementing Good Cyber Posture

Think about it, how many participants in each project have access to the most critical data? Who owns the security access and identity of every worker entering a site? Who decides which workers are privy to what information about the project? It’s important to understand the ease of hacking when many participants are involved without a central management of the known and unknown.

Construction companies must take steps to implement good cyber posture. This includes:

  1. Have a third party conduct a complete network assessment and audit.
  2. Assess all participants (subcontractors included) who have access to systems and data of the project.
  3. Identify gaps and set plans to remediate vulnerabilities.
  4. Identify and manage secure device access to the Internet.
  5. Require secure connections between all participants of the project.
  6. Conduct periodic scans and assessments to identify changes, before, during and after the project concludes.
  7. In the event of a cyber-attack, have a plan in place to recover.

Keep in mind that proper cyber hygiene is never a point in time, but an ongoing practice for every company. The best companies to do business with are the ones who can identify their cyber posture with a measurable process.  The Cybersecurity Framework is a method that supports all industry types and enables companies to make business decisions about their cyber in a practical process.

By Brian Berger, executive vice president, commercial cybersecurity, Cytellix

Related Articles