Cyber crime: How construction has become a high-risk industry
Published in Construction News 5th March 2018 by Fabian Saverimuttu
Despite the uncertainty of Brexit, there’s a lot to be positive about in 2019 for the construction industry. However, there’s one danger that cannot be overlooked: it’s an unfortunate reality that the construction industry is increasingly vulnerable to cyber crime threats – a trend that looks set to increase in 2019.
The continuing drive towards BIM, automation, and collaboration brings with it an exponential increase in the digital attack surface a construction company needs to protect.
Within a low-margin industry, it’s imperative that projects run on time and budget. For all construction firms, the risk of delay due to cyber-attacks can erode profitability as well as reputation. The situation is exacerbated by the perception that the industry is at a lower risk of attack than more historically knowledge or data-based industries.
This is partly as a result of decades of under-investment in technology. In the Department for Culture, Media and Sport’s 2018 cyber security breaches survey, construction ranked as one of the sectors where senior managers are most likely to see cyber security as a low priority (35 per cent vs the average of 24 per cent).
On top of this, the construction industry ranked in the bottom three from 12 industries, based on average investment in cyber security in 2018, with spend in the construction industry equating to less than 10 per cent of the top ranked-industries’ spend.
An example
When entering a construction site, a safety briefing can be expected, alongside a check to ensure that visitors are in the right condition to go on site. However, it’s unlikely that any thought would be given to someone’s understanding of, or compliance with, an organisation’s security policy. Visitors may be allowed to connect to an open WiFi network with a laptop or mobile device with out-of-date (if any) security. They may be able to share documents or information via a number of methods, with little to no thought to the potential of malware.
Cyber security needs to be considered in the same way as health and safety – and that will take a cultural shift across the industry. Developments such as BIM, cloud-based software, VR, Internet of Things sensors and autonomous plant and machinery – coupled with a drive towards a more connected, collaborative working methodologies – all expand the digital attack surface of an organisation.
“Cyber security needs to be considered in the same way as health and safety – and that will take a cultural shift across the industry”
The first factor to consider is the increase in the number and type of endpoints: the use of laptops, tablets and smartphones significantly expands the attack surface. While it is in theory possible to tightly control and protect corporate assets, the same is not the case for devices, which are owned and used by contractors. Another factor is the proliferation of IoT sensors and autonomous plant and machinery, which adds another layer of risk and complexity. These devices are typically not designed with security in mind and are either difficult to impossible to patch as security vulnerabilities are identified. All need connectivity to share information with the BIM or other applications, so the ability to secure this connectivity is critical.
Data sharing
The sharing of data is another key consideration. Data is key to construction and is widely shared as the industry becomes more digitised. Whether that be project documents, plans, diagrams or for BIM, thought needs to be given on how to secure data as it traverses the network. It is important that security is as transparent as possible, in order to allow data to flow freely and enable the collaboration that underpins a people-powered industry.
Finally, the extended supply chain element must not be overlooked. These subcontractors are typically made up of SMEs who have little to no security in place to protect their devices and systems and may not have received any security awareness training.
Given the speed at which new entrants are coming into the market, this creates additional challenges around end-to-end protection. Consequently, it’s critical that any access or connectivity provided to these contractors is secured and segmented to ensure their devices and infrastructure can’t be used as an easy entry point for malware.
Post-Brexit, there is no clear idea of what the landscape will look like for construction, and organisations are seeking newer markets and foreign acquisitions that open up additional cyber threats. In such an uncertain and unpredictable economic environment, confidence is key; to achieve this, good cyber security hygiene is a great place to start.
In other words, 2019 will become the year when control of data will be what instills customer confidence and sets construction companies apart from their competitors – resulting in knock-on benefits across the entire industry.
Fabian Saverimuttu is construction and engineering business development manager at cloud and network provider Exponential-e