A recent Hiscox report found that construction was fifth on the list of UK industries at risk of cyber attack, observing that the sector is not doing enough to prevent attacks.
All users are vulnerable – and it is important to be aware that people, not just technology systems, are a primary target. Even well-meaning users of technology can unknowingly be manipulated into enabling malicious activity through techniques such as social engineering.
Technology can be a risk, as well as an enabler for service improvement. But it would be wrong to suggest that technological developments are too risky to use because of security concerns. Rather, we should focus on securing information properly, and encouraging the prevention of breaches.
Attacks could come from any of the following sources:
Construction businesses and companies in related fields are generally seen as cash-rich but having little appetite to invest in cyber security – and thus can be easy targets. Large volumes of transactions are made from vendors of all sizes, throughout design, construction, and into handover. Consequently, mistakes can be made and malicious requests can slip through the net unnoticed.
As well as immediate gains for the attacker – such as money from your accounts and the damage caused to your reputation – there's also a risk to assets themselves, their users or their general purpose.
For example, a construction project for a financial institution or law enforcement agency will generate vital information such as floorplans or data contained in digital building services and management systems and, potentially, information about the people responsible for the asset, making the project an attractive target.
A quick search will reveal many recent stories of attacks on the construction industry in the UK. Three examples illustrate the wide variety of potential dangers.
In one case, hackers exploited a vulnerability in a construction services firm's website. By doing so, they were able to access its network and carry out a ransomware attack. This meant that the organisation's files were encrypted, and a payment was demanded before the hackers would restore access for users.
Another major contractor likewise suffered a ransomware attack on its computer systems. This impaired its operations, requiring a full restoration of the network.
Meanwhile, an infrastructure management company was hit by a cyber attack from a criminal group that leaked some of its data. This included contracts, financial documents, confidential partnership agreements and non-disclosure agreements.
The National Cyber Security Centre (NCSC) has published guidance on how to protect sensitive data when it is being shared across a network. While primarily intended for a more technical information security specialist audience, there are some lessons for us all.
Someone who intercepts a communication may seek to gain an advantage in a number of ways. For instance, they may:
Mechanisms to protect systems against such attackers work in two main ways: first, by preventing information from being intercepted at all; then, should that fail, by preventing breaches of confidentiality or integrity.
Strategically planning cyber security measures can feel as though it is a monumental task. The NCSC therefore advocates using a set of technology principles, each of which should identify:
| User education | Network perimeter defences | Password policy |
| --- | --- | --- |
| Train all technology users to consider what they include in publicly available documents and web content. They should also be aware of the risks of discussing asset, financial or site access information, for example, and how these can increase the risk of social engineering. | Next-generation firewalls and web/app-traffic management tools can block insecure or unnecessary services, or only allow access to permitted websites. RICS members will need to access research material from resource pools such as RICS. | Stipulations such as a minimum length and a mixture of alphanumeric characters can prevent users from selecting easily guessed passwords, while accounts can also be locked after a small number of failed attempts to log in. |

| Malware protection | Secure configuration | Patch management |
| --- | --- | --- |
| Dedicated software can block malicious emails and prevent malware being downloaded from websites. | The functionality of every device used to conduct business should be restricted to the minimum needed for business operation. Unnecessary software should be removed. Ensure that automatic features that could activate malware are turned off. | When software vulnerabilities are discovered, patches should be applied at the earliest possibility to limit exposure. In lay terms, make sure you update regularly. |

| Device controls | User access | Monitoring |
| --- | --- | --- |
| Devices in the internal gateway should be used to prevent unauthorised access to critical services, or inherently insecure services such as external software applications that may still be required within the company. | Well-maintained controls can restrict access to the applications, privileges and data to those users who need them. | Once preventative measures have been put in place, checking on their effectiveness is crucial. Cyber criminals are well funded and highly skilled, and they will continue to test your defences. Detecting a breach early enables prompt intervention and a reduction in the severity of the potential consequences. |
Human behaviour is central to the majority of cyber attacks in construction. Therefore, organisations should reflect on some critical questions.