A recent Hiscox report found that construction was fifth on the list of UK industries at risk of cyber attack, observing that the sector is not doing enough to prevent attacks.
All users are vulnerable – and it is important to be aware that people, not just technology systems, are a primary target. Even well-meaning users of technology can unknowingly be manipulated into enabling malicious activity through techniques such as social engineering.
Technology can be a risk, as well as an enabler for service improvement. But it would be wrong to suggest that technological developments are too risky to use because of security concerns. Rather, we should focus on securing information properly, and encouraging the prevention of breaches.
Digital attacks come from various sources
Attacks could come from any of the following sources:
- cyber criminals interested in making money from fraud or the sale of valuable information
- industrial competitors and foreign intelligence services wanting to gain an economic advantage for their companies or countries
- hackers who find interfering with computer systems an enjoyable challenge
- hacktivists who wish to attack companies for political or ideological motives
- employees or other parties with legitimate access, such as contractors or partners, who may accidentally or deliberately misuse it.
Why construction firms are targeted
Construction businesses and companies in related fields are generally seen as cash-rich but having little appetite to invest in cyber security – and thus can be easy targets. Large volumes of transactions are made from vendors of all sizes, throughout design, construction, and into handover. Consequently, mistakes can be made and malicious requests can slip through the net unnoticed.
As well as immediate gains for the attacker – such as money from your accounts and the damage caused to your reputation – there's also a risk to assets themselves, their users or their general purpose.
For example, a construction project for a financial institution or law enforcement agency will generate vital information such as floorplans or data contained in digital building services and management systems and, potentially, information about the people responsible for the asset, making the project an attractive target.
Cases illustrate range of danger
A quick search will reveal many recent stories of attacks on the construction industry in the UK. Three examples illustrate the wide variety of potential dangers.
In one case, hackers exploited a vulnerability in a construction services firm's website. By doing so, they were able to access its network and carry out a ransomware attack. This meant that the organisation's files were encrypted, and a payment demanded before the hackers would restore access for users.
Another major contractor likewise suffered a ransomware attack on its computer systems. This impaired its operations, requiring a full restoration of the network.
Meanwhile, an infrastructure management company was hit by a cyber attack from a criminal group that leaked some of its data. This included contracts, financial documents, confidential partnership agreements and non-disclosure agreements.
How to reduce your vulnerability
The National Cyber Security Centre (NCSC) has published guidance on how to protect sensitive data when it is being shared across a network. While primarily intended for a more technical information security specialist audience, there are some lessons for us all.
Someone who intercepts a communication may seek to gain an advantage in a number of ways. For instance, they may:
- want to extract sensitive information directly
- want to modify the communication to masquerade as a legitimate user and send malicious messages
- look to resend previously transmitted information – such as requests for funds – for the sake of disruption. Commonly this could be in the form of seemingly legitimate communication letting an individual know that bank details have changed and funds should be routed to the 'new account', which actually belongs to threat actors
- seek to prevent data reaching its intended recipient, causing a denial of service.
Mechanisms to protect systems against such attackers work in two main ways: first they aim to prevent information being intercepted at all and then, should that fail, they try to prevent breaches of confidentiality or integrity.
Strategically planning cyber security measures can feel as though it is a monumental task. The NCSC therefore advocates using a set of technology principles, each of which should identify:
- what it is aiming to achieve and why
- the threat that it aims to mitigate
- protective measures, such as using encryption to protect the confidentiality of the data and ensuring that any messages modified in transit can be identified
- a list of sample defensive measures – practical techniques such as using standardised algorithms to encrypt content at source and decrypting only at the destination, never en route, and then verifying message integrity.
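The sketch below is an added example, not code from the NCSC guidance or the original article. It shows how a recipient can identify a message modified in transit, or a resent request for funds, using a standard HMAC-SHA256 tag with a one-time nonce and timestamp. It covers integrity and replay only (encryption is omitted), and the function names, the five-minute window and the pre-shared key are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_AGE_SECONDS = 300  # assumed freshness window for this example


def _tag(key, envelope):
    # HMAC-SHA256 over canonical JSON of every field except the tag itself.
    body = {k: v for k, v in envelope.items() if k != "tag"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal(key, payload, now=None):
    """Sender side: add a one-time nonce, a timestamp and an integrity tag."""
    envelope = {
        "payload": payload,
        "nonce": secrets.token_hex(16),
        "sent_at": int(time.time() if now is None else now),
    }
    envelope["tag"] = _tag(key, envelope)
    return envelope


def verify(key, envelope, seen_nonces, now=None):
    """Recipient side: check integrity first, then freshness, then reuse."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(_tag(key, envelope), str(envelope.get("tag", ""))):
        return "rejected: modified in transit"
    if abs(now - envelope["sent_at"]) > MAX_AGE_SECONDS:
        return "rejected: stale"
    if envelope["nonce"] in seen_nonces:
        return "rejected: replay"
    seen_nonces.add(envelope["nonce"])
    return "accepted"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # shared out of band (assumption)
    seen = set()
    # Constructed sample request, not real data.
    request = seal(key, {"invoice": "INV-0001", "sort_code": "00-00-00",
                         "account": "00000000", "amount_gbp": 12500})
    altered = dict(request, payload=dict(request["payload"], account="99999999"))
    print(verify(key, altered, seen))   # bank details changed en route
    print(verify(key, request, seen))   # genuine first delivery
    print(verify(key, request, seen))   # same message resent later
```

A check like this only covers messages exchanged between systems that share a key; a change-of-bank-details request arriving by ordinary email still needs confirming through a separately known contact.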
Table 1: NCSC principles
| Principle | Measures |
| --- | --- |
| User education | Train all technology users to consider what they include in publicly available documents and web content. They should also be aware of the risks of discussing asset, financial or site access information, for example, and how these can increase the risk of social engineering. |
| Network perimeter defences | Next-generation firewalls and web/app-traffic management tools can block insecure or unnecessary services, or only allow access to permitted websites. RICS members will need to access research material from resource pools such as RICS. |
| Password policy | Stipulations such as a minimum length and a mixture of alphanumeric characters can prevent users from selecting easily guessed passwords, while accounts can also be locked after a small number of failed attempts to log in. |
| Malware protection | Dedicated software can block malicious emails and prevent malware being downloaded from websites. |
| Secure configuration | The functionality of every device used to conduct business should be restricted to the minimum needed for business operation. Unnecessary software should be removed. Ensure that automatic features that could activate malware are turned off. |
| Patch management | When software vulnerabilities are discovered, patches should be applied at the earliest possibility to limit exposure. In lay terms, make sure you update regularly. |
| Device controls | Devices in the internal gateway should be used to prevent unauthorised access to critical services, or inherently insecure services such as external software applications that may still be required within the company. |
| User access | Well-maintained controls can restrict access to the applications, privileges and data to those users who need them. |
| Monitoring | Once preventative measures have been put in place, checking on their effectiveness is crucial. Cyber criminals are well funded and highly skilled, and they will continue to test your defences. Detecting a breach early enables prompt intervention and a reduction in the severity of the potential consequences. |
Critical questions you should ask
Human behaviour is central to the majority of cyber attacks in construction. Therefore, organisations should reflect on some critical questions.
- Are all users aware of the importance of maintaining cyber security?
- Do they all know how to spot suspicious or malicious behaviour, and what to do about it?
- Can the organisation say it is doing everything in its power to mitigate risks?