Rick Jones, CEO, DigitalXRAID, looks at how and why a cyberattack could cripple a construction business and discusses the threat ransomware poses to construction, why companies should heed the latest NCSC advice and how the industry can build a strong cyber defence.
The threat of cyberattacks continues to grow in all industries and construction is no exception. Recent research based on ransomware data released by hackers shows construction as the worst-hit industry in 2021. Though they may not traditionally be seen as a major target for cybercriminals, construction firms are increasingly adopting more digital ways of working. This digital transformation combined with high cash flows, wide-spanning supply chain relationships and storage of sensitive data leaves the industry at risk of critical data breaches.
In fact, high profile cyberattacks against construction businesses have led the National Cyber Security Centre (NCSC) to issue specific cyber defence guidance for the industry. Launched in partnership with the Chartered Institute of Building (CIOB), the targeted advice for small-to-medium sized businesses addresses why cybersecurity matters and recommends particular measures that should be adopted to bolster cybersecurity strategies.
So, what else is contributing to the vulnerability of construction businesses and what cyber defence can industry leaders and IT teams implement to address these cyber threats?
Construction industry is lagging behind in cybersecurity awareness
Alongside manufacturing, the construction industry is lagging behind in terms of its digital transformation and cybersecurity awareness. This issue is compounded by the high cash-flow nature of the business, which renders construction companies both a high priority and low-hanging fruit for hackers, who are increasingly exploiting gaps in security strategies to effectively target and hold data to ransom.
The UK Government’s Cyber Security Breaches Survey 2022, published in March, revealed that only 56% of respondents have a policy not to pay ransomware. What is particularly concerning here is that this translates to nearly half of organisations either considering paying or not planning ahead at all.
Construction businesses are typically less mature in IT and cybersecurity processes and strategies, so it’s vital for them to understand that data is compromised as soon as it is breached – even if a ransom is paid – and that paying up must stop.
Another contributing factor to the industry’s cyber vulnerability is the traditional understaffing of IT departments. A strong leadership approach around cybersecurity is required to ensure boardrooms and IT teams are aligned on cyber defence strategies and keep them front of mind going forward.
The implementation and consistent use of basic cyber hygiene practices, patching and regular penetration testing can all reduce the likelihood of a data breach. These strategies are also strengthened by staff training, conducted little and often, to help mitigate both internal and external threats.
Nature of construction projects is leaving organisations at risk of cyberattacks
The nature of construction projects is leaving organisations at risk of cyberattacks. For instance, some projects cover hugely critical and highly sensitive sites. This means that construction organisations will often serve as back-door entrances for hackers to enter larger networks – e.g., within the public sector or government.
The bottom line is that construction companies are vulnerable to exploitation by bad actors if they form part of the wider supply chain that serves Critical National Infrastructure and stores sensitive data. What’s more, businesses in the industry also store confidential information themselves, such as intellectual property, data around property assets and architectural drawings and specifications of government buildings – all of which are valuable and open to abuse if compromised by hackers.
Construction enterprises of all sizes, therefore, need to implement stringent cybersecurity measures to protect themselves as part of supply chains and as standalone organisations. This is especially pertinent when considering the Cyber Security Breaches Survey found that only 13% of organisations review the risks posed by their immediate suppliers (and this figure drops to 7% for the wider supply chain).
It is concerning that businesses are underestimating the security risks associated with having or being part of supply chains, as hackers continue to deploy increasingly sophisticated and targeted attacks through third-party providers.
The recent high-profile Okta breach serves as a stark warning of the potential damage that can be caused by this type of attack. Construction businesses should therefore look to implement proactive security measures, such as contractually agreed liability around breaches, well-defined security policies and regular penetration testing, to help mitigate vulnerabilities. A Zero Trust architecture can also offer additional protection against a supply chain attack by removing the implicit trust given to internal users.
Due to the tender process for projects in the industry, companies are also required to have some form of cyber defence strategy in place in order to win large contracts. The UK Government, for example, will not award projects to any business that is not meeting the more rigorous cyber regulations that have been introduced in recent years.
Yet seeing cybersecurity as a tick box exercise simply to win new business is not enough. And although the industry is on its journey toward a full culture shift regarding cybersecurity, there is still a long way to go. In the meantime, construction businesses should consider working with an external security partner to take on these cyber defence requirements.
An outsourced Security Operations Centre (SOC) can not only demonstrate organisations’ commitment to cybersecurity, but will also ensure that threat monitoring becomes a 24/7/365 activity and that cyberattacks are identified and mitigated before they compromise an entire network.
Devices used by construction enterprises are a source of vulnerability
The devices used by construction enterprises in projects are also a source of vulnerability. According to research, 95% of construction organisations believe that emerging technology – like IoT – will fundamentally impact their industry in the future.
However, the increasing convergence of the Internet of Things (IoT) with Operational Technology (OT) is a point of weakness. Many OT environments were not designed with the intention of being connected to the wider IT environment, and consequently, connectivity and cybersecurity were not a top priority. As the industry is increasingly reliant on OT, it is critical to recognise the risk this poses to the wider IT network.
To ensure the entire OT and IT network is protected, an outsourced SOC can alleviate some of the pressure being felt by understaffed and overloaded construction industry IT teams. A SOC is able to alert businesses to security events as they arise, investigating and neutralising them to prevent lasting damage to organisations.
Drawing on the aggregate value of cyber experts with extensive knowledge of the threatscape, an outsourced SOC is one of the best ways to bolster the industry’s cybersecurity posture and support businesses to prioritise and embrace the protections to keep their organisations safe.
Construction industry is becoming a bigger target for cybercriminals
The construction industry is only becoming a bigger target for cybercriminals, as demonstrated by the publication of the NCSC’s latest guidance. It is therefore vital for businesses who are more at risk due to the nature of the industry, their projects and devices, to act proactively and implement strong, comprehensive cybersecurity measures.
Not only will this help to reinforce their defences against potential attacks, but it will also aid construction organisations in their broader cultural shift towards cybersecurity awareness as they continue to embrace a more digital future.