Cybersecurity has never been more disruptive in the construction sector, as the number of cyberattacks on companies increases and the potential damage and disruption caused grows exponentially. Victims of recent cyberattacks include large companies such as Bouygues, Emcor, Saint-Gobain, and BAM, as well as many smaller contractors and suppliers.
Cybersecurity adds to challenges facing the construction industry
The construction industry on the whole has poor cyber defences as it is experiencing rapid digitalisation while continuing to employ out-of-date software. Furthermore, companies face many challenges that lead to additional vulnerabilities. Responding to the challenges often requires an increasing IT footprint and the resulting financial difficulties make investing in cybersecurity all the more difficult.
A key challenge facing the construction sector is the increasing complexity of projects. This results in greater collaboration between stakeholders and contractors. Unfortunately, collaboration frequently generates cyber threats due to access to shared IT systems. Increasing project complexity also adds more personal devices and IT and OT assets to the network. It is common for a complete lack of visibility of these assets. If this is the case, then it is impossible to protect them from attacks. Supply chain issues and growing resource costs are hitting construction companies. Many have diversified their supplier base, and these additional partners often have access to intellectual property and sensitive data. This increases their vulnerability as any company a firm has a relationship with may hold data that could be used to breach defences.
There is also growing scrutiny of companies’ environmental, social, and governance (ESG) credentials. Governance encompasses risk management, and social issues include workplace safety. Cybersecurity is a vital aspect of risk management, and workers’ safety and data may be at risk in the event of a cyberattack.
These challenges present cost management issues, especially as margins are squeezed and project expenses increase. Cyberattacks are also likely to exacerbate any financial difficulties due to time lost on projects, extortion, or regulatory fines.
Investment is needed across construction projects
Construction companies should invest in cybersecurity software and services throughout the construction process. This begins at the conceptual design stage and during feasibility studies, as a loss of trust from stakeholders due to a data breach will make it harder to win new contracts.
In the design and engineering phase, vulnerabilities arise because tools such as building information modelling (BIM) are highly collaborative. Attackers’ motives may include tampering with crucial data or stealing intellectual property. Although an attack at this stage may not cause immediate disruption, intellectual property often underpins an organisation’s competitiveness. Disclosure of trade knowledge could thus limit a company’s ability to win future contracts.
During construction, it is essential to have a decentralised cyber policy due to the number of sites at any one time. Connected Internet of Things (IoT) devices, collaboration tools, and electronic building tools represent a large potential attack surface. This means disciplined cybersecurity precautions must be followed on-site, as construction projects cannot continue without connectivity.
Companies must respond to the increasing threats
The response by some companies is lacking. The employment of chief information security officers (CISOs) is patchy. It is even rarer to find a CISO that sits on the company board, which is necessary to allow them to confront the matter at hand. To tackle the threats posed by cyberattacks, construction companies should prioritise cybersecurity services such as managed security services, post-breach response services, and risk and compliance services. This is most easily achieved by outsourcing the services due to the complexity and skills required to address cybersecurity-related issues. Threat detection and response software are also particularly vital to ensure a robust cyber defence, and construction companies should place a high priority on these capabilities.