In the cat-and-mouse game of cyber security, the construction industry is particularly vulnerable as it increasingly embraces digitization and integrates information technology (IT) and operational technology (OT) systems.
A majority of the 37 cyber incidents analyzed in the sector in the Verizon 2020 Data Breach Investigations Report confirmed a worrying pattern: External actors who understood the construction industry's vulnerabilities and how to exploit them perpetrated most of the crimes.
Construction cyber security risks
The construction industry is a particularly ripe target for attacks because it is lucrative—the $10 trillion sector is one of the largest in the world—and increasingly vulnerable. What's more, by its very nature, construction cyber security faces industry-specific challenges.
First, the sector is becoming increasingly digitized. Paper blueprints are making room for building information modeling (BIM) processes so all project participants can view the same data changes at the same time. The increased efficiencies that digitization delivers also increase the number of weak links, since the more stakeholders with access to proprietary information there are, the more vulnerabilities that open up. The infamous 2014 Target data breach, which compromised millions of customers' sensitive credit card information, traced its source to an HVAC operator who was managing the stores' smart thermostats.
Construction cyber security also has to contend with employees on the road who bring their own devices to work and create more vulnerable endpoints. Furthermore, it has to factor in potentially lax protocols while companies install temporary networks for internet connectivity.
The Internet of Things (IoT) is making rapid advances in construction, from connected sensors to radio-frequency identification (RFID) tags on workers' hats. As companies work with streaming big data from IoT technology, insecure machines and shaky integration between IT and OT infrastructure complicate cyber security challenges even further.
Finally, insufficiently trained employees and old firmware with outdated security patches are challenges that need to be considered as cyber security threats constantly evolve.
Considerations for cyber security in construction industry
Given the risks, construction companies need to conduct comprehensive and frequent third-party cyber security assessments so they can identify and remediate vulnerabilities. Independent assessments will typically include penetration testing and password spraying among other procedures to spot weaknesses.
Third-party vendors who work with construction companies will demand risk assessment reports, so conducting these regularly and implementing a data breach management plan in case of an attack are best practices. In addition, construction companies should train employees frequently about phishing scams and malware they are especially vulnerable to. Basic cyber security hygiene includes installing robust firewalls and the latest security patches.
Another step is to implement multi-factor authentication (MFA), which verifies the identity of system users through unique, user-specific codes. In addition, cyber security protocols need to include mobile device management (MDM) plans so IT can control workers' device use centrally.
Construction companies should consider end-point detection and response (EDR), which frequently uses artificial intelligence (AI) to scan all endpoints and flag abnormal traffic patterns. Such a system is especially useful to analyze the volumes of big data that IoT-ready sensors generate. BIM software often allows users to control which third-party vendors can access data and when. Enterprise file synchronization and sharing (EFSS) solutions also allow construction companies to implement these procedures so you can blunt the effect of weak links on your cyber security plans.
A security-first mindset
The construction cyber security landscape is changing rapidly as the industry adopts new digital technologies on the path to modernization. While you cannot eliminate risk completely, weaving cyber security into your company's DNA and working with a security-first mindset is key to staying ahead. Implementing cyber security strategies to fortify endpoints and IT/OT integration while establishing a robust incident response plan will go a long way toward delivering peace of mind.
Learn more about the cyber security challenges in the construction sector.
The author of this content is a paid contributor for Verizon.