With attacks increasing in both frequency and sophistication, firms are under pressure to bolster their security. So why have so few construction companies taken any action to protect themselves? Josephine Smit reports

cyber low res

The magnitude of Russia’s cyber capacity is fairly consequential and it’s coming. One of the tools [Putin’s] most likely to use is cyber attacks. They have a very sophisticated cyber capability. The point is that he has the capability. He hasn’t used it yet, but it’s part of his playbook

Joe Biden to a business roundtable quarterly meeting in Washington, March 2022

When the president of the United States tells you to look to your cyber security, you may well sit up and take notice. In the wake of Russia’s invasion of Ukraine, Joe Biden this month warned business leaders that cyber attacks were likely, a call that was echoed on this side of the Atlantic by the National Cyber Security Centre (NCSC), a UK government agency.

Security concerns were high ahead of these warnings, with insurer Hiscox’s cyber readiness report for 2021, which surveys global businesses, charting an increase in firms coming under threat and listing construction among the top five industries targeted.

“Attacks are always evolving and we have seen definite increases in both frequency and sophistication,” says James Carter, global cybersecurity risk manager at consultant Arcadis. “We are also seeing targeted attacks, which mean that threat actors see construction companies as lucrative targets.”

Building’s Construction Cyber Security Forum 2022

As the construction industry continues to employ increasingly digitalised ways of working the risk proposed by cyber threats has never been greater. 

Join us on 28 April as our Construction Cyber Security Forum joins forces with the National Cyber Security Centre and Department for Business, Energy and Industrial Strategy to discuss how and why construction firms need to protect themselves from cyber threats.

CCSF

Construction firms may be targets in their own right, or because of their clients, he explains, saying of the latter: “Firms may be targeted as part of a supply chain attack on a client or by ‘hacktivists’ in relation to sensitive or controversial projects they are part of. It’s important to understand how projects and clients can influence your threat profile.”

In spite of these threats, the government’s annual cyber security breaches survey consistently identifies construction as trailing other industries when it comes to action. “Construction has always been aware of a cyber threat, but often only in relation to specific specialised cases, such as government and defence work,” Carter says.

But he believes that attitudes are now changing, pointing out that “the new digital environment brings a vastly increased risk from cyber threat, as the risk is now to the actual delivered digital product, such as smart buildings”.

Advances in construction and maintenance, like drones for example, also present increased risk. “The potential reputational, financial and human cost of a drone coming down in a crowded city – whether because of interference on the connection or because it has been hacked – is severe,” cautions Ian Davis, head of information security at management consultant Gemserv, which advises business clients on cybersecurity and resilience. That risk will increase as bigger, more powerful drones replace lower-level cranes for supply of materials to upper levels of buildings, a prospect that Davis says is not far away. 

Businesses need to recognise the site is the primary, more vulnerable source of threat and far easier to attack than head office

Irrespective of such advances, construction sites are inherently complex working environments, because they bring together disparate players, from tier one contractors to one-person SMEs, all having their own policies, IT standards and employees using their company’s equipment, or perhaps personal devices.

“The challenges for sites are immense and it can appear too difficult to create a robust security framework across them,” says Davis. “Businesses need to recognise the site is the primary, more vulnerable source of threat and far easier to attack than head office.”

A common way of addressing site challenges is for IT departments to limit staff access to the information they need. “But the business side of a company can see that as constraining people’s ability to work, so you can have tension between security and business productivity,” he adds.

Essentially, a site’s cyber security needs to have the same focus as its physical security, Davis argues, while acknowledging: “It is easy to understand the cost of a group of activists coming onto a site, but less easy to understand the potential cost of a contractor bringing an unprotected laptop onto site and connecting to the network.”

>> Free webinar: Introduction to Smart Buildings and cyber security: New Guidance and Best Practices on the security of Smart Built Environments: IoTSF

>> Free webinar: Cybersecurity in construction

The government is already promoting best practice as a client, by requiring site cyber security and information security plans for many public contracts. Davis believes such assessments are key to gaining a clear view of the risks that contractors and suppliers potentially bring to a project and establishing a common cyber governance framework for areas such as incident reporting.

For contractor Willmott Dixon, the greatest cyber security threat comes from phishing emails, which seek access to a user’s Microsoft Office 365 account to steal what they have access to or use the account to send emails to other people, with the ultimate aim of stealing money.

“I speak to others at major construction companies and we’re all seeing the same problem,” says Steve Witty, the firm’s head of security and compliance.

The company’s priorities, therefore, are protecting its data and safeguarding users from phishing attacks, which it does with the help of a cyber security strategy based on the NCSC’s 10 steps to cyber security guidance and certification to the government-backed Cyber Essentials Plus scheme and ISO 27001.

Percentage of businesses identifying breaches or attacks in the past 12 months:

Micro-firms: 36% 
Small firms: 48% 
Medium firms: 59% 
Large firms: 72%

Among businesses identifying breaches or attacks, 49% say it happens once a month or more, and 31% say they experience breaches or attacks at least once a week

Mean cost of all breaches or attacks identified in the last 12 months (for organisations identifying any breaches or attacks):

All businesses: £1,200 
Micro/small businesses: £861 
Medium/large businesses: £8,040

Cyber Essentials is part of the government requirement when bidding for key public contracts, although that requirement does not commonly extend to sub-contractors.

“Generally we manage and maintain the information systems, giving the supply chain access to them. That’s why we need them to be cyber savvy, because if they are compromised it will, at best, have a knock-on effect for us.”

Cyber Essentials is a valuable tool for businesses ranging from SMEs to major organisations, says Witty, adding: “If everybody did it, there would be fewer issues for us all to deal with”.

ISO 27001, the international standard for information security management systems, complements Cyber Essentials, with its focus on policies and procedures. It also gives users exemption from some of the auditing requirements of part 5 of the new building information modelling (BIM) standard, ISO 19650, which covers security-minded information management.

Willmott Dixon will be piloting this with standards body BSI this summer and Witty believes security around BIM data and other advances can be assured, so long as the right safeguards are in place. “We don’t issue anything, whether it’s a drone or a smart fridge, without a process of evaluation, so if something is inherently insecure and presents a risk, we would look at other options,” he explains. 

For Witty, cyber security is everyone’s responsibility and should be as routine as putting on a high-vis jacket when going on site. “I can never say the business is completely secure because the bad guys are constantly evolving. “I need our people to act as the human firewall. Everyone has access to data and data has value so everybody is a target,” he stresses.

That extends to the supply chain, and Witty recently used the company website’s blog to highlight new NCSC guidance for construction SMEs.

It’s vital businesses, regardless of their size, put the right protections in place to reduce the chances of falling victim to an attack

The NCSC’s dedicated guidance grew out of the fact that “SMEs make up the majority of companies in the construction sector, and so building up their resilience can help protect the wider industry from online threats,” says its spokesperson. A common barrier to building resilience is cost.

“We know that construction businesses can operate on tight profit margins and that investing in cyber security can seem like a non-essential expense,” says the spokesperson. “However, it’s vital businesses, regardless of their size, put the right protections in place to reduce the chances of falling victim to an attack, as it could grind operations to a halt and potentially result in higher costs.”

Across the UK a network of regional cyber resilience centres, supported by the police and the Home Office, has been established to work on the ground with SMEs in all sectors. “Each sector has its own threats and technical issues around that, but there are common factors,” says Jared Thompson, spokesperson for the north west region’s cyber resilience centre (NWCRC).

“In construction we have noticed that people don’t want to see bad PR about being attacked – businesses can often feel there’s a stigma attached.”

NWCRC, whose team includes two officers seconded from Greater Manchester Police, supports businesses with free and easily accessible guidance and – for fee-paying members – training sessions and security services. It has around 500 business members in the Greater Manchester area, plans to expand its activities to the broader region, and also wants to work with more businesses in construction.

The sector has proved harder to engage with than some others, says Thompson, but NWCRC is in discussions with a partner to create a dedicated campaign targeting construction SMEs.

As a training provider at NWCRC, Thompson teaches businesses about common everyday threats, from phishing emails to the stranger who may be looking over your shoulder while you’re working on a tablet in a café. “Remote working is everyday working for a lot of people in construction as people are often moving from site to site, and working largely from a tablet or mobile,” he says.

“We want to be there to help people to prepare. It can be a matter of building resilience and confidence in staff so that they know what something suspicious looks like.”

NWCRC also warns of latest threats, drawing on police intelligence, which this year have already included a number of ransomware attacks. “We don’t want to scaremonger, but we tell companies it’s a case of when, not if,” says Thompson.  

Help on hand

The government’s National Cyber Security Centre provides information for businesses, including the 10 Steps to Cyber Security for medium-to-large organisations, and the Cyber Security for Construction Businesses guide for SMEs, released in February by NCSC with the Chartered Institute of Building.

The National Cyber Resilience Centre Group comprises a network of regional cyber resilience centres, which includes the North West Cyber Resilience Centre covering Greater Manchester. These bring together police, private sector and academia, all working to help SMEs get up to speed.

NWCRC has supplementary funding to provide support to 300 SMEs based in Greater Manchester that are looking to improve their cyber security, which includes a one-to one consultation, training and free one-year membership.

Case study: from attack to opportunity

One contractor that came under threat gave a rapid response that not only kept business on track, but resulted in it upgrading its email system and upskilling its people. The company asked not to be identified, but wants to share its experience to help others. The head of IT says:

“We noticed through our external perimeter security that we were starting to see a lot of detection attempts against our email infrastructure. Initially the attacks came from China, so we geo-blocked anything coming from there, but then more and more attacks started coming from Russia, the Cayman Islands, USA and other locations. We weren’t sure whether the attack was state-backed initially.

“This happened on a working Friday last December. I suddenly started getting calls from my team asking me what was going on. It turned out the software had a security vulnerability – a zero-day threat - that Microsoft had not yet patched, so there was no action we could take against it.

“We have Cyber Essentials Plus certification, our server was fully patched and our website and internal systems are ring-fenced and were under no threat, but zero-day software threats are out there and present a big risk for companies.

“We turned off our public-facing email service and cut off access straight away; we felt it was only a matter of time until the attackers broke in. We had to have email because it is critical for the business so I enabled our Mimecast cyber security service’s continuity mode – which allowed us to continue to send and receive messages – and then brought online a new cloud-based email service, configuring it over the weekend.

“We had plans to retire the old email service and this basically accelerated them. By Monday morning we had the new service working.

“The saving grace was our use of Mimecast. We use it as a secondary gateway to filter inbound and outbound messages and as our compliance tool, so all our email data is there and was accessible to people while we were doing what we needed to do to get everything back online.

“I did live video training sessions with all our staff on the new service over the first week, and we followed that up with one-to-one sessions, as people don’t always feel comfortable airing questions in public and to ensure everyone is upskilled.

“Now, 90 days later, we’ve gone to another level in collaboration and are working in a more unified manner – a key takeaway from this experience has been the importance of learning new skills to stay relevant and competitive.

The construction sector has gone through seven years of digital transformation in the space of two years because of covid

“Alongside the new email, we’re using Google Workspace tools, so people can collaborate on a single real-time document using Sheets – instead of swapping Excel files – and communicate via the Chat function instead of email. If we internally collaborate better, we make fewer mistakes and collaborate better externally.

“Covid saw us massively increase our use of video calls on Google Meet and people have realised this is an easier way to work than face-to-face meetings. I’ve carried out research, which suggested that the construction sector has gone through seven years of digital transformation in the space of two years because of covid. That shows the speed of acceleration, but also demonstrates how far behind the sector was and the massive jump it had to make. 

“We’ve been on the receiving end of attacks on other construction companies; I’ve probably seen 30 of the top 100 contractors attacked, but nobody wants to talk about it.

“The squeeze on main contractors’ profit margins means IT budgets get constrained, so it becomes challenging to manage and maintain systems properly. When I look at main contractors’ public email settings, it is evident a lot don’t have a secondary email gateway so could be badly affected if they have an attack like ours.”