Know Your Enemy: Construction Industry Needs Better Information About Cyber Crime Risk

Circling the Cyber Wagons

What To Do First If Your Company Is a Victim of a Cyberattack — A new survey of 111 cyber claims settled in 2014 show causes of loss and claims by revenue size of all firms covered. Although hackers and malware together only account for 40% of claims, together they account for 97% of the records exposed.

Source: NetDiligence

But even the NIST framework is not enough, says Lacombe, adding, "We're trying to move away from solely a compliance-oriented security approach to one that involves continuously monitoring the system for indicators of either a vulnerability, an attack or a performance issue that might demonstrate that there's something wrong. That is widely recognized as the means by which you will achieve the level of security required."

Security Is More Than Antivirus, Firewalls

Private contracting has even more to do to tighten up than federal contractors. Joe Weiss, president of Applied Control Systems LLC, says some private contractors act as if cybersecurity compliance is required only at the handoff. "There is this thought, 'We're going to build what we're going to build, and, at the very end, we'll put in a firewall, and, therefore, we will have addressed cyber.' And the answer is, 'No, you haven't,' " Weiss says.

WEISS

The view of cybersecurity as an IT issue that is confined to the office or company servers also does not work in the construction industry, Weiss adds. Computer-guided equipment and drones and even tampering with shared procedural or structure models on company servers can create significant issues. "If it's a large construction project, you're going to have large dump trucks and cranes, and a lot of those have remotely accessible controls," says Weiss. Industrial control-system vulnerabilities figure in worst-case scenarios involving power-grid outages and chemical- facility explosions, but, paradoxically, companies increasingly are connecting equipment to the internet to control it remotely or access sensors. Says Voeller, "If I want to do something that's going to cost you billions [of dollars] or I want to do something that's going to kill somebody, I'm going to change a crane rating or I'm going to change the time at which a certain set of motors are connected to the grid."

Most such operational technology is not built with embedded security on the assumption that security will be applied once it is put on the network, says Britton. Unfortunately, securing the tools often is overlooked by IT departments, a lapse that Britton says can be resolved if departments communicate better.

Britton says due diligence requires an expert safety audit, thorough vetting of the tools and products in use, a security-first attitude and a well-tested emergency plan. But even if a firm does everything right, a breach is only as far away as an unpatched, previously undetected "zero-day" vulnerability in the tools, either in-house or in a cloud.

"In typical construction casualty underwriting," says Scott Rasor, head of construction underwriting at Zurich NA, "we talk about having nurse trailers on the jobsite, access to doctors and hospitals, [and] emergency response plans if someone gets hurt, material gets damaged or if there's a threat to the community. If I were on the board of a construction company, I would ask, 'what is our resiliency plan if somebody hacks our system? How are we going to get up and going?' That's something people can really understand and buy into," Rasor says. "After an attack is no time to be drawing up your resiliency plan."

Consulting Editor Tom Sawyer began his journalism career at the Atlantic City Press, in N.J. The former ENR editor expanded technology coverage and devised ENR's popular annual photo contest. Tom has also written memorable special reports from disaster and war zones, often taking the lead when earthquakes and hurricanes strike. His technology, disaster and war-related reporting has involved trips to Iraq, Haiti, Japan and other countries.

Post a comment to this article

The Groundbreaking Women in Construction (GWIC) conference is a leading event focusing on empowering women in the construction industry through discussions on leadership, diversity, and career development.

The annual conference features a wide array of topics, including infrastructure law, sustainability, and strategies to overcome industry challenges.

Coinciding with the release of the new 2024 Top 400 Contractors list, this annual webinar dives into the results of the Top 400 survey. We'll bring together a panel of executives from the largest contracting firms to discuss the industry’s pressing issues, from workforce challenges to data security.