CISOs have a responsibility to strategically layer up security across the organisation in order to defend against cyberattacks. Bharat Mistry, Technical Director at Trend Micro, discusses the steps organisations in the construction industry should take to achieve a comprehensive risk-based cybersecurity strategy.
Security in the construction industry has always been important, but historically it meant guarding physical sites. Today the focus is very much on protecting the digital assets, IT systems and data flows on which the success of construction stakeholders is increasingly built. With so many points of potential failure for threat actors to probe, CISOs must take a strategic, risk-based approach that layers up security across the organisation. Any less could invite serious reputational and financial risk.
Digital is everywhere
Today’s construction sector is a keen adopter of technology and it’s easy to see why. Digital Transformation offers the prospect of enhanced employee productivity by automating manual, paper-based processes. It can accelerate competitiveness, cost reductions, data-driven decision-making and increased business agility. Depending on the type of business, industry organisations might be using cloud-based applications, 3D and 5D Building Information Modeling (BIM), industrial control systems (ICS), drones, robotics, Internet of Things (IoT) systems, mobile devices and much more.
Yet this reliance on technology – and the many stakeholders typically involved in projects – also creates IT blind spots and weak links in the security chain which bad actors are increasingly capable of exploiting.
The problem with tech
It’s not hard to see where these weak points are. During the course of the pandemic, many construction industry employees were forced to work from home (WFH) to ensure the smooth running of operations. According to official statistics, almost half of the UK’s working population did some or all of their work remotely as of April 2020.
Yet as Trend Micro research revealed, home workers can easily become distracted, making them perfect targets for phishing attacks, and often willingly engage in riskier behaviour than they would in the office. They’re also likely to be using remote infrastructure such as VPNs and Remote Desktop Protocol (RDP) to log in to corporate resources. Vulnerabilities and weak or breached passwords in these systems have been ruthlessly exploited during the pandemic. One estimate suggested a triple-digit increase in RDP attacks between Q1 and Q4 2020.
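The RDP password-guessing pattern described above is one that a security team can detect from the logs it already has. The following is an added example, not code from the article or from Trend Micro: it runs a simple detector over constructed Windows Security log lines (failed logon event 4625, successful logon 4624, logon type 10 meaning RemoteInteractive/RDP) and raises an alert when one source address fails repeatedly within a short window, and a second, higher-priority alert when that same source then logs in successfully, which is what a breached or guessed password looks like in the data. The CSV-style field layout, thresholds and all addresses are assumptions made for the example.

```python
"""
Added example (not from the original article): detect the RDP
password-guessing pattern over constructed Windows Security log lines.

Assumed export format (one event per line, constructed for this example):
    timestamp,event_id,logon_type,user,source_ip
Event ID 4625 = failed logon, 4624 = successful logon,
logon type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2020-11-03T08:00:01Z,4625,10,admin,203.0.113.7
2020-11-03T08:00:03Z,4625,10,administrator,203.0.113.7
2020-11-03T08:00:04Z,4625,10,jsmith,203.0.113.7
2020-11-03T08:00:06Z,4625,10,bim_svc,203.0.113.7
2020-11-03T08:00:08Z,4625,10,root,203.0.113.7
2020-11-03T08:00:09Z,4625,10,siteadmin,203.0.113.7
2020-11-03T08:00:15Z,4624,10,siteadmin,203.0.113.7
2020-11-03T08:02:00Z,4625,10,aparker,198.51.100.20
2020-11-03T08:30:00Z,4624,10,aparker,198.51.100.20
2020-11-03T09:00:00Z,4625,2,aparker,10.0.0.5
"""

FAIL_THRESHOLD = 5             # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)  # ... inside this window raise an alert


def parse_line(line):
    """Split one constructed log line into a typed event record."""
    ts, event_id, logon_type, user, src = line.split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "src": src,
    }


def detect_rdp_attacks(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts in the order they fire.

    ('brute_force', src, failures_in_window, distinct_users_tried)
    ('success_after_burst', src, user)  -- a logon succeeded from a source
                                           that had already been flagged.
    """
    alerts = []
    recent_fail = defaultdict(deque)   # src -> deque of (ts, user) in window
    flagged_sources = set()            # sources that already produced a burst alert

    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        if ev["logon_type"] != 10:     # only RDP sessions are of interest here
            continue
        q = recent_fail[ev["src"]]
        while q and ev["ts"] - q[0][0] > window:   # expire old failures
            q.popleft()

        if ev["event_id"] == 4625:
            q.append((ev["ts"], ev["user"]))
            # Alert once per source when the threshold is reached.
            if len(q) >= threshold and ev["src"] not in flagged_sources:
                users_tried = {u for _, u in q}
                alerts.append(("brute_force", ev["src"], len(q), len(users_tried)))
                flagged_sources.add(ev["src"])
        elif ev["event_id"] == 4624 and ev["src"] in flagged_sources:
            alerts.append(("success_after_burst", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_LOG):
        print(alert)
```

The distinct-user count in the first alert separates a password spray (many accounts, one source) from a single account being hammered, which changes the response: a spray usually calls for blocking the source and reviewing exposed accounts, while the success-after-burst alert should be treated as a probable compromise and the session terminated and investigated.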
Many of these attacks were designed to deliver ransomware and steal data. Big-name construction firms, including Bouygues, Bam Construct and Interserve were all hit last year. If the threat of prolonged IT downtime isn’t enough, just consider the impact of sensitive BIM designs, budgetary and bid data, and technical and trade secrets going missing.
Part of the challenge for construction firms in this regard is that a typical project may have many moving parts — from contractors and sub-contractors to engineers, surveyors and architects. Some or all may need access to the same digital resources and they may do so via insecure home networks or mobile devices. Many workers are temporary, meaning they may care less about following security policies.
That’s not to mention the potential cyber-risks of operational technologies used in the sector. Many systems, like ICS and SCADA, play a vital role in monitoring and controlling heavy machinery. Yet with greater connectivity they can be remotely attacked. This is bad news as many are running legacy software and operating systems riddled with vulnerabilities, and communicate using insecure proprietary protocols. We recently revealed that ICS endpoints are an increasingly popular starting point for attacks.
The bottom line
Successful security breaches can have an outsized impact on construction sector companies. Why? Because success is predicated on the ability of these businesses to meet their deadlines and SLAs and pay contractors on time. Ransomware in particular can throw a major spanner in the works — causing project delays, productivity losses and ultimately serious financial and reputational damage.
A major breach could lead to regulatory fines — particularly if employee or customer personal data is involved — additional IT costs in the form of forensics and remediation, legal bills, lost client confidence and damaged competitiveness. If IoT or robotic equipment is sabotaged, it may even lead to physical injury for on-site workers.
Building back better
These challenges and risks are not lost on construction sector CISOs. So what does best practice look like in this space? A lot will depend on the organisation’s risk appetite, the type of work it does and what kind of data and assets it owns. However, a comprehensive risk-based cybersecurity strategy starts with visibility: understanding what those assets are and where they’re located. Only then can you apply the appropriate policies and controls. These should be updated to take account of the new hybrid workplace that is beginning to emerge as the pandemic recedes.
Supply chain risk is particularly acute in construction. That makes it vital to regularly and comprehensively audit any third parties and ensure they follow the same high standards of security. Zero Trust is becoming a popular option for mitigating breach risks in an increasingly distributed and fluid IT environment. That means focusing on risk-based authentication, network segmentation, endpoint security and other controls. No organisation today can claim to be 100% secure. That’s why rapid threat detection and response via an XDR platform is another key piece of the puzzle.
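The two preceding paragraphs describe a sequence: build an asset inventory first, then apply risk-based authentication and segmentation on top of it, with contractors and other third parties held to the same standard. The following is an added example, not code from the article or from any product it mentions, showing how those pieces fit together as a small access-policy evaluator. An inventory records where each asset lives and how sensitive it is; each access request carries the Zero Trust signals (employee or contractor, device management state, network zone, whether MFA has been completed); the policy returns allow, step_up (require MFA) or deny with a reason. The asset names, zones, scoring weights and contract dates are all constructed assumptions chosen for illustration.

```python
"""
Added example (not from the original article): a minimal risk-based access
policy layered on an asset inventory. Asset names, network zones, risk
weights and dates are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    location: str      # "cloud", "site_network" or "ot_segment" (assumed zones)
    sensitivity: int   # 1 = public ... 4 = trade secret / safety critical


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str                     # "employee" or "contractor"
    contract_end: Optional[date]  # contractors must have a bounded engagement
    managed_device: bool          # endpoint enrolled and compliant
    network_zone: str             # "corp", "vpn" or "internet"
    mfa_passed: bool
    asset: str


# Visibility first: the inventory is the thing every decision is checked against.
INVENTORY = {
    a.name: a
    for a in (
        Asset("public-brochure-site", "cloud", 1),
        Asset("bim-model-store", "cloud", 3),
        Asset("bid-and-budget-share", "site_network", 3),
        Asset("crane-plc-hmi", "ot_segment", 4),
    )
}


def risk_score(req: AccessRequest, asset: Asset) -> int:
    """Combine asset sensitivity with request signals into one number (weights assumed)."""
    score = asset.sensitivity
    if not req.managed_device:
        score += 2
    if req.network_zone == "internet":
        score += 2
    elif req.network_zone == "vpn":
        score += 1
    if req.role == "contractor":
        score += 1
    return score


def decide(req: AccessRequest, inventory=INVENTORY, today: date = date(2021, 6, 1)):
    """Return (decision, reason) where decision is 'allow', 'step_up' or 'deny'."""
    asset = inventory.get(req.asset)
    if asset is None:
        # An asset nobody has inventoried cannot have a policy; fail closed.
        return ("deny", "asset not in inventory")
    if req.role == "contractor" and (req.contract_end is None or req.contract_end < today):
        return ("deny", "contractor access expired or unbounded")
    if asset.location == "ot_segment" and (req.network_zone != "corp" or not req.managed_device):
        # Segmentation rule: OT is reachable only from managed devices on the corporate network.
        return ("deny", "OT segment requires managed device on corporate network")
    score = risk_score(req, asset)
    if score >= 6 and not req.managed_device:
        return ("deny", f"risk {score}: unmanaged device for sensitive asset")
    if score >= 4 and not req.mfa_passed:
        return ("step_up", f"risk {score}: MFA required")
    return ("allow", f"risk {score}")


if __name__ == "__main__":
    contractor = AccessRequest("surveyor01", "contractor", date(2021, 9, 30),
                               managed_device=True, network_zone="vpn",
                               mfa_passed=False, asset="bim-model-store")
    print(decide(contractor))          # ('step_up', 'risk 5: MFA required')
```

Two design points carry over to real deployments: the inventory check runs before anything else, so an unrecorded asset is denied rather than silently allowed, and contractor access is bounded by a contract end date so that temporary workers lose access automatically instead of depending on someone remembering to revoke it.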
Above all, never forget that cybersecurity ultimately comes down to the people. That makes regular training and awareness raising among staff and contractors essential. Turning that human-shaped weak link into an effective first line of defence could make all the difference.