Cybersecurity in the Construction Industry: Understanding the Risks

For small businesses, the result of a cyber incident can be disastrous. While larger organizations and enterprises may be able to absorb the monetary costs and reputational damage that is caused by a cyber incident, most smaller businesses are unable.

“The National Cyber Security Alliance has recently released statistics that show 20% of small businesses experience such an attack every year, and that 60% of these businesses were forced to close within six months of being hacked.”¹

Cybersecurity risks are constantly evolving as organizations adopt new technology (such as cloud services) and cyber criminals adopt new tactics, techniques, and procedures (TTPs). The construction industry doesn’t have the same regulatory and compliance requirements pertaining to cybersecurity that other industries—such as the financial and healthcare sectors—have, yet they face the same threats. For this reason, it is imperative for the construction industry to focus on cybersecurity risks to avoid becoming the next victim of cybercrime.

How a Cybersecurity Attack Can Impact Construction Companies

Today, construction companies transmit and store the kinds of sensitive data that cyber criminals target most. Employee and project information, contracts, financial data, and planning tools are all at risk — yet the industry remains behind the curve in bolstering cyber security measures compared to other industries. 

What’s more, the move to an increasingly remote workforce with more devices in play has exposed gaps in networks that cyber criminals are all too happy to exploit. And as the industry continues to embrace the Internet of Things (IoT) and leverage artificial intelligence technologies, their potential attack surface also continues to expand.

Cyber criminals most often seek financial gain from an attack via ransomware. But there are additional, deeper impacts of a cyber attack as well:

• Down time: Deadlines aren’t made to be broken. An interruption in business due to a technology disruption can cost a company days or even weeks it can’t afford in reduced or even lost productivity.
• Breach of project IP: Loss of privileged contracts, proprietary designs, schematics, and confidential blueprints can not only lead to huge financial losses. It could also result in irreparable damage to reputation.
• Loss of bid information: Forfeiting leverage in the upfront process can result in losing competitive advantage, as well as the job itself.
• Equipment damage: It’s a concern for equipment off and on site. Servers, devices, and key computing hardware are costly to repair or replace. And compromised on-site equipment can lead to significant physical damage to nearby structures and the equipment itself.
• Workforce injuries: Protecting the most valuable asset is paramount. A security breach or system failure that allows autonomous equipment to be compromised puts the safety of workers — and civilians — at significant risk.  

There are many ways that cybercriminals (also known as threat actors) can compromise confidential information in an organization. Below, we’ll address three of the most common vectors for a successful cyber attack.

Common Cybersecurity Threats for Construction Companies:

Spear Phishing

One of the most common techniques, “spear phishing is an email targeted at a specific individual or department within an organization that appears to be from a trusted source. It’s actually cybercriminals attempting to steal confidential information. A whopping 91% of cyberattacks and the resulting data breach begin with a spear phishing email, according to research from security software firm Trend Micro. This conclusively shows that users really are the weak link in IT security.”²

Often, threat actors will employ the use of malicious file attachments when conducting these types of attacks. “There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary’s payload exploits a vulnerability or directly executes on the user’s system. The text of the spear phishing email usually tries to give a plausible reason to open the file, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.”³

Password Spraying

This technique “uses one password (e.g. Password01), or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.” For instance, from September 2018 through February 2019, Proofpoint conducted a six-month study that analyzed over 100,000 unauthorized logins across millions of monitored cloud user-accounts.”⁴

“The company found that 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based password-spraying attacks, while 25 percent were successfully breached in this manner. Proofpoint noted that the number of IMAP-based password-spraying attacks jumped up following the December 2018 publishing of the Collection #1 data dump that exposed nearly 773 million unique emails and 21 million unique passwords.”⁵

Exploiting Vulnerabilities in Unpatched Software

“Earlier this year, the National Security Agency urged organizations to ensure that they are using patched and updated systems in the face of growing threats. The vulnerability is present in Windows 7, Windows XP, Server 2003 and 2008, and although Microsoft has issued a patch, potentially millions of machines are still vulnerable.”⁶

How Construction Companies Can Mitigate Cybersecurity Risks

Dean Dorton recommends that organizations consider the following to identify their risks and enhance their cybersecurity preparedness:

• Identify where your valuable information is stored (on your internal network and the cloud)
• Develop policies, procedures, and standards pertaining to cybersecurity
• Adopt a cybersecurity control framework
• Develop a cybersecurity incident response plan
• Secure your backups; also, test your backups to ensure they work correctly upon use
• Disable legacy authentication protocols (such as IMAP)
• Enforce two-factor authentication (2FA), also referred to as multi-factor authentication (MFA)
• Update and patch your computers. Vulnerable operating systems and third-party applications are often targeted by threat actors. You should ensure that your operating systems and third-party applications are updated with the latest updates.
• Train your organization. “Organizations should ensure that they provide cybersecurity awareness training to their personnel. Ideally, organizations will have regular, mandatory cybersecurity awareness training sessions to ensure their personnel are informed about current cybersecurity threats and threat actor techniques. To improve workforce awareness, organizations can test their personnel with phishing assessments that simulate real-world phishing emails.”⁷
• Perform regular cybersecurity assessment and penetration tests against the network—no less than once a year. Ideally, run these as often as possible and practical. Dean Dorton can perform these tests for you.

Dean Dorton’s Information Security Office (ISO) provides a team of experienced information security professionals who can augment your organization’s information security team or take the lead in designing, implementing, and maintaining a strong information security program on your behalf.

¹https://www.csoonline.com/article/3437777/how-a-small-business-should-respond-to-a-hack.html
²https://www.knowbe4.com/spear-phishing/
³https://attack.mitre.org/techniques/T1193/
⁴https://attack.mitre.org/techniques/T1110/
⁵https://www.scmagazine.com/home/security-news/password-spraying-attacks-abuse-imap-to-break-into-targets-cloud-accounts/
⁶ https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1865726/nsa-cybersecurity-advisory-patch-remote-desktop-services-on-legacy-versions-of/
⁷ https://www.us-cert.gov/ncas/tips/ST19-001