The construction sector remains one of the few sectors that still lags behind when it comes to cybersecurity maturity. However, some high-profile attacks since 2017 seem to be inducing a slow change, nudging the industry into action.

The relentless trend of digitalisation touches every aspect of the sector, from Business Information Modelling Systems (BIMS), to digital ways of working, to sub-contractor system interconnections and data-sharing, to smart built assets. The trend is far-reaching and requires careful attention to the cybersecurity that underpins all of it.

Generally speaking, construction businesses of all sizes continue to be targets for cyber attackers. This is typically fuelled by the volumes of sensitive data held, the high-value payments handled, the potentially weakened defences resulting from organisational complexity, and also the perception that the industry is somewhat behind the curve in its cybersecurity mindset.

In an effort to raise awareness and provide guidance, industry associations such as The Chartered Institute of Building (CIOB) have published guidance documents, for example “The Role of Security in the Construction Industry”, as the concept of cybersecurity within the sector becomes increasingly important.

In Feb-2022, the UK’s National Cyber Security Centre (NCSC), in collaboration with the CIOB, also launched the first cybersecurity guide aimed specifically at the construction sector. It is described as “Cyber security guidance for small-to-medium businesses working in the construction industry and the wider supply chain”.

Source: CIOB Guide “The Role of Security in the Construction Industry”

A good cyber posture for any construction company is certain to bring several business advantages. To name a few: increased trust between project partners, bolstered customer confidence, assurance to project staff around their own personal data, an increased likelihood of success in joint ventures, a smaller likelihood of litigation in case of a breach, and, last but not least, the enablement of new business models and competitive advantage.

Some of the general risk areas one may envisage around the construction sector include:

PEOPLE:

  • Potential for fraud due to poor procedures for mitigating the targeting of persons in high-risk positions in a project;
  • Insider attacks and data compromise due to poor personnel security screening;
  • Increased exposure to operational disruption and increased security gaps due to inadequate security skills and competencies;
  • Operational disruption and data compromise due to staff’s inadequate awareness of security hygiene.

PHYSICAL:

  • Compromise of systems and data due to poor cybersecurity-design considerations at locations/facilities used to design, deliver, operate and support the built asset, leading to significant operational disruption and costs;
  • Compromise of systems, data and built assets, and possible health hazards, due to inadequate cyber-risk assessments and protective measures for equipment storing asset models and information;
  • Compromise of built assets and potential health hazards due to inadequate design of protective measures for the computing and electronic devices used to monitor/control built assets after the project delivery phase.

PROCESS:

  • Unauthorised access due to poorly governed access control to data and information, potentially leading to regulatory reviews/notifications/penalties;
  • Poor control of sensitive information during data-sharing activities due to inadequate policies and procedures around disclosure of information to 3rd parties, leading to sensitive information leaks and possible business embarrassment/losses;
  • Disruptive or even hazardous outcomes due to poor change control over information assets.

TECHNOLOGY:

  • Cybersecurity compromise of computers, networks, and monitoring and control systems through direct attacks by bad actors or via indirect compromise of a supply-chain partner, with potential also for health hazards;
  • Data compromise or exposure due to misconfiguration of online systems hosting sensitive business and project information;
  • Data and/or systems compromise due to poor assurance of 3rd-party software;
  • Data/systems compromise due to inadequate security procedures around data handling from cradle to grave.