
Bricks, Bytes, and Breaches: Cybersecurity in the Construction Sector

by Tim Chambers, Eleanor Barlow • May 2023

The construction sector is becoming a particularly appealing target to malicious actors. This is mainly due to the myriad of third-party suppliers used, the hoard of personal data being collected, and the large sums of money involved in construction projects.

Despite past warning signs (Bird Construction and Solid Bridge Construction have already fallen victim), many construction companies see cybersecurity as an afterthought, due to strict time constraints when delivering projects.

Information Security and End User Behaviour

The first mitigations go back to the time-tested cybersecurity controls of Information Security and End User Behaviour. These are critical in the construction sector, where the names of contractors, investors, and suppliers are all part of the swamp of data that is attractive to an adversary.

It is vital that all those involved in any construction process are aware of regulatory best practices, alongside cybersecurity best practices. A data breach does not only come from a malicious actor: a well-meaning email can also breach data compliance laws and lead to a hefty fine.

The Notorious Supply Chain

In the construction sector, managing a supply chain can be complex and can involve numerous subcontractors and suppliers. Along with the physical delivery of materials, machinery, and labour, there is also the exchange of digital information, such as designs and specifications. Alongside the obvious construction providers, you must also take into consideration those that provide essential services, like email providers and accounting software companies.

Cyber-attacks on suppliers can be just as damaging as attacks on your own business, as they can provide a way for threats to gain access to your organization. It is essential to employ cybersecurity measures when collaborating with suppliers and partners.

Understanding your supply chain is critical to securing it effectively. Start by creating a list of all suppliers and partners and identify which ones are highest priority in terms of risk. Look for information published by your suppliers to understand how they provide services securely, and make sure you understand each party’s security responsibilities under your contract or licensing agreement.

Cyber Insurance

One element of cybersecurity that is commonly absorbed into the price of a construction project is cyber insurance. Of course, we all know this is a very reactive control that focuses more on financial mitigation. This nonetheless means that PII and sensitive information will be leaked online, and cyber-attacks will inevitably delay a project in the long run. It is also worth noting that Lloyd's of London have released a statement maintaining they will not pay for claims regarding cyberattacks from ‘APTs’ or ‘Nation-State Attackers’. You can read this statement here.

Cyber-Physical Systems (CPS) Security

Construction companies expanding into concessions, water, waste management, energy systems, maintenance, and asset management are increasingly adopting Cyber-Physical Systems (CPS) technology. However, CPS security is even harder to maintain than traditional IT security, leaving businesses exposed to cyber threats. Cybersecurity strategies must now adopt a holistic approach to manage OT, IoT, IIoT, and IT security as part of a coordinated effort to mitigate the evolving threat landscape targeting CPS environments.

The End User, Information, CPS, and Supply Chain controls are key focus areas for the construction sector. This does not mean that a robust Network and Infrastructure security estate should be ignored, as this is the foundation of any secure IT estate.

Next Steps

An MSSP can help alleviate cybersecurity issues within construction by providing the necessary expertise to bridge the knowledge gap, assist with regulatory compliance, and streamline data management across the organization, ultimately improving overall cybersecurity posture.

Managed Endpoint Protection (EPP) and Managed Detect and Respond (MDR) allow any threats targeting a large environment to be prevented and contained, mitigating any potential damage.

This infrastructure expertise extends to the protection of sensitive data: the most effective security posture is implemented and continually audited and tested, so that any sensitive data is secure. It also extends to Vulnerability Management as a Service (VMaaS), which can ensure your digital estate is protected, hardened, and not exposed to any malicious actors.

These services are enriched by Threat and Risk Intelligence (TRI) to stay ahead of any potential issues and leverage Dark Web Intelligence. SecurityHQ’s holistic approach to cybersecurity means that we can assess, manage, and provide advice regarding Third Party Risk exposure. We have bespoke Network and Infrastructure hardening plans and maturity roadmaps that we not only provide but also advise on in relation to any business, to ensure that you can develop your cybersecurity controls every step of the way.

This ensures that supply chain compromise and data exposure are never issues that you have to face. To speak with one of our experts, get in contact here.