August 14, 2020 A Blueprint for Better Construction Industry Security

Construction companies can protect themselves from the growing threat of cyberattacks through basic digital security best practices.

By Corey Nachreiner, CTO at WatchGuard Technologies

The construction industry has been a laggard when it comes to adopting new technologies and cyber security solutions are no exception in this space. But the market is beginning to pay attention to the realities of the cyber security threats every organization faces today. In fact, according to the 2019 Travelers Business Risk Index, nearly half of all construction executives believe their firms are destined to fall victim to a cyberattack. This isn’t surprising, given the recent incidents within the industry, such as the ransomware attack sustained by Bird Construction in Ontario. And yet, despite their apparent concern more than 68% of these executives admit that they haven’t assessed their security risks or made any plans or preparations.

The reality is that the construction organizations are facing the same vulnerabilities and threats as every other industry, as well as a set of unique challenges that come with vast supply chains, active jobsites and more. Critical IT resources such as smart devices, routers, computers with CADD and blueprint software, Wi-Fi hotspots and so on are all housed in the base of operations at job sites. Due to the inherently temporary nature of construction projects, this IT infrastructure is often less protected than similar setups would be in a traditional office setting. This makes for a ripe target for attackers looking to steal valuable information that developers, architects, engineers and construction managers are accessing and sharing on a daily basis.

Now that we’ve covered the general state of security for construction organizations, let’s explore four key strategies and best practices you can leverage to better protect your company data:

Build a Solid Security Foundation – Like any other business, strong cyber security in the construction industry starts with fundamental layers of security. Any computing devices on site should be secured in the same way as it would be in a traditional office setting. Deploy firewalls, patch software regularly, back up your data frequently, enable core network security services and endpoint protections, etc. These are basic table stakes, but critical nonetheless. New generations of ruggedized security technologies including multi-function security appliances and Wi-Fi access points can address historical jobsite issues like heat, dust and moisture, while remote monitoring and management tools can allow IT managers to execute updates and monitor alerts from a central location.

Know Your Enemy – You can’t adequately protect your company data without first understanding who might want to get a hold of it, as well as how and why. One of the main motivations for targeting a construction site is the theft of intellectual property, such as blueprints which could provide intelligence a criminal would need to defeat the physical security in the future. Another could simply be compromising the supply chain to divert payments or extortion via ransomware. Attackers might even want to open a backdoor into a future tenant’s network by gaining control over the building automation systems being installed in a new development. Understanding these motivations can help you identify the best mix of security layers to implement in order to thwart attacks before they happen.

Prioritize Security Education and Training – Better cyber security awareness is a simple but powerful measure you can take, especially given how wide ranging the level of technical skill and training is across construction teams and employees. Teach all managers, employees and contractors to identify phishing attempts, flag suspicious emails, calls, or wire transfer requests, and not click on every link they receive. These are just a few basic precautions you can take that will go a long way toward preventing breaches.

Shore Up Digital and Physical Security in Tandem – Some construction companies may already be undergoing digital transformation initiatives, deploying using wireless or cellularly-connected rugged tablets and shared blueprints and plans on digital devices rather than paper. You might be using drones for site inspections or 3D printers for prototyping. Today’s cyber criminals are already targeting tablets, smart phones and other mobile devices and while attacks on drones or 3D printers aren’t as common, they are possible. Regularly update these devices, change their stock passwords and assess them for potential compromises.

Understanding the connection between physical and cyber security is also important as cyber attackers often gain access by simply walking through the front door – and there is a lot of coming and going on a building site. Physical security on site is often more focused on preventing stolen equipment and materials than it is on protecting exposed data cables, for example, that could be directly tapped to monitor traffic or “listen in.” Physical security controls are often disabled or minimized for workers who frequently need to get in and out, leaving the door open for insider threats or external attackers to take advantage. Ensure you have the necessary monitoring and processes in place to validate that gaps in your physical security aren’t giving way to potential cybersecurity incidents.

The deluge of cyber attacks is growing at a massive pace, and no industry is immune. As the construction market as a whole moves elevate security controls as a means to prevent the financial and reputational damage caused by breaches, consider implementing the above best practices and strategies to better protect your company data.

Corey Nachreiner

About the Author
Corey Nachreiner is the CTO of WatchGuard Technologies. A front-line cybersecurity expert for nearly two decades, Corey regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. A Certified Information Systems Security Professional (CISSP), Corey enjoys “modding” any technical gizmo he can get his hands on and considers himself a hacker in the old sense of the word. For more information on WatchGuard, visit https://www.watchguard.com. Contact: corey.nachreiner@watchguard.com

Subscribe to Industry Today