The Construction Industry’s Cyber Vulnerability is a C-Suite Risk
Written by: Jade Davis, Esq.
Continued technological advances in artificial intelligence, robotics, and remote and cloud-operated machinery have amplified the need for the construction industry to have a robust cyber risk strategy. As a result, cybersecurity is now firmly positioned as a C-suite risk and should be a regular topic of conversation at the Board and executive levels. By investing time and resources in creating an effective cybersecurity plan, construction companies can protect themselves from threats and have a plan ready for when the unexpected hits.
Construction stakeholders continue to deal with various new risks by updating and integrating technologies. This industry needs to be faster at identifying and addressing cyber risk. If not, threat actors will continue to use this sector’s vulnerability as a strength. What is the result? Consistent attacks.
Construction is a high volume, low margin business with success based upon its ability to meet project deadlines and contract specifications. Digital connectivity allows the construction supply chain to facilitate accurate collaboration to improve performance. Technology has allowed us to monitor progress, logistics, health & safety, and sustainability in ‘real-time’ for increased connectivity, collaboration, and efficiency.
In the hacker/cyber-criminal world, construction companies are targets for the following reasons.
Inadequate firewalls or defenses against cyber-attacks (anti-virus software pre-loaded on consumer-grade computer systems and software is insufficient to thwart determined hackers).
Poorly Managed Infrastructure
Use of multiple digital systems, software, and communications devices spread across numerous job sites and offices. Even the most secure infrastructures are vulnerable because, often, company executives and even IT staff may not know about all the devices the crews use. In addition, forensic investigations uncover a lack of holistic authorization, testing, and integration of all devices under one security umbrella. Without adequate infrastructure, the weakest link/device allows a cyber-criminal to gain access and dance between additional devices.
Examples include:
- Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition Systems (SCADA), which monitor and control equipment and plant operations.
- Drones, which enable job site surveillance, surveying, and access to previously inaccessible places.
- Autonomous Construction Machinery for remote navigation of excavators, bulldozers, backhoes, and dump trucks for higher utilization rates and lower operator costs.
- Robotics to assist with bricklaying and road paving, to replace highly repetitive, systematic manual processes.
- Biometrics, which help manage and control construction sites and projects through access control to secure areas, on-site attendance reporting, health and safety, compliance, and remote management of multiple workforces.
Supervisors, estimators, and other critical employees often take their laptops or tablets home at night or on the road for tradeshows, conferences, and site work. The construction industry is the grandfather of remote work. Base camps usually allow workers to access a network to transfer information through portable devices. Many locations are temporary workspaces sharing the same network security protocols used in permanent locations.
Subcontractor and vendor access, if not used correctly and securely, can create backdoors for hackers to exploit. Employees and contractors commonly use project management software to track job status and collaborate with external vendors. Firms must inventory this data; knowing who has access to what, where, why, how, and for what purpose is critical.
Old computers, operating systems, and virus protection are also threats. Eventually, Microsoft and Apple quit supporting older operating systems with security patches. Cybercriminals scour the internet looking for these vulnerabilities.
Addressing the Issues
In response to these known vulnerabilities, Travelers Insurance launched the Travelers Innovation Network for Construction (TINC). In February 2023, Travelers announced TINC as an online platform providing construction customers with access to industry insights and a curated group of technology providers and solutions to improve productivity and safety on job sites.
Travelers Insurance is moving its clients to its list of risk management tools vetted by its team of construction specialists to curb attacks and minimize claims. Since only 30% of construction businesses have a written business continuity plan to help them survive and recover from a cyber-attack, TINC is vital in curbing risk and educating industry leaders.
Cyber risk is the elephant in the room that continues to grow.
We can no longer walk around it.
Cybercriminals evolve and modify their techniques to attack again immediately after a victim regroups from an event. Being proactive is no longer merely a best practice of doing business; it is the requirement of doing business and keeping a sustainable business. Stakeholders must be proactive in their response, looking at the risks holistically and instilling a cybersecurity culture in the boardroom, on-site, and everywhere in between.
If you’re reading and still in denial or need to report to a sleepy C-suite, let’s quickly delve into cyber event consequences.
- Digital assets, including business plans and acquisition strategies, compromised.
- Proprietary construction plans and designs exposed.
- Customers, contractors, supplier lists, and pricing exposed.
- Exposure of personally identifiable information (PII) of employees and contractors, protected health information of staff, and facilities security information.
- Proprietary trade secrets no longer safeguarded from competitors.
- Liability to third parties, such as employees, clients, and regulators, arising from computer security failure and breach of private information.
- The costs of dealing with the failure of security or breach of privacy include notification, ransom payment, forensics, legal services, data restoration, and lost income through business interruption.
- Breach of confidential business information through storing and sharing bid and project data/specifications, owner’s processes, and project management. This access is typically granted under non-disclosure/confidentiality agreements as a part of a project and mandates contractual penalties should a breach occur. Therefore, companies must be mindful of the costs of response and remediation as well as penalties.
- Bodily injury and property damage through the failure of IoT, robotics, and remote control of processes and physical security.
- Liability for delay and business interruption caused by unauthorized access to project data and systems (e.g., financial penalties, business reputation).
Mitigating Cyber-Security Risk
To reduce the likelihood of a cyberattack, keep the following preventative strategies in mind.
- Create a culture of awareness and understanding throughout your organization. The first line of defense is your workforce.
- Protect your assets with policies on cybersecurity basics like using strong passwords, multi-factor authentication, encryption for sensitive data, and restrictions on using removable media.
- Train employees on best practices, including how to recognize potential phishing emails and the sensitive information to which they have been granted access.
- Improve supply chain management. Contracts with subcontractors, suppliers, and others are essential to mitigating cyber risk. Understanding governmental, regulatory, or private business requirements creates successful relationships and wins contracts.
- Identify and assign the internal and external members responsible for the incident response and defense plan. Ensure that everyone knows their role and duties.
- Determine contingency plans to maintain critical site work and create safety protocols to protect systems that may be endangered due to a cybersecurity breach.
- Create a plan to notify impacted parties should a data breach occur for each project. Vendors, subcontractors, and all involved in the construction project must be notified promptly should a breach occur.
- Obtain cybersecurity insurance and require vendors and others working on the project to purchase similar protection.
- Consult with legal counsel and insurers to discuss legal and contractual obligations and coverage considerations in determining the next steps. Counsel will also collaborate with federal, state, and local regulatory authorities to ensure compliance with all regulatory requirements.
This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.