Cyber-attacks are almost inevitable and, as their threat grows, innovators in the construction industry have a chance to outshine their competitors.
Cyber-threats are the bogeymen of the early 21st century.
Electronic devices have transformed the way we live and work. Yet there is an increasing awareness that their potential exploitation leaves people and businesses vulnerable to cyber-crime, cyber-attacks and even cyber-warfare.
In recent years the transformational potential of technology has taken hold in even that most hands-on of industries: construction. But is the industry sufficiently aware of and protected against the threats posed by this digital world?
The Department for Culture, Media and Sport’s 2017 cyber-security breaches survey reported that almost half (46 per cent) of all UK businesses surveyed identified at least one cyber-security breach or attack in the past 12 months, rising to two-thirds among medium-sized (66 per cent) and large companies (68 per cent).
However, the responses from the construction sector suggest the industry may not be taking the threat sufficiently seriously.
Mapping the threats
The government’s survey revealed that senior managers in construction were less likely to view cyber-security as a high priority than the all-sector average.
Some 41 per cent of construction firms admitted that they never updated senior managers on cyber-security, while only 35 per cent of respondents from the sector strongly agreed that their core staff take cyber-security seriously in their day-to-day work.
“Construction is a lot less well prepared and aware than the finance sector,” warns Hugh Boyes, cyber-security lead at the Institution of Engineering and Technology (IET).
“In the construction and property sector this type of crime is only just starting to emerge, but we have seen instances of property purchasers being asked to send deposits to fraudulent accounts. That is the start of criminals realising that this is a sector where there is a lot of money. Given the rate at which cyber-crime is expanding globally, it is just a matter of time before they find ways of exploiting our systems and information.”
The true scale of the problem is difficult to determine. Companies are understandably reluctant to publicise their cyber-security failings, so only a small number of attacks come to light.
“We don’t know about the stuff that is covered up where companies manage to control the publicity,” Mr Boyes says. “We do know that we are under a constant barrage of targeted and untargeted attacks. If you look at WannaCry [which hit NHS computers in May 2017], that attack wasn’t specifically targeted at the NHS. It just happened that they were vulnerable to that particular piece of malware.”
Cyber-attacks take several forms. The most common is phishing and its more targeted variant, spear phishing, in which the email of one of a worker’s contacts is cloned with the aim of extracting private information. Other threats include computer viruses; ransomware such as WannaCry, which locks systems until a ransom is paid; and hacking, which involves accessing systems remotely to steal or destroy data.
The loss of private information – either personal details or intellectual property – presents the same considerable dangers for the construction industry as it does for other sectors.
“For companies that have been breached it is a wake-up call to realise how much impact a single cyber-security breach can have – it can be millions and millions of pounds and cause significant harm to an organisation’s reputation, client base and market share,” says PwC cyber-specialist Niko Kalfigkopoulos.
In May 2018, the EU General Data Protection Regulation (GDPR) will come into force, introducing stricter rules for protecting EU citizens’ data and a stringent fines regime. Non-compliant companies could be hit with a penalty of up to £20m or 4 per cent of annual turnover – whichever is larger.
“GDPR will have a massive impact,” predicts Steve Cooper, UK general manager at construction management software provider Aconex.
“In the UK we have been pretty lax around data protection. It will put a more significant burden on everybody, whether they are employers or technology providers that hold people’s data. There is a lack of understanding in the market about what it means. If you are contracting with an organisation that is not GDPR-compliant then potentially both of you are in breach.”
Some cyber-risks are specific to the built environment, however. These dangers have emerged as a consequence of the adoption of BIM and the use of collaborative software platforms.
“There are two immediate things we need to think about,” says Jeremy Watson, vice-dean of engineering at University College London and immediate past president of the IET. “One is BIM, and the care that is taken of CAD drawings and who they are released to. On the other side, there is the emerging threat from the move from standard building management systems (BMS) to sensors that are linked to the internet of things.”
Prof Watson was involved in drafting the security specification for BIM Level 2. “The thing that drove [the drafting] was a major London development site where the contractors were so proud of using BIM, they were putting all their drawings on the open web and revealing details that the security services were very alarmed about,” he recalls.
The information contained within a BIM model could potentially be of great value to thieves, terrorists, or even hostile foreign powers. “People with ill intent often do photographic reconnaissance on a target site,” Prof Watson says. “There is a limited amount they can get from that, but by going into this sort of resource it will show hidden features like service ducts that wouldn’t otherwise be available, so there was a real and immediate threat.
“Any feature touched by a BIM-modelled object needs to be modelled as well. You could have the infrastructure of a whole town starting to be revealed through the unlimited publication of BIM data. On the other hand, you don’t want to stifle innovation, so it is a delicate balance. It comes down to deciding who needs to see the drawings and when they need to see them.”
BIM Level 3 brings with it a new set of cyber-risks by incorporating real-time data into the model, supplied by a new generation of internet-linked building management systems. As director of the Petras Internet of Things Research Hub (a consortium of nine British universities), Prof Watson is considering the security implications of the move to Level 3.
“Wherever you have translated a physical link into a wireless link, there is an extra attack surface for cyber-criminals to hack into or monitor those signals,” he says. “That is a considerable concern because if we start to get negative publicity about people hacking into BMS, that could set the whole industry back.”
Locked doors, open vaults?
The latest technological developments raise the spectre of a malevolent or merely mischievous hacker breaking into a building’s systems to tamper with the controls.
That in turn makes a number of frightening scenarios possible: a burglar could shut down security cameras in order to rob a building unobserved; rapidly raising the temperature in the refrigerated unit of a laboratory could wipe out years of research; and accessing the information screens at a stadium to post misleading information could provoke mass panic. Alternatively, the threat of such actions could be used for blackmail.
A poorly secured BMS can act as a back door for hackers to access corporate systems and steal data. Prof Watson describes how IBM’s ethical hacking team, which is employed to test security, used a BMS with a weak password to access a company’s main computer system. “The installer, for reasons of convenience, had connected it to the enterprise system as well,” he explains. “The hackers were able to demonstrate they could steal data records from the business via the BMS.”
That sort of vulnerability is a consequence of the building design process, argues ISG head of technology Paul Cook. “The way the different teams work is very siloed and cyber-security problems come out the back end,” he says.
“You need a master systems architect who stands across all the disciplines, so the guy designing the network sits alongside the guy designing software, [as well as] the guy who designs the M&E systems. Then there is no open back door because one system is talking a different language to another. All the systems are built around each other so you design-in security.”
Long supply chains of subcontractors present an obstacle to building greater cyber-crime awareness and resilience, argues Sarah Schütte, managing director of legal at Schutte Consulting. She observes that while most main contractors and large subcontractors have cyber-security policies, training and equipment in place, many smaller subcontractors do not.
“Main contractors will have no choice in terms of using data and technology to deliver the increasingly large and swift outputs their clients are demanding, and they need good cyber-security to mitigate some of that risk at their tier one level,” she says. “However, their supply chain is not geared up to do it because it doesn’t have the investment and the cashflow. Solving that will require investment from the top so that those lower in the supply chain can piggyback on somebody else.”
Aconex’s Mr Cooper also notes that some contractors struggle to stay up to date with the latest and safest technology. “One of the challenges for our industry is that it is highly fragmented and a large volume of the supply chain is [made up of] very small companies who don’t have an IT person,” he points out. “They might be working and living with the same laptop and browser they had five years ago, without upgrading it.”
As yet there is only a limited regulatory framework around cyber-security and the built environment. Some public contracts require suppliers to be certified under the government’s Cyber Essentials scheme, which aims to help smaller businesses protect themselves against cyber-attacks. But in most commercial arrangements contractors are only expected to abide by the requirements of their individual client.
However, the environment is set to become more regulated as early as next year. As well as the introduction of GDPR, May 2018 will see the EU Network and Information Systems (NIS) directive come into force. It requires improved cyber-security from the operators of ‘essential services’ and will potentially apply to construction projects in sectors such as energy, transport, water, banking, finance, healthcare and digital infrastructure.
For those companies keen to ensure their cyber-security practices are up to scratch, Ms Schütte recommends studying ISO 27001 – the international best practice standard for information security. “I would definitely advocate people looking at the ISO and deciding whether what is needed to achieve accreditation is worthwhile for their organisation,” she says.
Enhanced cyber-security can have benefits beyond protection from hackers. “Insurers are very interested in that, because gaps in robustness are risks,” Ms Schütte says. “That contributes to having a good risk profile for the business and a saving on the bottom-line cost of insurance.”
PwC’s Mr Kalfigkopoulos points to another potential upside. “Cyber-breach in the construction sector is about when it will happen, not if it will happen,” he argues.
“Construction companies have a real opportunity to come forward and embrace cyber-security as a very important aspect of business. The first companies that do that, and ask the difficult questions, will really outshine their competitors.”
Construction and infrastructure-related cyber-attacks
In November 2017 Jewson admitted it had discovered a “foreign piece of code” encrypted into its website, which had potentially compromised the personal data of up to 2,000 of the UK merchant’s online customers.
An investigation into the power cut that hit the Ukrainian capital Kiev in December 2016 concluded that the blackout was caused by a cyber-attack – possibly a test run for advanced grid-destroying malware. The incident followed a similar but larger outage in 2015, which was blamed on the Russian security services.
One of the largest US contractors, Turner Construction, fell victim to a ‘spear phishing’ scam in 2016 when an employee sent workers’ tax details and social security numbers to an email account set up by the fraudster.
In 2015 €17.2m was stolen from one of the subsidiaries of Finnish crane-maker Konecranes. The company said perpetrators used identity theft and other methods to induce the subsidiary to make unwarranted payments.
Japanese construction machinery manufacturer Komatsu was forced to issue a warning over a fraudulent website in Ghana in 2015. Posing as an official site, it was being used to collect deposits from applicants for fictitious jobs.
In perhaps the most notorious incident of its kind, Chinese hackers stole the blueprints of the new Australian intelligence service HQ in 2013. The attack took place through the computers of an unnamed construction contractor, exposing building layouts and the location of communication and computer networks.