Adoption of technology makes construction industry top target of cyber attacks
- Construction is the #1 industry affected by ransomware, according to an analysis of 1,200 companies in 35 different industries by NordLocker, an encryption software company based in the UK and the Netherlands. Ransomware is a computer virus that locks a target device until the victim pays a fee to regain access, usually through cryptocurrencies.
- Victims of construction ransomware attacks ranged from a group of Asian-based construction engineering companies consulting on projects estimated to be worth $20 billion a year to small family businesses, like a roofing company in Texas, according to the report.
- Industry experts have said construction companies are most vulnerable to loss of funds due to email communications, malware, ransomware and, more recently, “siegeware,” which specifically targets intelligent building technology.
The construction industry is an increasingly attractive target for hackers. Recent examples include Bouygues Construction, a French contractor that fell victim to a ransomware attack in 2020. The same gang of hackers, Maze, hit a Canadian building contractor before its attack on Bouygues.
While the higher revenue of large companies attracts hackers, small businesses in the construction industry remain equally attractive targets, according to the NordLocker report.
This is because these small businesses generally don’t have the same cybersecurity controls in place as large businesses, making them easier targets for ransomware attacks, according to Oliver Noble, cybersecurity expert at NordLocker.
Bobbi Bookstaver, director of information security at Boston-based Shawmut Design and Construction, said construction companies need to have a plan in place before they become the next target.
As part of its cybersecurity strategy, Shawmut conducts extensive training with every employee when they are hired, throughout the year, and again if they click on a phishing simulation, to ensure they understand how to identify a suspicious email and what to do about it, Bookstaver said.
“Without a single solution to prevent an attack, the defense strategy would have to combine technology with a robust communications campaign to raise awareness and educate and provide the tools to act quickly in the event of an attack,” Bookstaver said. “Proactive preparation and a detailed cybersecurity strategy based on cutting-edge technology, best practices and rigorous training programs create a cutting-edge defense strategy.”
As more buildings incorporate technology, they also become targets, said Katell Thielemann, vice president of research at Gartner, a technology research and consultancy firm based in Stamford, Connecticut.
“It is very likely that we will see the emergence of siege software as a result of the current ransomware outbreak,” said Thielemann. “Indeed, as soon as buildings are connected, they become cyber-physical systems. And construction companies and building owners now face a whole continuum of cyber and physical risks and threats.”
In other words, cybercriminals are now mixing the concept of ransomware with the hijacking of building automation systems. Video cameras widely used in buildings are “notoriously among the most vulnerable systems,” Thielemann said.
“IoT devices – asset tracking, workplace security, machine control, wearable devices, etc. , a California-based IoT security provider. “Special attention should be paid to surveillance devices, such as IP cameras, as cybercriminals can use these devices for reconnaissance operations to observe behavior, examine material and plan attacks.”
Other emerging threats are also on the horizon. These include unmanned drones, and the question of how construction sites can prevent them from exfiltrating data or interfering with work on site. If these devices are connected to GPS, contractors should think about how they can prevent jamming or identity theft, Thielemann said.
“Often, executives in asset-centric industries see cyber risk as something that only tech-centric or e-commerce-centric companies should worry about,” Thielemann said. “But they should take a step back and think about how their business would operate without connectivity. All of those assets are now cyber-physical systems and they’re at the heart of everything they do.”