Dive Brief:
- Construction is the No. 1 industry hit by ransomware, according to an analysis of 1,200 companies in 35 different industries by NordLocker, an encryption software firm based in the U.K. and the Netherlands. Ransomware is a computer virus that takes over the target device until the victim pays a fee to regain access, usually through cryptocurrencies.
- Victims of ransomware attacks in construction ranged from an Asia-based group of construction engineering companies that consult on projects worth an estimated $20 billion annually to small, family-owned enterprises, such as a roofing company in Texas, according to the report.
- Industry experts said construction companies are most vulnerable to loss of funds through email communications, malware, ransomware and, most recently, "siegeware," which specifically targets smart building technology.
Dive Insight:
The construction industry is an increasingly appealing target for hackers. Recent examples include Bouygues Construction, a French contractor, falling victim to a ransomware attack in 2020. That same hacker gang, Maze, hit a Canadian construction contractor before its attack on Bouygues.
While large companies generate more revenue to attract hackers, small companies in the construction industry remain just as appealing targets for hackers, according to the NordLocker report.
That's because these smaller companies usually do not have the same cybersecurity checks in place as larger businesses, making them easier targets for ransomware attacks, according to Oliver Noble, cybersecurity expert at NordLocker.
Bobbi Bookstaver, director of information security at Boston-based Shawmut Design and Construction, said construction firms need to have a plan in place before they become the next target.
As a part of its cybersecurity strategy, Shawmut conducts extensive training with each employee upon hiring, during the year, and again if they click on a phishing simulation to ensure they understand how to identify a suspicious email and what to do about it, said Bookstaver.
"With no singular solution to prevent an attack, the defense strategy should pair technology with a robust communication campaign to drive awareness and education and provide the tools to act swiftly in the event of an attack," Bookstaver said. "Proactive preparedness and a detailed cybersecurity strategy built on industry-leading technology, best practices and stringent training programs create a leading-edge defense strategy."
Facilities at risk
As more buildings have technology built into them, they are also becoming targets, said Katell Thielemann, research vice president at Gartner, a Stamford, Connecticut-based technology research and consulting company
"It's very likely that we will see the emergence of siegeware following the current rash of ransomware," said Thielemann. "This is because the moment buildings become connected, they become cyber-physical systems. And construction companies and building owners now have to face an entire continuum of cyber and physical risks and threats."
In other words, cybercriminals are now mixing the concept of ransomware with hijacking a building's automation systems. Video cameras widely used in buildings are "notoriously some of the most vulnerable systems out there," said Thielemann.
"IoT devices — asset tracking, worksite security, machine control, wearables, etc. — are typically the most vulnerable, as these devices often were not designed with cybersecurity in mind," said Bud Broomhead, CEO and founder of Viakoo, a Mountain View, California-based IoT security provider. "Special attention should be paid to surveillance devices, like IP cameras, as cybercriminals can use those devices for recognizance operations to observe behaviors, examine materials and plan attacks."
Other emerging threats are also on the horizon. These include thinking about how construction sites can prevent remotely piloted drones from exfiltrating data or interfering with site work. If these devices are GPS-connected, contractors should think about how they can prevent jamming or spoofing, said Thielemann.
"Often, leaders in asset-centric industries think of cyber risks as something only technology or e-commerce centric businesses should worry about," said Thielemann. "But they should take a step back and think about how their business would work without connectivity. All these assets are now cyber-physical systems and they are core to everything they do."