By Nathaniel C. Gravel, CISA, CISM, CRISC
Forget ransomware. The latest cybersecurity threat could compromise the integrity of construction materials, creating the danger of structural collapse.
According to an article on the Cybersecurity Dive website, online programs and automated systems used to control the manufacture and testing of construction materials have become targets for cyberattack.
The list of potential targets includes automation systems and programs used during the mixture and measurement of materials or chemicals going into a manufacturing process, programs that manage processes that go into the mixture and measurement of construction materials, and automated programs used to test the structural integrity of components. Examples presented include control systems used to mix concrete and automated systems used for surface hardness, load, and surface absorption testing.
“Material failure is a real possibility if the systems become an attacker’s target,” wrote the article’s author, Sebastian Obando. “The processes that go into the mixture and measurement of construction materials are vulnerable to cyberattacks because they use internet- and cloud-based technologies that have minimal defense parameters.”
If these automated systems are compromised by cyberattack, essential components such as concrete, steel and other materials could be structurally weakened and lead to catastrophic failure. Obando believes “threat actors” are targeting the construction industry because “it’s a known laggard in cybersecurity.”
More Direct Threats for Construction Companies
While the potential for cyber criminals to tamper with the integrity of materials is an industry-wide threat, construction companies face more direct and immediate cyberattack dangers. According to a recent Forrester survey, more than 75% of respondents in the construction, engineering and infrastructure industries had experienced a cyber-incident within the last 12 months. The two most common types of cyberattack were social engineering attacks and ransomware.
Social engineering involves cyber criminals impersonating senior management or vendors through compromised email accounts, commonly known as “spear phishing.” The goal is to persuade victims to pay false invoices or share sensitive information on employees, vendors or customers that can be monetized by being resold or used to create fake accounts.
Ransomware attacks “lock out” a business from accessing its own computer system until a ransom is paid. Large ransomware attacks, such as last year’s shutdown of the Colonial fuel pipeline, make headlines because of their high profile and high cost.
But most ransomware attacks are made against much smaller businesses that lack the resources or resolve to properly invest in effective cybersecurity defenses. The average ransom to regain control is approximately $130,000. But that does not include the costs associated with downtime (an average of 15 days), the loss of trust, and the damage done to a company’s reputation.
What steps can you take to defend your construction business against the looming threat of cyberattack? A simple firewall no longer offers the protection necessary to fend off sophisticated hackers. What is required is a layered defense that begins at your network’s “end points,” constantly monitors the system for unauthorized users, and responds quickly to intrusions. Even more important is training your team to be alert for and recognize social engineering attacks like phishing and spear phishing. It is estimated that 90% of data security compromises are the result of human error. We are the weakest link in the chain.
Nathaniel Gravel is a cybersecurity expert and consultant with Gray, Gray & Gray, LLP, a consulting, accounting and business advisory firm based in Canton, MA. He can be reached at ngravel@gggllp.com.