The construction industry is undergoing a digital transformation, and construction companies have become an increasing target for cyberattacks.
Digital innovations, such as artificial intelligence (AI), and Building Information Modelling (BIM) can help ensure projects remain on time and under budget, but increasing digitalisation presents challenges as it increases the attack surface area for cyber hackers.
A 2024 GlobalData poll revealed that 73% of respondents said cybersecurity was either already disrupting their industry or would do so in the next 12 months. Despite this, according to the UK government’s Cyber Security Breaches Survey 2024, only 20% of construction firms have board members taking responsibility for cybersecurity.
Recent high-profile attacks on construction companies, such as the 2020 cyberattacks on UK-based BAM and Interserve, serve as a stark reminder that cyberattacks can have lasting operational and reputational impacts. Both targeted companies had recently built the Nightingale Hospitals, the temporary hospitals set up by NHS England for the Covid-19 pandemic. In a devastating year for high-profile cyberattacks on construction companies, Bouygues was also targeted by a cyberattack in 2020. It took all its information systems offline as a precautionary measure.
A rapid growth in data usage, and dispersed data from a mobile workforce across many locations increases vulnerability to cyberattacks. These challenges, alongside increased security threats—more complex ransomware, phishing attacks, and growing supply chain risks—mean that construction companies are under continual security pressure. Managing these challenges presents significant cost management issues, especially as the construction industry remains a high-volume, low-profit industry.
Construction vulnerabilities to cyberattacks
Construction companies’ supply chains are vulnerable to attack. The last few years have seen a series of supply chain attacks. In such attacks, rather than targeting a third-party vendor’s vulnerabilities as a way into another company’s network, attackers deliberately aim to exploit the trust that exists between legitimate organisations in normal business operations. Supply chain partners are often granted the right to use and manipulate areas of a company’s network, applications, or sensitive data. This means attackers only have to penetrate the third party’s defences to infiltrate the company’s system.
Cyberattacks are likely to exacerbate any financial difficulties due to time lost on projects, extortion, or regulatory fines. Cyberattackers who gain access to a company’s network may be able to steal and potentially sell intellectual property. Cyberattacks can also lead to data breaches and supply chain disruption. Any cyberattack is likely to cause financial damage and lasting reputational damage.
According to the UK government’s Cyber Security Breaches Survey 2023, just over one in ten businesses say they review the risks posed by their immediate suppliers (13%, vs. 11% of charities). More medium businesses (27%) and large businesses (55%) review immediate supplier risks. The latter result is up from 44% of large businesses in 2022.
A 2024 Q1 poll by GlobalData revealed that the most common cybersecurity attack concerns for companies are phishing and spear-phishing, ransomware, and ransomware attacks. According to data published in a 2022 report by Advisen, the most common construction cyber losses by type are unauthorised contact or disclosure, malicious data breaches, and ransomware. Despite only accounting for 10% of cyberattack losses, ransomware is a growing threat concern for construction companies.
Cybersecurity faces an AI challenge
The prospect of offensive attacks using AI is increasing cybersecurity budgets as organizations try to understand the impact of generative AI on their security. The construction sector is particularly vulnerable to cyberattacks because it is rapidly incorporating new technologies, resulting in a larger attack surface for hackers to exploit. The integration of AI increases this attack surface area due to novel attack routes such as prompt injection, model extraction, and dataset poisoning.
AI also offers multi-faceted defensive capabilities: many AI cybersecurity techniques involve supervised machine learning models trained on huge volumes of labeled attack datasets and intelligence, enabling them to identify a threat and respond to it swiftly. However, learning how to counter AI-led attacks will take time.
In January 2024, construction company Maire Tecnimont implemented the Vectra AI Platform, which is a network detection and response (NDR) solution that significantly improved its cyber-attack detection and response capabilities through artificial intelligence and machine learning. Vectra integration has led to a significant reduction in false positives and alert volume.
In April 2024, Accenture and Google Cloud announced an expansion of their global partnership to help businesses better protect critical assets against persistent cyber threats. Together, they are providing construction company Lendlease with cyber detection and response. capabilities that make use of Google Cloud’s generative AI.
What can construction companies do?
Policies such as zero-trust access, a security model that uses strict identity verification for every person or entity attempting to access an organization’s network resources, regardless of whether the person or entity is in the office, bound by the network perimeter, or accessing the network remotely, can drastically improve a company’s cybersecurity posture.
Due to the number of construction sites being worked on at any one time, it is essential to have a decentralised cyber policy during construction. A decentralised cybersecurity approach refers to a strategy that distributes cybersecurity measures across multiple locations, devices, and systems. In addition, secure supply chain management, companywide cybersecurity training, cyber insurance, and following government regulations will help to reduce the fallout from a cyberattack incident.
The European Commission, the US Securities and Exchange Commission (SEC), and the US Senate are stepping up regulatory efforts. The European Commission is expected to adopt draft regulations to establish a European cybersecurity certification scheme (ECCS). This will cover a broad range of IT products with security components such as smartphones, bank cards, and routers. A new standard proposed by the US Securities and Exchange Commission (SEC) in March 2022, effective December 18, 2023, requires public companies to disclose material cybersecurity incidents within four business days, along with periodic reports about their cyber-risk management plans. Therefore, companies with poor cybersecurity management are more likely to receive regulatory fines after data breaches or data privacy investigations.
Construction companies should view cybersecurity on an equal footing with physical security and ensure chief information security officers (CISOs) are on company boards. This will also help companies navigate increasing regulatory scrutiny. The bottom line is that cybersecurity attacks are inevitable, so construction companies looking to improve their cybersecurity must be proactive to remain resilient.