Construction IoT Cyber Risk
WHY THIS MATTERS
The construction industry is experiencing a rapid digital transformation that depends on the Internet of Things (IoT).
The IoT has created numerous benefits in efficiency and convenience from devices, equipment, and systems used in planning, tracking, and monitoring construction projects.
Because IoT cyber risks evolve as rapidly as the technology itself, construction companies need to mitigate those security risks in order to retain the benefits of the IoT.
Cyber risk awareness should be an "all hands on deck" approach – from executives to managers, to the crew on construction job sites.
The Internet of Things (IoT)
In its annual survey, Business Insider projects that there will be more than 41 billion IoT devices by 2027, up from 8 billion in 2019. The survey reveals plans to support emerging tech such as 5G in IoT products and services in 2020, and the critical role of AI in data management efficiency.
Digital transformation is trending across all industries, connecting our modern-day devices to the Internet and putting the IoT market on pace to exceed $2.4 trillion annually by 2027.
IoT in the Construction Industry
The Internet of Things (IoT) is dramatically changing operations in the construction industry. Some reports indicate that the IoT market share in construction will reach $16.8 billion by 2024.
The benefits of IoT in the construction sector need to be balanced with an awareness of the cyber risks due to the expanded cyberattack surface.
Deadlines, targets, and budgets matter in construction. IoT tech can improve productivity by ensuring more efficiency and readiness.
One example is IoT-enabled tags equipped with sensors that locate materials or equipment without a team member being physically present. Sensors create a real-time digital map of the job site and update it with potential risks as they arise. For example, notifications are generated when a site has poor air quality or when crews get too close to a piece of machinery.
IoT Security Risks in Construction
The benefits of IoT in the construction sector should be weighed against potential cyber risks.
Monitoring a construction site raises safety and security challenges. Risks include theft or loss of equipment and material as well as theft or loss of critical data, corporate intellectual property and personal information of clients and employees.
Construction companies need to protect their systems and devices from a multitude of cyber threats.
Limiting Authorized Access in a Decentralized Network
The decentralized network on a construction project involves multiple companies and their crews on deck at construction sites.
Limiting authorized access is a critical part of digital transformation.
Companies need to limit authorized access to valuable information. For example, confidential data (e.g., bids, submittals, blueprints, drawings, punch lists, budgets, and personally identifiable information (PII) of employees) does not need to be put into the hands of the entire team via IoT devices.
"All hands on deck" does not mean all hands sharing and accessing critical intellectual property and information.
Human Error is the Most Common Cause of Cloud Data Breaches
Reports indicate that Gartner estimates up to 95 percent of cloud breaches occur due to human error, such as misconfiguration. These errors or misconfigurations, such as missed software patches or weak firewall rules, can give cybercriminals unauthorized access to data stored in the cloud using legitimate user login credentials.
According to security researchers, hackers have penetrated cloud computing networks of some 60 percent of top US companies, with virtually all industry sectors hit. Notably, when attackers gain access, this often leads to "lateral expansion"—such as spamming or phishing to get even more in-depth access to networks, and "large credential dumps" that can allow more cybercriminals to access the compromised networks.
Island Hopping to Steal Valuable Client Information
Cybercriminals are on the lookout for your supply chain. Fifty percent of cyberattacks involve island hopping as attackers seek to own and access your entire system.
Your essential client list is valuable to cyber thieves. If hackers can island-hop by using your subcontractors or suppliers to get to the prize – your business information – they will do so.
Social Engineering for Credential Theft
Cybercriminals are determined to steal employee credentials via social engineering, creating fake websites that employees log in to, or calling employees pretending to be someone from IT support, or sending spoof emails that trick employees into changing banking account details for wire transfers, bill payments, or payroll. Once the hacker identifies who moves money, and how, they initiate fraudulent funds transfers to fake bank accounts – often resulting in all or most of the money irreversibly disappearing.
The same holds for your subcontractors or third-party vendors. Virtual private network (VPN) credentials could be obtained through a hack into your subcontractor's network, allowing attackers to load malicious software into your network and steal valuable data assets.
The Rise of Maze Ransomware Attacks on Construction Companies
Ransomware is a form of malware that effectively holds a computer system hostage until a "ransom" fee is paid (commonly in Bitcoin). Most ransomware attacks result from opening an infected email attachment or visiting a malicious website, which then installs malware such as a worm or Trojan horse. Once the systems and files are locked (encrypted), a decryption key is needed to regain access, and it is provided only after the ransom payment.
Recently, Maze ransomware attacks have impacted construction companies involved in building NHS Nightingale Hospitals (used for emergency COVID-19 treatment) in the UK, defense contractors in Canada and the US, and a construction giant in France.
Bring Your Own Device (BYOD)
If your company allows employees to bring their own IoT devices to a job site, a corporate office, or while working from home, you need a BYOD security policy.
As reported, cybercriminals are targeting BYOD devices with phishing attacks because an email renders very differently in Microsoft Outlook on a desktop than it does on a smartphone. Attackers can tailor the subject line and the To/From fields in ways that are easier to spoof on a small screen. Once one device is hacked, the thieves are inside the door.
Cloud-Based Construction Management Software
If your company uses Construction Management Software (CMS) to coordinate planning between architects, engineers, contractors, and subcontractors, then you are holding valuable data in your CMS that is attractive to cybercriminals. Even with the security measures provided by CMS providers, unauthorized access to your data is a cyber risk.
A dispersed workforce and multiple entities with access to project data and plans mean that applying security controls to every aspect of a project may not be feasible. One person, one device, or one set of login credentials (username and password) can unravel your cybersecurity efforts.
Defending Against Cyber Threats
- Train staff regularly on spotting potential threats and malicious emails. Human error is a significant cause of data theft, ransomware, and funds transfer fraud in the form of fraudulent, spoof, or phishing emails.
- Back up sensitive and critical data regularly and require unique passwords for granting authorized access to data and systems.
- Enable remote system wiping on mobile devices and computers for when items are lost or stolen.
- Enforce secure, unique passwords and regular changes, including on firewalls and routers.
- Prohibit the use of default passwords on IoT devices.
- Implement network-level security to authenticate individual IoT devices.
- Implement multi-factor authentication (MFA) for remote access to Microsoft 365 products. Fraudulent emails often trick employees into entering their login credentials. Using MFA can prevent outside threat actors from gaining access even if they have your password.
- Implement 2-factor authentication (2FA) for wire transfers over a certain monetary threshold and for international funds transfers. Threat actors often strike when key personnel are out of the office (e.g., over a long holiday weekend), when it is harder to verify a request. Setting up clear authentication protocols with your bank for large or foreign transfers can help prevent, or recover, fraudulent wire transfers.
- Conduct third-party vendor risk assessments to verify their cyber hygiene, so that they do not inadvertently give attackers access to your systems or network.
- Include security updates for all IoT devices in your regularly scheduled cyber due diligence.
- Establish and conduct annual tests of your Incident Response Plan (IRP) that includes Business Continuity and Disaster Recovery in the event of a breach.
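As an added example (not code from the page's author or from any vendor mentioned above), the following Python script checks a constructed site device inventory against several of the controls in the list: no default passwords, no stale passwords, timely firmware updates, authenticated network access for each device, and remote wipe enabled on mobile devices. The inventory format, the field names, the company names and the 90-day thresholds are all assumptions; export your own inventory into the same shape to reuse the checks.

```python
"""Audit a construction-site IoT device inventory against basic controls.

Added example; not code from Cyber Armada or any product on the page.
Inventory format, field names and thresholds are assumptions.
"""
import json
from datetime import date, timedelta

# Constructed sample export of a site device inventory (fictitious devices/companies).
INVENTORY_JSON = """
[
  {"id": "tag-0147", "type": "asset_tag", "owner": "ACME Contractors",
   "default_password": false, "password_changed": "2020-06-01",
   "firmware_updated": "2020-05-20", "network_auth": true, "remote_wipe": null},
  {"id": "cam-03", "type": "site_camera", "owner": "SubCo Electrical",
   "default_password": true, "password_changed": null,
   "firmware_updated": "2019-11-02", "network_auth": false, "remote_wipe": null},
  {"id": "phone-bob", "type": "mobile", "owner": "ACME Contractors",
   "default_password": false, "password_changed": "2020-02-14",
   "firmware_updated": "2020-06-10", "network_auth": true, "remote_wipe": false},
  {"id": "sensor-aq-9", "type": "air_quality", "owner": "SubCo Electrical",
   "default_password": false, "password_changed": "2020-06-15",
   "firmware_updated": "2020-06-15", "network_auth": true, "remote_wipe": null}
]
"""

# Assumed policy thresholds; adjust to your own written policy.
MAX_PASSWORD_AGE = timedelta(days=90)
MAX_FIRMWARE_AGE = timedelta(days=90)
AS_OF = date(2020, 7, 1)  # fixed audit date so the results are reproducible


def _parse(iso_day):
    """Turn an ISO date string into a date; None stays None."""
    return date.fromisoformat(iso_day) if iso_day else None


def audit_device(dev, as_of=AS_OF):
    """Return a list of (device id, control, detail) findings for one device."""
    findings = []
    if dev["default_password"]:
        findings.append((dev["id"], "default-password", "vendor default credentials still in use"))
    changed = _parse(dev["password_changed"])
    if changed is None:
        findings.append((dev["id"], "password-age", "no record of a password change"))
    elif as_of - changed > MAX_PASSWORD_AGE:
        findings.append((dev["id"], "password-age", f"password last changed {changed}"))
    firmware = _parse(dev["firmware_updated"])
    if firmware is None or as_of - firmware > MAX_FIRMWARE_AGE:
        findings.append((dev["id"], "firmware-update", f"firmware last updated {firmware}"))
    if not dev["network_auth"]:
        findings.append((dev["id"], "network-auth", "device joins the network without authentication"))
    if dev["type"] == "mobile" and not dev["remote_wipe"]:
        findings.append((dev["id"], "remote-wipe", "remote wipe not enabled"))
    return findings


def audit_inventory(inventory_json, as_of=AS_OF):
    """Audit every device and group the findings by the company that owns it."""
    by_owner = {}
    for dev in json.loads(inventory_json):
        by_owner.setdefault(dev["owner"], []).extend(audit_device(dev, as_of))
    return by_owner


if __name__ == "__main__":
    for owner, findings in audit_inventory(INVENTORY_JSON).items():
        print(f"{owner}: {len(findings)} finding(s)")
        for device_id, control, detail in findings:
            print(f"  {device_id:<12} {control:<17} {detail}")
```

Grouping findings by owning company matters on a decentralized job site: it tells you which subcontractor to raise the issue with, and it doubles as input to the third-party vendor risk assessment in the list above.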
Your cyber insurance support network will help you with your IRP, with the goal of promptly restoring your business operations and systems with reduced financial impact.
The Value of Incident Response Planning
According to the Ponemon 2020 report, the highest cost saver for businesses was Incident Response (IR) preparedness. The average total cost of a data breach for companies with an IR Team that also tested the IR plan (using tabletop exercises or simulations) was $3.29 million, compared to $5.29 million for companies that did neither – meaning no IR plan and no IR team. This $2 million cost difference is an increase from the $1.23 million cost difference in the 2019 study.
If your business does not have an IR plan or team, here are some key questions:
- What if your construction project does not detect or prevent a cyberattack?
- Are you prepared to respond to a real or suspected cyber incident?
- Have you analyzed and budgeted for the cost to respond?
- Do you have a team assembled to respond?
- Have you conducted a dry run via a tabletop exercise?
If you do not have a Stand-Alone Cyber Insurance policy, you should consider the value added by IR coverage and support.
The Cyber Solution: Stand-Alone Cyber Insurance
With the help of Stand-Alone Cyber Insurance to protect your bottom line, your construction company can survive a disruption to the IoT devices and systems that your business operations depend on:
- If you suffer a data breach, your business will need to stop the breach, conduct a forensic investigation, notify all those impacted, recover or restore your data, use public relations to maintain your brand, and possibly defend third-party liability claims or lawsuits for damages by injured parties.
- If you suffer a ransomware attack, you can obtain support in negotiating the ransom demand, and be compensated for the ransom payment (made with the prior written consent of the insurer).
- If you experience business interruption from a cyberattack, you can be compensated for lost profits, and extra expenses such as payroll, during the downtime (after a brief waiting period).
- If you experience funds transfer fraud, you can obtain support in recouping some of the funds as well as compensation for the funds that are not recovered.
Stand-Alone Cyber Insurance is an integral part of your cyber risk management planning. You need not go it alone when looking to reduce the financial loss from a cyberattack.
- Construction companies are taking advantage of the benefits of IoT tech. At the same time, they are attracting cybercriminals who target vulnerabilities to pursue and steal valuable data.
- Cyberattack vectors are ever-evolving, dynamic, and varied – which allows hackers to bypass current cybersecurity defenses. Once a BYOD device is hacked, stolen, or lost, the thieves are inside the door.
- Construction companies are susceptible to cyberattacks, even with cybersecurity measures in place. Human error can and does override cybersecurity measures.
- Stand-Alone Cyber Insurance is a Win-Win – you win by investing in the services provided, and you win by investing in the coverage provided.
Contact Cyber Armada today to review your company's potential financial loss from a cyberattack, including IoT cyber risks. Contact us at 888.727.6232.
Please watch for our next article on Bring Your Own Device (BYOD) risks.