The U.S. depends on the construction industry for everything, from new homes to the infrastructure the country needs to function every day. In addition to keeping its physical assets safe, the industry must keep its digital assets safe, too. This article gives an overview of cyber risk throughout the construction industry, the attacks it faces and suggestions for preventing them.
The Basics
Cyberattacks are nothing new. For years, contractors have been targeted by data breaches, phishing theft, ransomware attacks and theft of sensitive information. In recent years, cyberattacks have begun to include industrial espionage and disruptions related to geopolitical struggles. The stress and financial burdens from a large-scale ransomware event can be severe. It can also damage your brand.
Why is the construction industry such an attractive target for criminals?
- Many contractors don’t invest in cybersecurity infrastructure because they don’t see it as a need. Engineering and construction companies are often already operating on narrow margins, and they also don’t want to spend money and time on something that seems unnecessary. But any company that ignores cybersecurity leaves itself open to a potential attack. Cybercriminals look for easy targets and the potential for a big payoff. That description fits far too many construction companies.
- Some attacks are politically motivated attempts to get sensitive information. If nation-states want information about infrastructure, intellectual property or public works, the construction industry is a weak link. Cybercriminals are motivated to look for proprietary information and intellectual property. This can include security information and construction plans and designs.
- New technologies can be risky. Engineering and construction services have been quick to use technologies that increase efficiency, productivity and connectivity, such as advanced analytics, artificial intelligence, cyber-physical systems, drones, machine learning and robotics. Entire new industries, such as Building Information Modeling (BIM) and the Internet of Things (IoT), have become part of the construction industry. For example, BIM was valued at $7.9 billion in 2023 and could be worth more than $25 billion in 2030. Companies see the chance for improved safety, sustainability and service but sometimes overlook cyber and data privacy risks.
- The construction industry often uses a temporary workforce. Vetting and training subcontractors and temporary employees presents a challenge, but not vetting and training them gives cybercriminals another way into your business.
- Legacy systems can give cybercriminals an easy in. Operating systems that are no longer being supported have known vulnerabilities and no patches to fix them. It can be impossible to recover data encrypted by cybercriminals on a legacy operating system.
- Doing business with third parties creates additional vulnerability. By its very nature, construction involves collaboration. The stakeholders and operations include architects, engineers, subcontractors and vendors, and everyone is often connected to a common network. A cybercriminal who accesses a vulnerable network can cause potential data breaches. The result is expensive in terms of money and damaged reputations, and there may also be consequences related to regulatory noncompliance.
- Lack of industry regulations about cybersecurity is still an issue. Banks and financial services have been required to follow strict rules for decades. The same hasn’t been true for the construction industry, but that has changed. If a contractor wants to bid on federal works projects, they are often now required to show what they have in place to provide cybersecurity and protect data. Increasingly, contractors are expected to be familiar with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and to comply with Cybersecurity Maturity Model Certification.
- Regulations and cybercrimes have become global. Businesses must pay attention to more than just national regulations. Companies that want to compete on a global level must also know about any applicable regulations and penalties. Even if companies choose to operate locally instead of nationally, they must still deal with persistent, increasingly sophisticated global attacks.
Likely Targets
Common cybersecurity threats in the construction industry include the following:
- Data breaches: Client information, financial information, intellectual property and project designs are all at risk. Cybercriminals hack systems, use malware or engineer attacks that take advantage of social norms.
- Supply chains: Every entity in supply chains can be a potential point of entry for cybercriminals. Once in, they can disrupt operations, find sensitive information or take advantage of networks.
- IoT devices: Drones, sensors and wearable technology sometimes lack security and can be exploited by cybercriminals to manipulate data or gain unauthorized network access.
- Ransomware: Cybercriminals use software to encrypt important files and demand a ransom to decrypt them. Encryption is easier than decryption, and even if files can be recovered, it takes time. Noncompliance with the demand can cause missed deadlines, and that interferes with getting paid for work.
- Physical attacks: In addition to the risks any site has of unauthorized access, theft and vandalism, cybercriminals can also choose to access control systems or target HVAC.
The Short List of Cybersecurity Measures
The following list presents a starting point for companies within the construction industry. You can do more than the following, but you should not do less.
- Follow cybersecurity regulations and standards. The NIST Cybersecurity Framework or the General Data Protection Regulation (GDPR) can help you set up the policies and practices for an effective and comprehensive cybersecurity program.
- Think about possible security risks that may have been created when digital solutions have been implemented.
- Schedule regular and robust data backups. That way, you can restore essential data when necessary.
- Protect equipment and materials by using a physical security system for construction sites. Include access controls, perimeter fencing and surveillance cameras.
- Work with vendors and subcontractors to reduce risks by talking about prevention and including cybersecurity standards and clauses about data protection in contracts.
- Safeguard confidential information and trade secrets by using data breach prevention strategies. Encryption protocols, firewalls and intrusion detection systems may deter unauthorized access and malware attacks.
- Provide robust phishing simulations to train employees. They should understand why data protection matters, know how to create strong passwords and recognize a phishing attack. Cyber insurance carriers may offer employee training as part of your insurance policy.
- Use multifactor authentication for all accounts and webmail, especially those involving remote access.
- Make social engineering fraud more difficult to carry out by having strict dual controls with callback requirements. This can prevent cybercriminals from modifying accounts and changing invoices.
- Ensure the company can locate and wipe equipment that is lost or stolen by using endpoint detection and response (EDR) and mobile device management (MDM).
- When software is installed or updated, including with patches, use software sandboxing so that the work will be done in a controlled environment. Also, monitor systems regularly for signs that a breach has occurred.
- Back up critical systems and databases. Look for proven systems that have been tested and are segmented and protected.
- Write an incident response plan for your business, test it and update it once a year. The plan should include a list of resources and tasks, strategies to use ahead of time and ideas for public relations scenarios.
The days when cybersecurity was only a concern for larger corporations are over. Every business is a potential target. Developing a cybersecurity defense plan is crucial to business continuity. Sadly, it’s not a question of if but of when and how bad.