Cyber Risk and the Construction Supply Chain

By Matthew McCabe (Marsh), James Tullett (Marsh), and Alexis Bradshaw (Marsh)

Please note that this article was written with SecurityScorecard, a Marsh Cyber Catalyst Partner.

While all organizations encounter cyber risk, firms in the architecture, engineering, and construction (AEC) industry face a heightened challenge. With its complex ecosystem of collaborating companies that depend upon the continued integrity of their peers’ digital systems, the industry faces threats at all levels that can cascade throughout operations.

In fact, the construction industry ranked third amongst North American industries for reported ransomware attacks in 2020, with 13.2 percent of firms reporting at least one attack. Whilst it is promising to note that the industry as a whole increased its cybersecurity spending by 188 percent between 2018 and 2019, a 2020 survey by the UK government found that only 70 percent of domestic construction firms considered cybersecurity a high priority, as compared to 80 percent for the average business. This suggests that there is some room for improvement across the industry when it comes to protecting operations from cyberattacks.

Cyber risk in the AEC supply chain

Over decades, the AEC industry has developed into a complex network of owners, developers, general contractors, trades contractors, material suppliers, and third-party logistics providers. Projects may involve hundreds of suppliers and contractors and thousands of users interfacing. Technology is increasingly digitizing the industry’s supply chain and managing a constant flow of materials, services, designs, data, intellectual property, and payments. With every new digital connection, the range of potential attack points for cyber threat actors increases, in turn broadening third-party risk for contractors.

In project modeling and development, collaborative programs such as building information modeling, geographic information systems, and ubiquitous sensors are utilized to collect data to support the design, monitoring, and management of projects. These platforms allow contractors and subcontractors to exchange and revise data and specifications, predict and avoid hazards, adjust workflows and schedules, and improve designs. To deliver this connectivity, however, firms must use mutually compatible software — which can leave legacy tools on a company’s systems that need to be appropriately managed.

The growing adoption of technology can also be seen in construction activities (cameras, project management software, wearables, remote cranes, robotics, prefabricated components, modular building, 3D printed materials, etc.), as well as companies’ day-to-day operations (cloud-based platforms, etc.) and assets (sensors, remote monitoring, etc.). With each new application of technology, construction workers and all employees involved in the lifecycle of a project have to learn how to use their newfound capabilities efficiently and safely.

Ultimately, the wide-ranging use of technology represents a massive challenge for integration. Within the industry, many businesses are tying together diverse technologies across cloud-hosted platforms, which can reduce costs and improve performance. With the growing use of technology, however, companies become more vulnerable to cyber threats. The security and vulnerability of each individual device factors into the whole network’s integrity. From the vantage point of a malicious actor, this combination provides a vast attack surface for cyber threats.

Somewhere in the network, a company is vulnerable.

  1. Your subcontractors and vendors are not secure. At least, you cannot assume they will be. Despite the millions of dollars invested in security, cyber incidents have resulted from vulnerabilities in subcontractor and vendor services — an Achilles’ heel for larger organizations.

  2. Your code is not secure. Recent breaches have shown that malware can be introduced through compromised open-source code or patch updates, or even through compromised security certificates intended to validate an update. Despite the protections on your perimeter, your organization remains vulnerable.

  3. Your people are not secure. Malicious insiders, with access to systems and the motivation to do damage, create challenges that are tough to overcome. More often, employees haunt organizations with continued bad practices, such as using weak passwords, clicking on phishing emails, and succumbing to social engineering. In the construction industry, the workforce can be seasonal and fluid, with many employees working in the field — using laptops, smartphones, and tablets — rather than in office environments. The reliance on subcontractors can also present unique challenges, including cyber training. Moreover, the completion of any project typically involves dozens of companies and their employees sharing vast quantities of confidential data, including bids, blueprints, employee records, and financial information.

How can AEC companies overcome this risk?

  • Know your user. Multi-stakeholder collaboration is a must for the AEC sector, so tight access controls should be as well. Multi-factor authentication has become a “must-have” requirement of cyber insurance policies, given its effectiveness in preventing access by unauthorized users. In addition, companies should adhere closely to the principle of least privilege, granting access to systems and data only as far as job responsibilities require. Furthermore, the number of highly privileged users should be kept as small as possible and their access monitored for misuse.
  • Raise attention to end-of-life software. AEC companies frequently find themselves compelled to use servers that run unsupported software in order to fulfill specific regulatory requirements or demands from clients. Project leaders should be made aware of the risk accepted through those contractual engagements, and where possible have the client accept that risk. End-of-life software should receive compensating controls, including being firewalled off from the enterprise system.
  • Closely monitor third-party risk. Because the AEC supply chain is long and complex, understanding the security posture of your vendors and contractors is essential to understanding your own inherent risk. Fully and continuously evaluating every vendor can be difficult, if not impossible, but methods such as security ratings provide a good start for understanding and comparing the security environments of your third parties. Assess the cybersecurity processes of any third party that accesses or retains critical data, and engage with them to improve where necessary in order to reduce your own risk. As appropriate, the security programs of critical vendors should be periodically reviewed in depth and continuously monitored to identify potential issues before they become a problem. Seek to build favorable hold-harmless agreements and right-to-audit clauses into contracts with third-party vendors. AEC companies should establish procedures to evaluate any third-party service provider, review its agreements to limit your company’s liability as far as possible, and assess its cybersecurity processes. Ideally, evaluate vendors on their security practices and avoid those with low standards and poor practices. Reviewing security scores as part of your procurement process may be advisable.
  • Train employees and others on how to identify, avoid, and report potentially malicious activity on corporate networks. The construction industry is heavily decentralized, involving a large number of stakeholders. Without thorough, regular training and buy-in from all personnel, even the most robust cyber risk management plans can be rendered ineffective. Businesses should also implement strong internal controls, including mandating complex passwords and resetting passwords quarterly.
  • Regularly review and update firewalls and security patches. Despite the added expense, investing in a robust set of firewalls that require user authentication can be beneficial. Businesses should also institute secure file sharing, advanced email and web filtering, and separate Wi-Fi networks for subcontractors, architects, and engineers.
  • Back up critical data and applications. Laptops, smartphones, tablets, and portable media devices — along with emerging technologies that are often present on construction sites, such as wearable devices — can quickly fall victim to ransomware. Companies should back up data and applications and segment them from the live network through offline storage.

Cyber risk can take many forms. As construction companies increasingly adopt a wider range of technological solutions, they will also need to take more deliberate steps to protect themselves from undesirable outcomes.