Most sectors are embracing new technologies and adopting new digital ways of working, but the construction industry is going through an unprecedented cultural shift. This means that the construction industry and its supply chains are at risk of being impacted by cyber-crime.
That’s why it’s more important than ever to understand how your organisation might be vulnerable to cyber attacks, and what you can do to protect it.
The consequences of poor cyber security should not be underestimated. Attacks can have a devastating impact on finances, the construction programme, your business reputation, supply chain relationships, the built asset itself, and people’s health and wellbeing.
Minimising the risks is therefore of prime importance.
What are the risks?
The three key stages in the construction industry (design, construction and handover) all involve extensive digital workflows, so all of them are at risk.
Many smaller and medium-sized businesses feel that cyber security is a problem for other people, so they’re less keen to invest time, money, and training into what they perceive as an unlikely threat. Some don’t even think they need cyber liability insurance.
We’re here to remind you that all three of your workflows are at risk, but to reassure you that taking preventative action can be much easier than dealing with an incident afterwards.
In terms of what’s at risk, it’s everything from the computers, phones, and tablets used to access emails, to the essential software used to process and store information, to sophisticated site equipment and digital-based systems installed within buildings.
Throughout the entire construction process, you’ll need to manage and protect your business information (including client, staff, and project information).
Here’s an outline of your responsibilities throughout the three key stages of construction.
Stage 1 – Design
As you’ll know, the design stage is the process of developing the project brief so the building can be constructed. Much of this is carried out digitally, and you may use different software during the design process, such as:
- Computer-aided design (CAD) and 3D modelling packages.
- Collaboration tools for sharing project information.
- Simulation packages to help with structural and other specialist engineering disciplines.
- General IT systems for storing and sharing information and data (either locally or on a business network).
You’ll need to ensure you’re looking after your critical systems, documents, and data, and implementing effective engagement and training on how to mitigate the risks. After all, humans are the weak link in many areas of security.
It’s also really important to make sure that the software is always kept up to date. Applying these updates (a process known as patching) is one of the most important things you can do to improve cyber security.
On some construction projects, you may join or create a Common Data Environment (CDE) with other businesses. These environments include large amounts of project information with access given to third parties. You should implement a ‘need to know’ process, where access is only granted for the information that’s required for that task, and ensure staff are removed when they finish the project or leave the business.
Stage 2 – Construction
Compared to the design stage, activities during the construction stage usually require a larger workforce, more materials and equipment, and more interaction with third parties. As the complexity and scale of a project increase during construction, you will naturally focus on project deliverables and deadlines.
But it’s important not to overlook security at this stage of the project. In particular, securing construction sites and high-tech equipment is vital. The use of high-tech equipment to survey buildings or sites is becoming increasingly common, and drones and GPS equipment can create detailed models and visualisations.
This sort of equipment can be a target for thieves, both for resale and especially if they store site, project, or sensitive data. While some equipment may not be especially expensive to replace (for example a camera or GPS device), the data stored on them could be very valuable to a cyber attacker. You should secure surveying tools, cameras, tablet computers, lifting equipment, etc, to prevent the items and any data stored on them from being stolen. CCTV and other security technologies provide significant defence against theft.
The IT equipment used on construction sites is often different from equipment kept in offices. For example, the premises themselves may be less secure, or there might be limited space to securely house your IT equipment. There may be restricted access to your business’ networks or services or intermittent internet connection. These factors may make it more difficult to access and secure your data.
You should also consider what personal data is stored on a construction site. For example, details of individuals and their emergency contacts, biometric data, and health and safety incident reports. Remember that this information is personal, covered by data protection legislation, and needs to be protected accordingly. You’ll need someone to manage your GDPR and have a good understanding of the implications for your cyber security.
Stage 3 – Handover
When the project is complete, there may be installed building management systems (for example BMS, BACS, BEMS, and IACS). It’s important that these systems are carefully handed over to the client so that they can continue to secure the building and any digital-based systems it might contain.
The installed systems will depend on a project’s nature and use, but may include any combinations of the following:
- Lighting automation and control.
- Heating, ventilation, and air conditioning (HVAC).
- Fire, smoke detection and alarms.
- Motion detectors, CCTV, security and access control.
- Lifts and escalators.
- Industrial processes or equipment.
- Shading devices.
- Energy management and metering.
It’s extremely important that these are fully documented, and all details of installation, operation, and maintenance are included in your handover to the client or building operator. These details should include any steps taken to secure the systems as well as any steps or documentation required to maintain the security of these systems throughout their lifetime. You’ll probably need to keep information relating to the project after it’s been handed over for insurance purposes. For more detailed information on this refer to the CPNI’s guidance on releasing documents.
How can you mitigate the risks?
For more advice on cyber security for small businesses, read the National Cyber Security Centre’s information for small businesses. Alternatively, speak to us at Compex IT, as we have extensive experience in working with construction businesses to help them mitigate the risks of cyber attacks.