Historically, construction has not been high on the list of targeted industries by cyber attackers, who have typically chosen other industries which are more financially lucrative. However, in recent years, we have seen a step change, with several high-profile successful cyber-attacks within the construction industry causing delays, business disruption, financial impact and reputational damage.

Investment by construction companies in cyber defences has typically lagged behind other industries. This is largely due to fewer mandatory regulations and guidance, and partly due to lack of compelling board level business cases to invest in cyber defences, when the chances of getting attacked were relatively low.

Attackers now view construction as an easier target when compared to other industries as their cyber defences are not as mature. Therefore, the effort and cost on the attackers’ behalf to launch a successful cyber-attack is far reduced. Additionally, financial rewards for the attacker are becoming more lucrative as many construction firms embark on digitisation programmes and introduce new technology. This includes, for example, the Internet of Things (IoT), which monitors the real-time health and performance of their resources. These initiatives are rapidly increasing the firm’s digital footprint and consequently their attack surface, giving the attacker more opportunity to launch cyber-attacks.

Here we will explore the top five common cyber-attacks faced by the construction industry, provide examples of real incidents that have occurred and discuss what we can do to reduce the risk of a successful cyber-attack.

Five Common Types of Cyberattack Facing the Construction Industry

Ransomware

a) For Financial Gain

First on our list of common cyberattacks in construction is Ransomware. This is a type of malicious software used by attackers that typically infects computer systems and encrypts files, making users unable to use or access encrypted files until a ransom is paid. The software can be installed in several methods, such as an employee opening legitimate looking emails with malicious attachments, unpatched or vulnerable software, or by visiting a legitimate website whose security has been compromised, hiding malicious scripts.

The ransomware threatens to publish sensitive data unless a ransom is paid, leaving the firm unable to recover the files without a decryption key. The attacker is typically difficult to trace and prosecute, as they use digital currencies such as Bitcoin and other cryptocurrencies for the ransom demand.

The impact of ransomware is not simply limited to the payment of the ransom and associated clean-up costs, but may also include reputational damage.

b) To cause Disruption and Delay

Ransomware can also be used by an attacker, with the primary goal to disrupt business operations by denying users access to systems or equipment, rather than demanding a payment. The attacker infects computer systems using the same methods described in 1.a. above.

The impact of such an attack could hinder the construction firm’s ability to meet a project deadline, which may incur contractual financial penalties and lawsuits.

Business Email Compromise (BEC) for Financial Gain

BEC can also be known as whaling, spear-phishing, or CEO/CFO fraud. The attackers perform research on the victim firm and then target employees with access to company finances. The method of attack is where the attacker fraudulently accesses company funds by sending an email purporting to be from a legitimate sender, such as a customer or trusted company executive. The emails typically pressure employees to act quickly, and request funds be transferred to the attackers’ bank account to pay an invoice, for example.

Data Breach of Intellectual Property or Personal Data

Construction companies often hold and work with highly sensitive information such as blueprints, or schematics in their Building Information Modelling (BIM) system. A breach of these systems, other technology devices, or vendor supply chain could result in major reputational damage and potential regulatory fines and lawsuits where personal data is involved.

Supply Chain Attacks

Complex projects in the construction industry pose a particularly high risk to cyber-attack, as they often involve multiple entities such as suppliers, contractors and partners. These entities, if compromised by an attacker, can then be used as a platform or conduit to launch attacks against the target firms’ systems and employees. The attacks are usually less likely to be detected due to the trusted relationship between the parties.

Potential impacts are wide-ranging, from disruption, delay, financial loss and reputational damage.

Insider Attacks

Insider threats include, malicious insiders, disgruntled employees, reckless third parties, insider agents, careless employees or compromised employees.

Potential impacts are wide-ranging as described in 4. above.

Recent Cyberattacks in the Construction Industry

Over recent years, there has been an evident upward trend in the amount of cyberattacks or cyber security threats in construction. Just some examples of this occurring include:

Bird Construction – Ransomware for Financial Gain

Bird Construction, a Canadian construction company, suffered a ransomware attack. The attackers were demanding payment in cryptocurrency (the amount equivalent to approximately 9 million CAD) as payment to prevent the attackers releasing stolen personal information.

Royal Bam Group – Ransomware to Cause Disruption and Delay

Attackers found a vulnerability in the firm’s website that enabled them to access the firm’s corporate network. From there, the attackers used tools to encrypt the firm’s files – stopping the company from accessing them. The hackers then started sending messages, demanding payment for the firm to gain access to its own files.

Solid Bridge Construction – BEC for Financial Gain

BEC attacks tend to be less widely reported by firms that have fallen victim, largely due to reduced regulation to mandate reporting of such incidents. One reported incident however occurred when Solid Bridge Construction, a company which helps develop large scale commercial projects, based in the city of Huntsville, Texas, was subject to such an attack.

One of the companies that Solid Bridge worked with is Chance Contracting LLC, based in Pinehurst, Texas, who are involved in the construction of road surfaces for large commercial construction projects.

Solid Bridge received an email claiming to come from Brett Chance, the owner of Chance Contracting. The email claimed that Chance Contracting was having “issues” receiving check payments and asked that a payment could be sent to a different address – one located in Washington.

Solid Bridge duly sent a check for $210,312.00, believing it was making a payment in response to a legitimate invoice from Chance Contracting. The payment was in fact sent to an attacker email address that looked very like, but not quite the same as, the one used by the genuine Brett Chance of Chance Contracting.

How to Reduce the Risk of a Cyberattack in the Construction Industry

There is no one silver bullet for business leaders of construction firms to reduce the impact of cyber attacks. However, important factors in reducing cyber risk include top level management support, fostering a cybersecurity culture across the firm and conducting thorough risk assessments.

Here are some key steps that can be taken in order to prevent and minimise the impact of any construction cyber attacks:

• Conducting risk assessments: A risk assessment should be performed to identify the cybersecurity risks applicable to a particular firm due to its unique operational environment and activities. Risks should be quantified and explained in simple language to top level management to ensure business cases can be understood, reviewed and approved.

• Implementing a cybersecurity strategy: A comprehensive cybersecurity strategy and implementation plan helps ensure that the firm has the most appropriate people, processes and technology in place to help mitigate cyber risks.

• Planning for incident response: Firms should also have an incident response plan that is regularly tested to ensure the impact of a successful cyber-attack is minimised.

• Cultivating cyber awareness: Instil a proactive cyber awareness culture across all levels of the organisation. Educate employees on cybersecurity best practices, empowering the entire workforce to contribute to cyber resilience.

Expert Construction Dispute Support with HKA

With a rich legacy spanning more than 40 years in construction and engineering, HKA stands as an industry-leading global consultancy. Our extensive service portfolio covers dispute resolution, claims consultancy, advisory support, and construction expert witness services. 

Throughout every phase of a project, we deliver comprehensive analysis, guidance, and support tailored to your specific case. Our expertise serves a diverse clientele, including owners, contractors, subcontractors, law firms, and government agencies, addressing their individual needs with precision.