Article written by Tom Sawyer and Jeff Rubenstone and appears on enr.com
Cybercriminals find the construction world a rich phishing ground with fat prey and soft targets
At the end of April, just as St. Ambrose Roman Catholic Church in Brunswick, Ohio, neared the close of a five-month-long, $5.5-million renovation, Father Bob Stec, the parish pastor, was surprised to hear that the contractor, Marous Brothers Construction, Willoughby, Ohio, had not received a $1.7-million payment.
“We were paying our bills. At some point somebody was able to get into our email system and in the course of that, changed the routing numbers for the wire transfers,” the pastor told local reporters. The $1.7 million disappeared.
The story follows a typical pattern of cybercrime impacting construction, starting with the use of email to divert funds, which vanish. But it also fits a pattern of victims declining to share details about how it happened. Neither Stec nor Marous Brothers responded to multiple requests from ENR to recount what happened. Most construction victims of cybercrime, including Turner Construction Co.—which had sensitive personnel data stolen in 2016—offer limited descriptions of the incidents and stress the steps they have taken to remediate. To be fair, the Federal Bureau of Investigation is on the case of the church building fund loss in Ohio, which means all parties have been told to clam up. But when it comes to spreading the warning to others, secrecy often prevails.
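The control that breaks the pattern just described is a payment-release gate: bank details arriving by email are never trusted on their own but compared against the vendor record captured at onboarding, and any change is held for a callback to the phone number on file. This is an added example, not code from ENR or any firm quoted here; the vendor record, routing numbers and field names are constructed, and the ABA check-digit rule (weights 3, 7, 1 repeating, sum divisible by 10) is the standard one.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed vendor master record. The bank details and callback number were
# verified at onboarding and must never be updated from details found in an email.
VENDOR_MASTER = {
    "contractor-example": {
        "routing": "123456780",        # constructed; passes the ABA check digit
        "account": "000123456789",
        "callback_phone": "+1-555-0100",
    },
}

def aba_checksum_ok(routing: str) -> bool:
    """ABA routing number check digit: 3,7,1 weights, weighted sum mod 10 == 0."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0

@dataclass
class PaymentRequest:
    vendor_id: str
    routing: str      # as stated on the invoice or in the email
    account: str
    amount: float

def evaluate(req: PaymentRequest, master: dict = VENDOR_MASTER) -> tuple[str, str]:
    """Return (decision, reason). Only details that match the verified record are
    released; anything that differs is HOLD for an out-of-band phone confirmation
    using the number on file, not a number supplied in the payment request."""
    rec = master.get(req.vendor_id)
    if rec is None:
        return "HOLD", "unknown vendor: complete onboarding verification before paying"
    if not aba_checksum_ok(req.routing):
        return "REJECT", "routing number fails ABA check digit; likely mistyped or forged"
    if (req.routing, req.account) != (rec["routing"], rec["account"]):
        return "HOLD", f"bank details differ from record; confirm by phone at {rec['callback_phone']}"
    return "RELEASE", "bank details match verified vendor record"

if __name__ == "__main__":
    # Constructed: the on-file details, then the same invoice with swapped routing.
    for rt in ("123456780", "135792461", "987654321"):
        print(rt, evaluate(PaymentRequest("contractor-example", rt, "000123456789", 1_700_000.0)))
```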
Contractors, construction managers and owners worry about cybercrime, and with good reason. Their complex projects, with myriad data exchanges among partners and subs, regulators and suppliers, software and systems—and now the internet of things—are tempting targets for hackers. The specific risks are too many to name and evolve constantly. They run the gamut from stolen or locked data to financial theft, sabotage, and destruction of hardware and equipment.
“Hacking is not just something happening in a distant land or like it is in the movies,” says Greg Young, vice president of cybersecurity at computer security firm Trend Micro. “Hacking today is not just getting free long-distance calls, it’s all about money.”
Young says that many hackers are trained for cyberwarfare by state-sponsored agencies and then go into business for themselves. “These guys are not paid well, so they go off at night and do ransomware, they do for-hire work. If someone wants something to fail, it’s easy to hire super capable hackers,” Young says.
Phil Weaver, senior director of IT at Warfel Construction, a $250-million, 300-employee construction firm based in East Petersburg, Pa., thinks the industry is unprepared. “I don’t think GCs and CMs are worried enough about the impact a cyber incident can have,” he says. “I think there is just a lack of understanding or realization that it can happen to us.”
John G. Voeller, retired senior vice president, chief technology officer and chief knowledge officer for Black & Veatch, has a very big picture view, having been drafted over the years by think tanks and the government to help scope risk to critical infrastructure. And from where he sits, the view is bleak.
“Some construction executives are worried, but too large a number of them do not understand the situation well enough, and their risk managers are too often not technical enough, or connected to their [chief security officer] strongly enough, to really see how many holes there are in their dike—and how few thumbs they have that are effective,” Voeller says. “They do not realize how precarious their situation is.”
Voeller points to the growing activity of state actors and cyber warfare agents, whose tentacles are infiltrating industries and utilities, and whose actions are beginning to move from disruption to outright destruction.
At the moment, many security experts are focused on phishing attacks like the one at St. Ambrose and their potential to put companies out of business. “Phishing is the biggest risk because there are many financial transactions conducted over electronic communications,” says Everardo Villasenor, construction IT leader and chief information security officer at DPR. “Cyberattacks occur where there are bigger opportunities for financial returns.”
David Sheidlower, chief information security officer at Turner, notes the FBI reports that more than $1.2 billion was lost to email-centered crimes against businesses in 2018. “So, we know the risk is real,” Sheidlower says. “That’s why Turner devotes such a high level of attention to raising awareness of the risks among our employees and our partners.”
A cybercrime is often a trigger to action. In March 2016, a Turner employee fell for a phishing email and sent tax information on current and former employees to a fraudulent email address. “We notified federal, state and local law enforcement and involved legal, law enforcement, information technology and security experts,” says Chris McFadden, vice president for communications. “We secured identity monitoring services at no cost to all impacted employees, including their spouses or partners, for an original term of ten years. Since then, we expanded coverage to all Turner employees, who now have access to identity protection services, which are designed to recognize signs of unauthorized use of personal information and help our people respond.”
Turner also has put in place an employee resource site with answers to commonly asked questions, data security tips and links to training material and available external resources on the subject of cybersecurity and protecting personal information. The company also has a cybersecurity awareness outreach program for companies it does business with to arm them with information.
What To Do
Aon’s Takaoka says a security assessment should come first. “Understand and have a third party come in and provide some guidance, based on your business [and] the size of the company, and come up with recommendations around the biggest areas of weakness,” he says. “Construction companies need to consider remediating these areas and do it in a risk-based fashion. It’s mostly about reducing the opportunities for damage, not eliminating them, and being ready if it does happen.”
Takaoka says contractors should make sure the basics, such as updating software, enforcing password policies and restricting approval rights and administrative privileges, are executed. “You stop forwarding emails to the outside, which is very simple and it doesn’t cost.” He also adds that they should get cyber liability insurance, “and if you work on anything, work on your backups. Make sure you have a good backup, retain a good incident-response provider and consider retaining outside counsel.”
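Takaoka's "stop forwarding emails to the outside" is checkable: an audit of mailbox rules that flags any enabled rule forwarding to an address outside the company domain, rating higher the rules that also delete the forwarded copy or carry an empty or single-character name, since those hide the forwarding from the mailbox owner. This is an added example, not code from the article or from Aon; the rule export format, field names and domains are constructed assumptions, not any mail platform's schema.

```python
# Constructed export of mailbox rules. Field names are an assumption; a real
# audit would map them from the mail platform's own rule listing.
COMPANY_DOMAIN = "example-contractor.test"

RULES = [
    {"mailbox": "ap@example-contractor.test", "name": "cc ap backup",
     "forward_to": ["ap-backup@example-contractor.test"], "delete_after": False, "enabled": True},
    {"mailbox": "cfo@example-contractor.test", "name": ".",
     "forward_to": ["cf0.office@mail-example.test"], "delete_after": True, "enabled": True},
    {"mailbox": "pm@example-contractor.test", "name": "old phone sync",
     "forward_to": ["pm@personal-example.test"], "delete_after": False, "enabled": False},
    {"mailbox": "estimating@example-contractor.test", "name": "site copy",
     "forward_to": ["site@jobsite.example-contractor.test"], "delete_after": False, "enabled": True},
]

def is_internal(address: str, company_domain: str) -> bool:
    """The company domain and its subdomains count as internal; compare case-insensitively."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain == company_domain or domain.endswith("." + company_domain)

def audit_forwarding(rules: list[dict], company_domain: str = COMPANY_DOMAIN) -> list[dict]:
    """Return one finding per enabled rule that forwards to an external address."""
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        external = [a for a in rule["forward_to"] if not is_internal(a, company_domain)]
        if not external:
            continue
        # Deleting the forwarded copy, or an unnamed / one-character rule, is what
        # keeps the owner from noticing; treat those as high severity.
        hidden = rule["delete_after"] or len(rule["name"].strip(" .")) <= 1
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule["name"],
            "external_targets": external,
            "severity": "high" if hidden else "medium",
            "action": "disable rule, reset credentials, review sent/deleted mail" if hidden
                      else "confirm with owner; disable if not business-required",
        })
    return findings

if __name__ == "__main__":
    for f in audit_forwarding(RULES):
        print(f["severity"].upper(), f["mailbox"], "->", f["external_targets"], "|", f["action"])
```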
Clients will gain confidence in contractors who manage cyber risk well, Takaoka adds. “That’s the reason you do that assessment by a third party, and share the results—which is basically a review of your processes and controls—and you provide that to the client. Either have that assessment done yourself, or expect that as time goes on customers are going to have third party assessments done of you.”
Turner’s Sheidlower says many owners have robust cyber risk management programs and review Turner’s cybersecurity protocols, which he says “mitigates the risk of attack on systems and information through a comprehensive approach to the technical, physical and administrative controls—coupled with training and policies that serve to raise awareness on a range of issues amongst the people who access and control the flow of information.”
Sheidlower adds that controls are available to firms of all sizes, and those include staying current with updating software patches, requiring multifactor authentication and installing anti-malware software on all endpoints.
“Contractors should emphasize identifying information assets, finding vulnerabilities, employing protective and detective controls and, finally, having a plan for responding to incidents in an effective manner,” Sheidlower says.
“On the tech side, patching vulnerabilities is really the easiest way not to be the low-hanging fruit,” adds AXA’s Roth.
When asked if large operations have a better shot at secure operations than small and medium-sized contractors, responses varied. Voeller’s quick observation was “obviously not when the largest in the world have been hacked and damaged, from Lockheed to Google to Facebook to the NSA.” Disaster recovery service vendor Unitrends claimed that security is attainable with the right tools.
In its description of services, Unitrends recommends a multilayered approach, but claims that “adding multiple layers to cybersecurity may look like you are adding many man-hours of labor to your already overworked IT department, [but] that does not have to be the case.” It says multilayered solutions can run and report findings automatically. “The only additional labor required is when a negative finding is discovered. Plugging an open security hole is labor you should be happy to invest,” the company says.
“The biggest issue I see here is small and medium-sized businesses don’t have the capital to properly address these issues, until they have a breach,” says Warfel’s Weaver. “For many SMB companies, they are much safer in the cloud than in their own environment,” he says, adding, “We are one of the SMBs I am talking about, but I like to think we are at least trying to do it right.”
DPR’s Villasenor says “Cybersecurity is scalable if companies start with simple controls and evolve with a good strategy. An evolving cybersecurity practice requires more investment, but based on the cyber threats, the ROI is there. Companies of all sizes have the opportunity to succeed on securing operations.”
Villasenor says DPR—a contractor with $6 billion in revenue and nearly 6,000 employees—uses collaboration platforms offered by service providers operating in compliance with privacy and security standards, including NIST, ISO 27001, CSA, HIPAA, SOC and others. He says contractors need to adhere to cybersecurity best practices, such as those promulgated by the Center for Internet Security, a nonprofit that “works to identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace,” according to its mission statement.
Villasenor recommends starting with the first six of CIS’ top critical security controls, which include making an inventory and securing control of hardware and software; continuous vulnerability management; controlling the use of administrative privileges; securing the endpoints; and maintaining, monitoring and auditing network activity.
But Villasenor adds, “You have to enforce cyber awareness training. One of our biggest threats is our own people. They can become victims very easily.”
DPR uses a third-party security awareness training service, Proofpoint, also known as Wombat, for training software and materials, but schedules and runs its own sessions in house. Wombat’s tools include a phish alarm button that email users can click to automatically report suspicious email to IT; it also checks whether the sender has already been vetted and added to a whitelist of trusted sources, which can save IT from being inundated with false alarms. Phishing can also be reported directly to Microsoft 365, Villasenor says. “They react very quickly. The best thing is to always report such incidents.”
“You are only as good as the weakest link,” notes Weaver. “It’s why so many of the megabreaches you read about started with a third party connection. People, processes and technology: I always oversell the people side. You can have the best controls in place, but if you don’t have comprehensive security awareness and training, you are a sitting duck.”
But Black & Veatch’s Voeller points out that addressing unsafe personnel practices is not a simple matter. People change jobs and there is no motivation or reward for dealing with the drudgery of methodically cleaning up their digital traces.
“In the future, people using data will be bonded in the same manner that we bond people handling money,” says Voeller. “As you hear the calls for regulation, be aware that I have been campaigning with major cyber leaders for making major data holders and creators to be treated as regulated utilities in the same manner as power, water and telecom. It is an essence of life, just like water, power and communications. Credentials will follow.”
Insurance broker Aon produced a U.S. Construction Industry Risk Outlook Report in February that claims cyber insurance options for construction are improving and, from the contractor’s standpoint, it is a buyer’s market.
The Aon report suggests “this is a good time to lock in baseline competitive pricing before any hardening of pricing occurs.” It says many construction-related firms are purchasing their first cyber policies because they are implementing technology to stay competitive and drive revenue, or are contractually obligated to have coverage, or their boards of directors are requiring it.
The report notes the ironic benefit that, despite the construction industry being hit with more ransomware leading to complex network business interruptions and rising incident response expenses, the resulting claims and loss data is leading to expanded coverage offerings and improved actuarial data for loss modeling purposes. “The stratification of risk enabled by improved data and analytics leads to better outcomes for the best specific risks,” the report states.
The report says this has led to average premium rates for cyber insurance dropping, on a year-over-year basis.
Takaoka says the end result is that “in ransomware situations there seems to be plenty of coverage. [Insurers] will pay ransom, and it’s pretty well known, but with wire fraud, it kind of depends.”
“Cyber insurance is a great risk transference tool,” says Weaver. “It comes in very handy if you have an incident. There are many regulation, notification, legal, and fine costs. Also, it provides you with training, policies and resources to prevent an incident.”
But looking across the whole construction industry, sources have a bleak view of the industry’s level of cybersecurity maturity, to borrow a term from Aon’s Takaoka.
While DPR’s Villasenor is confident that his company’s processes are performing well, on a scale of 1 to 10, he gives the industry as a whole dismal marks. “[Construction’s] cybersecurity score is low, perhaps 3 on a 10-point scale,” he says. “Many firms see cybersecurity as slowing operations or a high overhead cost versus perceived return on investment. Unfortunately, it has taken serious incidents for firms to truly understand the threat.”
Warfel’s IT director Weaver was even less sanguine. “Two,” he says. “I think it’s worse than most people know.”