Klaus Gheri, Vice President Network Security and General Manager at Barracuda Networks, discusses the best ways to combat cyberthreats using technology in the construction sector.
What are some of the unique cyberthreats to the construction sector and why?
Decentralisation: By nature, most construction companies are highly decentralised. There are many stakeholders involved in construction projects that are highly dependent on mobile devices and laptops, offering multiple access points to networks and creating vulnerabilities if they are not all adequately protected and trained on cybersecurity.
Connected industrial devices like construction cranes and asphalt pavers: The fourth industrial revolution is slowly creeping into the construction sector, with permanently connected and autonomously operating heavy machinery. Obviously, these need to be properly protected from malicious threats.
Confidential information: Although construction companies do not host the type of personal information hackers find desirable (e.g., credit cards or financial records), they still have access to clients’ confidential information. Compromised intellectual property such as building specifications and architectural drawings can provide a roadmap for criminals to gain access to valuable personally identifiable information including financial accounts and employee data. Just like any other company, if you have access to this type of confidential information, you’re vulnerable to the common forms of cyberattacks.
Business interruption: As in any industry, cyberattacks can result in costly business interruptions for construction companies. A delay in construction projects can be quite costly, up to the point where the contract is revoked and passed to a competitor. This potential disruption must be built into the preventative measures of a risk management plan for construction projects.
How is the construction sector rising to the challenge of combatting these threats?
In an increasingly digitised and connected world, cybersecurity needs to be considered at all stages of a firm’s operation. The construction industry as a whole is unfortunately known to be rather slow at adopting new technologies. Countless studies and surveys over the years have shown that business owners continue to underinvest in technology. While it may seem daunting, cybersecurity can be approached and managed in surprisingly the same way as many other risk factors. Luckily, we’re seeing large construction companies already stepping up.
Can you outline any use cases of how technology is being used to mitigate threats?
Mobility: Just as the fact that construction is carried out in a variety of sites and locations represents a physical risk. Bases can often be temporary locations such as onsite cabins and trailers, with workers connecting to business networks and systems via laptops, tablets and smartphones. Nevertheless, security must not be any laxer than it would be in a permanent office, especially if there is a ‘bring your own device’ (BYOD) policy in place, which allows workers to access critical systems on their own devices. It is important to have a policy that requires passwords and other validation, while mobile devices should be assessed for vulnerabilities. Besides the regular antivirus and VPN on the devices, a better solution is a small and easy-to-manage security extension with built-in Wi-Fi that effectively forwards all traffic for inspection, covering the whole temp site.
For machine connectivity: The above functionality is available in an ultra-small form factor to fit into literally any industrial good, making sure the latest security standards are enforced on every device.
Would you offer any best practice advice for dealing with threats in this industry?
There are some relatively simple steps that construction companies can take to reduce the risks of cybercrime.
All networks, even temporary construction sites, should be protected with security software and firewalls. Setting up your own password-controlled Wi-Fi on site rather than logging into other parties’ networks can also help you limit the potential risks to which you are exposed. There are solutions that combine easy-to-manage firewall and Wi-Fi and can be deployed within minutes, even by untrained personnel.
Advanced email and web filtering should be required on all business networks. The number one distribution vector for malware, even in 2019, has been malicious email. This can not only prevent employees from accessing inappropriate content at work, but also restrict access to potentially harmful websites. Advanced Threat Detection functionality (ATD) should scan all email attachments and links before they reach the user. Email protection and Advanced Threat protection are typically outside the realm of smaller devices protecting remote sites or heavy machinery. To apply the same consistent levels of protection, a public cloud-based service scales across thousands of sites and hundreds of thousands of users with a single unified control panel.
All technical achievements aside, simple human error can render any investment in cybersecurity useless. It is therefore important to define, communicate, train and test robust policies to ensure that everyone in your organisation follows best security practices. In today’s cybersecurity arms race, it’s virtually impossible to guarantee immunity, but it is possible to drastically reduce your risks and make recovery as seamless as possible by automating backup and restore functionality for your data.
Are there any trends or future trends that CISOs working in the sector should prepare for?
Don’t neglect the public cloud and don’t be shy about seeking expertise from the outside. Much like future building owners don’t do the actual work themselves but contract out to specialists, you make use of the expertise of security service providers. This might go hand-in-hand with deploying new public cloud-based infrastructures.