In 1990, I read an exciting book titled The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. The author, astronomer Clifford Stoll, managed computers at Lawrence Berkeley National Laboratory (LBNL) in California. He was tasked with resolving an accounting error of 75 cents in the computer usage accounts.
The tedious process eventually led him to disclose a German hacker who had gained access to U.S. military secrets through LBNL’s computers. He had been selling information to the KGB for years.
Today’s threat landscape in construction
The LBNL incident was one of the first—if not the first—documented cases of a computer break-in. Fast-forward to today and cyber-attacks are an everyday phenomenon that occurs more often in construction.
A 2023 survey by Dodge Construction Network, in collaboration with content security and management company Egnyte, found that 59% of AEC firms had faced a cybersecurity threat within two years.
General contractors were the most affected, with 70% experiencing a threat and 30% dealing with a ransomware attack during that period.
Recent cyber incidents
Some examples of construction-related cybersecurity incidents include:
- Two ransomware attacks in 2022 on Finland-based companies, Vahanen Group, an engineering firm, and Uponor Corporation, a manufacturer
- A ransomware attack on Skender Construction, a Chicago-based general contractor, in 2024
- AI deep fake scam on ARUP allegedly led a staff member to transfer $25 million to Hong Kong bank accounts in 2024
- Spying malware distributed through the website of a professional association of the South Korean construction sector
Why construction is an attractive target
I can think of several reasons construction can be an attractive and lucrative target for malicious actors:
- Construction projects involve dozens or hundreds of companies that vary in tech maturity and security awareness. The weakest link can open the channel to valuable information.
- Email is still the predominant digital communication method and the primary source of phishing and other attacks. If anybody introduced our email tech, it would be deemed impossibly insecure.
- Construction project teams create and share information that has market value to some malicious actors. Designs of critical infrastructure, plans for a new production plant, or information about locations of sensitive equipment can be accessed through AEC firms’ computers.
One security expert told me that for some organizations, even seemingly harmless information can become valuable over time when connected with other data.
Prevent, protect, and prepare
Studies have shown that the construction sector is behind other industries in cybersecurity. However, in the Dodge survey, 72% of architects, engineers, and contractors claimed to have a moderate or higher degree of preparation for an attack that would cause them to lose access to documents.
The problem is that in a heavily networked industry, a cyberattack on one company on a project can impact several others, including the client. As general contractors are mainly responsible to the client, they should do due diligence on their partners’ cybersecurity. I don’t know how commonly CGs include related provisions in the contracts.
Anyway, we need to ramp up cybersecurity in this sector. Craig Yeack from Bulk Construction Materials Initiative suggests that construction businesses consider cybersecurity a funnel of three Ps: prevention, protection, and preparation. Prevention is the largest piece at the top.
PS. While I wrote this piece, I remembered a trip to Washington, D.C., in the early 1990s. I mentioned Cuckoo’s Egg while visiting an architect who lived there. To my great surprise, he knew the author personally. Not six, but one degree of separation this time!
View the original article and our Inspiration here
Leave a Reply