Cybersecurity in BIM: Protecting Construction Data


Last Updated May 13, 2025


When thinking of desirable targets for cybercriminals, the construction industry probably isn't top of mind. However, while a construction company may not have as many credit card numbers stored, they're a rich source of information that hackers, scammers and other unsavory players can leverage.

The data centers, labs and other notable projects on which teams work have plenty of data that entices threat actors. Often, the construction company isn't the direct target. Instead, it serves as the conduit hackers use to get to sensitive information.

This exposure grows as the construction industry increases its reliance on digital tools. As companies use building information modeling (BIM), for example, they create a data-rich tool to guide the project. But that model is also ripe for picking by threat actors. As a result, any company deploying BIM absolutely needs to be thinking through its cybersecurity approach.  


The Pressing Need for Cybersecurity in Construction

have deemed cybersecurity in BIM critical, and for good reason.

As released in conjunction with an Associated General Contractors of America (AGC) event put it, "The construction industry is one of the leading industries impacted by data security incidents." The Construction Management Association of America the construction industry "more vulnerable than ever to cyberattacks." Between 2019 and 2020, found that construction saw an 800% increase in data breaches.

Other historically targeted industries have already done the work of strengthening their defenses against cyberattacks. Since the construction industry is relatively new to its technological adoption process, hackers assume (often rightly so) that the maturity around cybersecurity isn't there.

On top of all of this, data breaches can violate regulations. That means that in addition to facing the cost and brand tarnishing, a cyberattack can expose construction companies to fines and other penalties.

With BIM, exposure grows. Suddenly, companies have a single package of essential data that cybercriminals could access. It will certainly give them information about the layout of the building, and probably includes details about infrastructure and security systems, too. If the model includes data about the structure's Internet of Things (IoT) setup, it can give threat actors a way to plug into the building and lurk there, gathering data over time.

In short, as companies deploy more technology, it's increasingly pressing to harden the security layers of those technologies.

Construction Cybersecurity Case Studies

A couple of notable incidents underscore the importance of bolstering cybersecurity in the construction industry. 

The first is the well-known Target data breach. This massive fallout originated not from Target's internal systems, but sent to an HVAC contractor Target used. With that malware in the contractor's system, the hackers got access to credentials to Target's contractor portal. By uploading a web shell there with hidden operating system commands in it, the threat actors were able to access Target's servers.

The resulting breach compromised 70 million customers' personally identifiable information (PII), along with the credit card information of 40 million customers. Target paid $162 million for the fallout.

Another example illuminates how much data exposure can compromise construction project outcomes: At a large AEC conference, a national intelligence official shared a story. He said that because of a temporary exposure of the BIM model, stakeholders on the project had to tear up and reroute fiber optics and other utilities. Undoubtedly, this lengthened the project's schedule and added costs.

The Difficulties of Cybersecurity in BIM

With BIM, securing data gets increasingly difficult. That's because the model is often shared with a range of stakeholders, and may even be moved from one BIM platform to another. This can be true even if the stakeholder won't necessarily do anything with the model other than look at it. The owner might want model access to track project progress, for example.

In any case, that external data flow increases the risk for exposure. BIM is so much more than just a 3D model. It can have a wide range of data attached, from spec sheets and requests for information (RFIs) to IoT and reality capture data. If an unsavory player wants to learn about that building, or embed themselves in it, BIM gives them an excellent access point.

To make matters worse, threat actors can attempt to gain access to the model in a number of ways, including:

  • Viruses, or malicious software programs that can spread from one device to another
  • Ransomware, which cybercriminals use to hold data hostage until they receive payment
  • Man-in-the-middle (MITM) incidents, during which threat actors intercept communications and act as a secret intermediary, allowing them to gather data and even send false data back and forth; in some cases, the MITM can conceal money transfers inside what looks like a normal set of transactions
  • Subscription bombs, which flood information to a user's inbox in an attempt to hide other activities, like an electronic transfer
  • Phishing, when cybercriminals send fraudulent emails that look like they're from a reputable source, like the company's bank or vendor, in an attempt to get people to unwittingly hand over sensitive information
  • Spear phishing, which works like phishing but instead of targeting a broad group, targets individuals or a handful of people with personalized information that's most likely to engage them

Today's cybercriminals are much more sophisticated than many people think. They're also patient. They may worm their way into a system, then silently wait for months or even years until information they can leverage is revealed.

That's particularly true when they stand to see significant gain from the cyberattack. As digital attacks on infrastructure , construction professionals need to be aware of and proactively defend against risk. If the hacker can use the construction company to access information about water treatment plants or power grids, the issue can escalate from a data breach to something even more serious.

Building Better Cybersecurity in BIM

To defend against the wide range of risks facing BIM data, construction companies need to take action. 

They can't rely on their individual team members to protect the data. Malware and threat actors are getting increasingly advanced.

Plus, BIM managers and other virtual design and construction (VDC) stakeholders are already having to move quickly. As construction schedules get shorter and budgets tighten, they need efficiency. As a result, cybersecurity needs to be built in. 

Here are a few channels companies can tap to harden their security processes in ways that don't excessively burden their team.

Partnership with Vendors

Before introducing a new technology at the company, stakeholders need to thoroughly vet that vendor and their own security layers. This partnership should continue as the company leverages the software, creating a pathway for communication.

As the vendor rolls out new features, for example, additional security measures might be required. Maintaining an active partnership helps to keep the company informed and secured.

Collaboration Between the BIM Office and IT

BIM personnel need tools to do their work. A close collaboration with the information technology (IT) department can build the required security measures into each of those tools. Even plugins should be evaluated by IT before they're deployed.

At the same time, IT should strive to avoid becoming an "office of no." Taking time to understand the needs of BIM staff can help them identify tools and processes that deliver what's required while meeting cybersecurity standards.

Multi-factor Authentication (MFA)

MFA adds an additional authentication layer. Instead of accessing a system with a simple username and password, for example, MFA might require the user to type in a code sent to their email or provided by an authenticator app. Implementing MFA adds a significant layer of protection to BIM platforms and any other systems the company uses. With it in place, even if a hacker gets a user's password, they won't be able to crack into the system.

Role-based Access

Role-based access means only giving someone access to the data they truly need. The owner might get a role that lets them look at the model but prevents them from making any changes, for example. Or the trade contractor might get access only to the portion of the model that pertains to their work. This limits exposure.

With role-based access in place, even if a threat actor gains entry into the BIM platform, they'll only be able to access as much data as the user whose role they breached.

Regular Software Updates and Patches

As cyberattacks evolve, software providers continually update their systems to defend against them. That's why consistently implementing updates and patches matters so much. Companies should automate and enforce updates and patches and have a monitoring system in place to make sure everyone is complying. If they write their own code, even for plugins, they should also take steps to continually patch the code base over time.

Employee Training

Offering, and even requiring, periodic cybersecurity training can help companies defend against threats. At the same time, it helps employees handle the digital risks they face in their personal lives. With a lower risk of identity theft and other cyberattack-related problems, staff members are better able to focus on their work.

Decommissioning

As projects come to a close, companies should have a plan for limiting ongoing access to sensitive data. The model may need to lead a longer life for handover to the owner, but in most instances, trade contractors can have access cut off after closeout. Companies should make this time-based access adjustment part of their decommissioning process.

External Assessments

External providers can perform cybersecurity assessments to identify areas that need hardening. Periodic assessments help companies keep pace as digital threats evolve. 

Clear Audit Trails

Audit trails, or records of activity over time, are important in the event of a cyberattack. Being able to trace back to the root of the issue and see every data repository the attack affected makes it easier to facilitate remediation.  
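
A minimal sketch of how the role-based access, closeout cutoff and audit trail described in the sections above fit together in one access check. It is an added illustration, not code from any BIM platform; the role names, scope labels, sample grants and the `check_access` and `denied_events` functions are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical role table: role -> actions it may perform on the model.
ROLE_ACTIONS = {
    "owner": {"view"},                      # look, but no changes
    "trade_contractor": {"view", "edit"},   # only within assigned scopes
    "bim_manager": {"view", "edit", "export"},
}

@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    scopes: frozenset          # portions of the model; "*" means all of it
    expires: Optional[date]    # closeout cutoff; None = kept for handover

def check_access(grant, action, scope, today, audit_log):
    """Deny by default, and record every decision in the audit trail."""
    if grant.expires is not None and today > grant.expires:
        reason = "grant expired at closeout"
    elif action not in ROLE_ACTIONS.get(grant.role, set()):
        reason = "action not permitted for role"
    elif "*" not in grant.scopes and scope not in grant.scopes:
        reason = "scope outside assignment"
    else:
        reason = "ok"
    allowed = reason == "ok"
    audit_log.append({
        "date": today.isoformat(), "user": grant.user, "role": grant.role,
        "action": action, "scope": scope, "allowed": allowed, "reason": reason,
    })
    return allowed

def denied_events(audit_log, user=None):
    """Pull denied requests from the trail, e.g. when tracing an incident."""
    return [e for e in audit_log
            if not e["allowed"] and (user is None or e["user"] == user)]

# Constructed sample grants (names and dates are made up for this sketch).
OWNER = Grant("owner_rep", "owner", frozenset({"*"}), None)
MECH = Grant("mech_sub", "trade_contractor", frozenset({"mechanical"}),
             date(2025, 6, 30))

if __name__ == "__main__":
    log = []
    during, after = date(2025, 6, 1), date(2025, 7, 1)
    print(check_access(OWNER, "view", "structural", during, log))
    print(check_access(OWNER, "edit", "structural", during, log))
    print(check_access(MECH, "edit", "mechanical", during, log))
    print(check_access(MECH, "view", "electrical", during, log))
    print(check_access(MECH, "view", "mechanical", after, log))
    for event in denied_events(log):
        print(event["user"], event["reason"])
```

Because every request is logged whether or not it is allowed, the same trail shows both what a breached account could reach and which attempts fell outside its role.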

Clarifying Protocol With a Cybersecurity Policy

Any company that wants to limit data exposure as they work with BIM should create and deploy a robust cybersecurity policy. Some areas of consideration in developing that policy include the following.

Clear Processes for Team Members

An overarching cybersecurity policy informs all staff members about protocols they need to follow. It can tell them the process they need to use to set up MFA or request role-based access. It can specify data handling procedures. It should also include how to respond in the event of a data breach. 

Guidelines for External Data Exchanges

The cybersecurity policy also needs to lay out how and when BIM data leaves the company's internal environment. If the model will be shared with a trade contractor, for example, the policy can outline steps to build safeguards into that external data exchange. That includes cybersecurity measures, of course, but it might also entail contractually captured risk shifting.

In other words, the cybersecurity policy should spell out the data chain of custody, what's required of each custodian and their resulting liability.

Company-specific Safeguards

In creating an effective cybersecurity policy, construction companies need to evaluate their own unique data environments, assets and exposures. If the company creates intellectual property (IP), the policy should lay out guidelines there, too. It might set limits on what IP can be used to train AI, for example. Or if the company uses tools that are integrated into their internal network, those should be considered.

Take critical machinery like plasma cutters and milling machines as an example. If those can't be secured, segmenting them from the data infrastructure and taking steps to limit data flow helps to mitigate risk.

Integration With a BIM Execution Plan

A company鈥檚 cybersecurity policy should work in tandem with their BIM execution plan (BEP). It may even make sense to duplicate cybersecurity policies in the BEP so those are an area of focus as teams get ready to deploy BIM on new projects. 

As they develop this policy, companies also benefit from thinking about the costs involved. They may decide to implement a rate for the cybersecurity required on projects that use BIM and include that in their overhead.

Balancing Cybersecurity With Efficiency

Mounting evidence points to the need for stronger cybersecurity at construction companies. Even so, it's important for teams to balance safeguards with productivity. If the cybersecurity measures introduce hurdles and boundaries, it will slow progress. At a time when construction schedules are getting shorter, that will only create problems and frustrate team members.

When done well, cybersecurity doesn't create friction. It should be built into the company's processes so that it's invisible and painless.

Creating this kind of smoothed and integrated cybersecurity requires companies to understand what kind of access their team members need. Spending some time thinking through user roles and how data gets exchanged helps them build effective cybersecurity processes with which employees can easily comply. External partners like cybersecurity auditors can be a huge help here.

Fortunately, all of this work can pay off, literally. With stronger security in place, companies position themselves to land more projects. Take the Cybersecurity Maturity Model Certification (CMMC) requirement for Department of Defense (DOD) projects as an example here. Without strong, proven cybersecurity measures in place, contractors are blocked from bidding on some DOD projects.

Owners increasingly expect robust cybersecurity, too, so investing here can give construction companies a strategic advantage. At the same time, it helps them avoid being the victim of a cyberattack and facing the expensive, brand-tarnishing fallout that comes with it.

Written by

Jeff Sample

Jeff Sample has devoted the past 25+ years to transforming companies. Jeff optimizes companies throughout the construction industry by designing solutions, optimizing strategic advantages, and breaking down information silos. His passion for outdoor adventure and Ironman competitions garnered him the moniker, "The Ironman of IT." As an Industry Evangelist, Jeff promotes collaboration and the transformation of construction to help project teams reach their potential. His depth of IT experience in various industries and his passion for continuous improvement have made Jeff a popular speaker and vocal thought leader in construction, spending much of his time educating on multiple topics to better the industry.

Kacie Goff

Kacie Goff is a construction writer who grew up in a construction family: her dad owned a concrete company. Over the last decade, she's blended that experience with her writing expertise to create content for the Construction Progress Coalition, Newsweek, CNET, and others. She founded and runs her own agency, Jot Content, from her home in Ventura, California.
