Law and contract: Why digital technology is leading to increased cybersecurity risks

Despite streamlining the construction process, these technological advancements have led to an increase in cyber security risks, further reinforced by the high cash flow and high-value payments within the industry and the mere fact that many projects involve critical national infrastructure, whether in the United Kingdom or across the European Union.

Unfortunately, these factors make cybercriminals view construction businesses as prime targets for attacks.

As the construction industry becomes increasingly digitised, the amount of data and sensitive information being collected and shared electronically within organisations has grown significantly, whether that be proprietary designs or employee records, for example.

As a result, the consequences of a cyber-attack can be particularly severe for construction firms, potentially leading to significant financial losses, as well as compliance or even safety risks.

The impact of cyber-attacks also extends to reputational damage, with data breaches often leading to losing customer trust and brand loyalty.

This can have long-lasting effects on a company’s bottom line and ultimately highlights the growing importance of robust cyber readiness and security to construction firms working on important infrastructure projects.

Growing fear of cyber-attacks in construction

One example of a common type of cyber-attack on construction companies is ransomware, when a computer system is held hostage, and an attacker demands payment in exchange for restoring the owner’s access.

Recent examples of ransomware attacks on firms in the UK construction industry include:

Hackers exploited a vulnerability in a construction services company’s website to access the firm’s network and carry out a ransomware attack. As a result, the firm’s files were encrypted and payment was demanded by the attackers in order to restore access.

An infrastructure management company was hit by a cyber-attack from a ransomware group. The group leaked some of its contracts, confidential partnership agreements, financial documents and non-disclosure agreements.

Fraudulent wire transfers are also becoming more common, involving large sums of money being moved out of an account.

European legislation like the NIS2 Directive, alongside the Cyber Resilience Act, currently provides foundations to protect critical organisations and infrastructure in the EU from cyber threats (Photo: AdobeStock)

This is often due to cyber criminals’ ability to manipulate individuals into divulging sensitive information, using tactics such as sending phishing emails claiming to be a supplier and asking construction firms to update their records of the supplier’s bank details for future payments.

European legislation like the NIS2 Directive, alongside the Cyber Resilience Act, currently provides foundations to protect critical organisations and infrastructure in the EU from cyber threats, aiming to achieve a high level of common security across the EU.

However, to respond to cyber risk, the UK and EU are tightening cyber security regulatory requirements and obligations on operators, as well as their supply chain. Regulators are looking at which areas of infrastructure require additional cybersecurity protection.

The UK parliament recently underwent an inquiry into cyber resilience of critical national infrastructure in which the government’s role in setting standards and regulations for cyber preparedness were explored, following the National Cyber Security Centre’s (NCSC) recent warning that Russian aligned groups were intent on disrupting infrastructure in the UK.

The inquiry relates in part to energy infrastructure and from it, the government hope to better understand what their role should be in setting standards and regulations for cyber resilience and preparedness.

Increasing cyber security on the ground

Cyber risk can be difficult to control on a construction site, with subcontractors and temporary staff adding to the existing risk posed by the technological prowess of cybercriminals.

Therefore, contractors should look to their networks of reliance and risk assess their exposure to cyber weaknesses, including what more they can do on the ground to provide themselves with increased protection and where this protection is most needed.

This includes looking at every link of the construction chain, and asking sub-contractor partners to demonstrate sound cybersecurity practices in their tenders, for example.

In the UK, the NCSC and the Chartered Institute of Building (CIOB) have recently partnered to produce practical guidance to support businesses, including SMEs, working in construction, which can be used as a guideline for implementing cyber security measures.

This guidance includes advice on collaborating with suppliers and partners to ensure sensitive information being shared between parties working on a project is protected, and to encourage suppliers to get Cyber Essentials certification; a government-backed scheme to help organisations protect themselves from common cyber-attacks. The NCSC has also developed an e-learning package ‘Top Tips For Staff’, which can be completed online, to educate employees on cyber security.

Businesses working in construction are also urged to pay specific attention to how artificial intelligence (AI) interacts with cyber security. As more organisations, including in the construction industry, continue to explore how AI can help their businesses, cyber security risks will continue to remain a key consideration and should be kept under close review into 2024 and beyond. ce