Cyber security is well known and widely used in the broad financial services, medical, pharmaceutical, and communication industries, among others. What is not well known is that the architecture, engineering, and construction (AEC) sector is at high risk of cyberattacks. This is proven by the increase in cyberattacks on AEC small businesses over the past several years, which has increased the need for cybersecurity training programs for employees.
The construction industry's exposure to cyberattacks is amplified by the quantity of confidential and proprietary information that is stored digitally and shared across projects and their long IT chains. The risks of cyberattacks are not unique to this sector, but their impact on the construction industry is distinctive.
There are five cyberattack types specific to construction and related industries. They are ransomware; fraudulent wire transfer; business interruption (downtime); intellectual property breach; and breach of bid data.
Cyber-risk has been exacerbated by the advent of digital transformation, especially in the form of digital twins used by plants in this sector. They generate even more opportunities for cybercriminals, which has created the need for all employees – onsite, on-plant, or in-office – to be fully aware of all potential cyber threats and what can be done to counter them. A cyberattack on a company’s or plant’s digital twin can be devastating. The loss of intellectual property and assets is a real risk, as are the long-term effects on the organisation’s reputation.
WorldsView, a leading software solutions provider to the AEC sector and built environment, has introduced Terranova Cyber Security training. Terranova Security is a global security awareness training partner that offers companies programs that use a teaching framework, empowering companies to implement training programs to change user behaviour, reduce the human risk factor and counter cyber threats. The training is designed to transform a company’s employees into its most powerful cyber security assets.
Construction is generally considered a lucrative, high-cashflow business. Proofpoint®, a market leader in email security, opines that the AEC industry is the second most targeted industry for email fraud, with an average of 61 attacks per company over a three-month period.
Remote working exacerbates cyber-risk
The advent of the COVID-19 pandemic and subsequent isolation measures for personnel meant that many companies enabled remote connectivity to email, networks, and third-party platforms. Few AEC-related organisations, however, considered implementing the adjustments required to protect their data and systems. One of these adjustments could have been personnel training for enhanced cyber risk awareness.
The construction industry has, by and large, avoided heavy regulation in data security and privacy laws, which may have contributed to less focus on cybersecurity than was given to other industries. Threat actors are aware of this gap, which puts companies within this industry at higher cyber risk than those who previously gave prominence to cybersecurity. Artificial intelligence (AI) has the potential to make this threat worse. Construction companies leverage AI technologies such as machine learning and robotics, among others. It is important, therefore, that these technologies have data security, privacy risk assessments, and proper controls in place.
Take digital twins, for example. The integration of digital twins with existing cyber-physical (intelligent) systems increases the potential for cybersecurity attacks. This is because the bidirectional communication channel linking the digital and physical entities facilitates synchronous data exchange in real time. It is, therefore, possible that any malicious update to a digital twin may be reflected in its physical counterpart. This means that a digital twin can create an additional failure point in the system, which has the potential to be exploited by cybercriminals.
It is imperative that any unauthorised modification or destruction of data or operations, whether during processing, in transit, or in storage, be prevented at all costs. Secure communication between the digital twin and its physical counterpart is required to preserve this integrity, an essential factor in ensuring non-repudiation and the authenticity of commands to the system. This is necessary for the system’s secure operation and to support any incident response capabilities.
Employee training can reduce cyber risks
Terranova Security teaches employees to recognise cyber threats like phishing, ransomware, malware, and social engineering, and to learn the tactics to combat these threats. Its cybersecurity program is suited to companies of any size and can be tailored to an organisation’s specific cybersecurity needs and objectives.
Terranova Security is the Global Partner of Choice for brands like Microsoft, Nestlé, Volvo, and PepsiCo, among many other top-end brands. The product is available on an easily deployable platform in 40 global languages and offers an easy-to-build customised learning path for each of its clients. Employee participation is easily tracked and monitored internally.
Businesses that implement cyber security training for personnel experience less downtime during a data breach, have more confident, knowledgeable employees who can detect and avoid threats, and experience decreased costs associated with data leaks and other incidents.