Cyber Threats in Construction: 5 Key Vulnerabilities.

By: Christa Johnson

Dec 16, 2024 — Construction firms are often targeted for financial reasons, with attackers using social engineering to redirect vendor payments to fraudulent accounts. In some instances, compromised firms are exploited as springboards for downstream phishing attacks, where unauthorized access to email accounts enables hackers to target clients and vendors. The increasing use of digital sign-ins via mobile devices at job sites has contributed to the rise in attacks, as employees tend to be less cautious when dealing with phishing emails on the move, making them more vulnerable to such scams.

Here is a look at systems that may be vulnerable to cyber incidents.

Building Information Modeling Systems

Building information modeling (BIM) systems are a cornerstone of modern construction projects, facilitating collaboration by integrating data across various teams, such as architect, engineer, contractor, and client teams.

BIM is used for designing and managing the entire lifecycle of a construction project and storing highly sensitive data, including building specifications, schedules, cost estimates, and intellectual property.

Cybersecurity Vulnerabilities

• Data sensitivity: BIM systems store a wealth of sensitive project information, making them prime targets for cybercriminals. The theft or compromise of these plans can result in the loss of competitive advantage, project delays, or, in some cases, sabotage.
• Access points: With many stakeholders accessing BIM systems from different locations, ensuring each access point is secure becomes a challenge. Without robust identity management, unauthorized parties could gain access to project data.
• Cloud hosting: BIM systems are often cloud-based, exposing them to risks such as data breaches, misconfigurations, and insider threats. Improperly secured cloud platforms can lead to significant vulnerabilities.

Cloud-Based Collaboration Platforms

Cloud-based platforms such as document-sharing tools and project management software have become essential for construction firms, enabling seamless collaboration among teams regardless of location. These platforms handle critical business data, including financial records, client information, and project blueprints.

Cybersecurity Vulnerabilities

• Data breaches: If cloud platforms are not secured properly, they can become vulnerable to data breaches, leading to the exposure of sensitive information such as financial details and intellectual property.
• Insufficient encryption: Inadequate encryption protocols can lead to the interception of data in transit, compromising communication between teams and external partners.
• Third-party risks: Many cloud-based platforms have integrations with other third-party services, each of which introduces additional risk vectors.

Operational Technology Systems

Operational technology (OT) systems control the physical aspects of construction projects, including heavy machinery, HVAC systems, and automated equipment. With the construction industry embracing Internet of Things (IoT)-enabled devices and smart machinery, these systems are increasingly reliant on network connectivity.

Cybersecurity Vulnerabilities

• Remote attacks: OT systems are often interconnected, so a cyberattack on one machine can cascade across the network, potentially shutting down entire job sites.
• Weak segmentation: In many cases, OT networks are insufficiently segmented from IT networks, which can lead to vulnerabilities crossing from one network to another.
• (IoT) risks: Internet-connected construction machinery and sensors are susceptible to hijacking or manipulation, which could lead to physical damage, worker safety risks, or sabotage.

Third-Party Vendors and Supply Chain Risks

Construction projects depend on a complex ecosystem of vendors, subcontractors, and supply chain partners. Each third-party vendor that has access to project data or systems introduces new potential vulnerabilities into the construction firm's cybersecurity environment.

Cybersecurity Vulnerabilities

• Weak security practices: Not all vendors adhere to strict cybersecurity protocols, and breaches in their systems can expose construction firms to significant risk.
• Phishing and social engineering: Attackers often target vendors or subcontractors using phishing techniques to gain access to payment systems, which allows them to reroute funds or access sensitive financial data.
• Downstream attacks: If a vendor's systems are compromised, attackers can use their access to launch broader phishing attacks against other stakeholders, including the construction firm's clients or other partners.

Mobile Devices and On-Site Technology

On construction sites, mobile devices are frequently used for various purposes, including checking project updates, signing documents, and managing machinery. These devices, alongside other connected technologies such as drones and sensors, offer significant convenience, but they also open the door to various cybersecurity risks.

Cybersecurity Vulnerabilities

• Phishing scams: Employees on the go may not exercise the same level of caution when accessing emails or signing documents on mobile devices, increasing the likelihood of falling for phishing scams.
• Weak device security: Many mobile devices lack the necessary security measures (e.g., encryption or strong passwords), making them easy targets for cybercriminals.
• Unsecured Wi-Fi networks: On-site workers may connect to unsecured networks, which exposes them to man-in-the-middle attacks and other types of cyber threats.

Learn more about Gallagher Bassett's comprehensive cyber claims and risk management solutions