US construction tech firms brace for increased cyberattacks

Cybersecurity experts caution against something far more foundational than ransomware attacks or private data thefts […]

Cybersecurity experts caution against something far more foundational than ransomware attacks or private data thefts when it comes to threats in the construction sector: Their eyes are on the security of building materials.

“Take for instance the construction of a bridge, you have to have that strength integrity,” said Jason Vigh, principal consultant for 1898 & Co., a Kansas City, Missouri-based business, technology and cybersecurity consulting firm. “What if [hackers] change the systems that are actually being used to automate [the project] and it collapses… all because the supply chain is compromised in the first place.”

Construction companies use automation during the mixture and measurement of materials or chemicals going into a manufacturing process. For example, a concrete contractor uses control systems to mix the cement and lay the concrete.

During the post-manufacturing process, construction pros use automation to test the structural integrity, such as surface hardness inspections, load testing and surface absorption checks.

The processes that go into the mixture and measurement of construction materials are vulnerable to cyberattacks because they use internet- and cloud-based technologies that have minimal defense parameters. If compromised, a cyberattack on these technologies could cause havoc that goes much further than companies’ wallets.

These automated systems leave tempting holes for cyberattackers to compromise, cybersecurity experts say. That means material failure is a real possibility if the systems become an attacker’s target.

Threat level rising

The attention on materials security comes as the Biden administration recently warned companies to harden their cyber defenses, as evolving intelligence shows Russia could launch a retaliatory attack against the U.S. and its allies. While the White House did not share specific targets, its steady stream of cybersecurity warnings are meant to harden critical infrastructure security.

Threat actors target the trillion dollar construction industry because it’s a known as a laggard in cybersecurity. Ryan Johnson, director of cybersecurity at construction technology firm Trimble, told Construction Dive that these worst-case-scenario cyberattacks are a concern in the industry.

“The integrity of critical infrastructure is certainly in scope of a malicious actor attempting to cause harm,” said Johnson. “Construction companies should look to embed security by design principles as part of their requirements definition stage for any structure components that are to be connected to the internet.”

The mechanisms to safeguard and detect those changes in the construction industry lag other industries, Vigh said.

“Think about the financial sector and the transaction of large amounts of money on these financial networks. There’s a lot of confidentiality and integrity checks that are in place for those types of systems,” said Vigh. “But on the construction side, where you’re talking about manufacturing and all those types of processes, those systems don’t have the same protections.”

A focus on security

At Dallas-based contractor Jacobs, cybersecurity is an increasingly important aspect of its business, especially specialized consulting, operations technology solutions and data analytics platforms. Earlier this year, the company reported accelerated requests for its data and cyber solutions from critical infrastructure customers, according to CEO Steve Demetriou during its first quarter earnings call.

Jacobs’ clients include the U.S. Department of Defense, the Combatant Commands, the U.S. Intelligence Community, NASA, the U.S. Department of Energy, U.K. Ministry of Defence, the U.K. Nuclear Decommissioning Authority and the Australian Department of Defence, as well as private sector companies in the aerospace, automotive, energy and telecom sectors.

To complement its focus on cybersecurity, Jacobs acquired all outstanding shares in November 2021 of BlackLynx, a provider of enterprise-scale software solutions for national security and commercial customers. In November 2020, it also acquired Buffalo Group, a leader in advanced cyber and intelligence solutions.

“There is not an infrastructure project right now with major agencies, in the U.S., the U.K., across the world, in Australia, where we don’t have a cyber component that’s with it,” said Bob Pragada, president and chief operating officer at Jacobs. “That’s going to become a bigger part of our business as we continue to go forward… it’s a great skill set as cyberthreats become as big of any threat that we have.”

Publicly traded construction companies Tutor Perini, Granite and Fluor also all reported in SEC filings their awareness of the evolving nature of cyberattacks.

Construction cyberattacks grow

Most cyberattacks in the construction industry involve ransomware or target sensitive customer data, said Vigh.

“But the compromise begins from where the system interconnects,” said Vigh. “Then it just depends on the adversaries’ target.”

Ghilotti Bros., a San Rafael, California-based concrete contractor, reported in December 2021 an unauthorized third party was able to temporarily access its systems and files. JMA Energy, an Oklahoma City-based oil and natural gas company, reported a data security breach in February.

Neither JMA Energy or Ghilotti Bros. responded to requests for comment on those incidents.

Steve Arring, product director at Procore, said the company is seeing higher anxiety about cyberattacks from its customers. The Carpinteria, California-based firm grew its cybersecurity team over the last year by 300% and also made substantial investments in defensive measures, said Arring.

Contech giant Autodesk is also keeping an eye on the rising threat.

“It does require some investment on behalf of everyone involved in the ecosystem,” said Sameer Merchant, vice president of product development at Autodesk.

“But that’s a much smaller price to pay than the price you pay if exposed to these attacks,” Merchant said. “Be prepared to face the upfront investment in order to make sure that downstream you’re protected.”