Status Critical

CYBER SECURITYCyberthreats are shaking up infrastructure.
By Eric Chuang and Ian Shapiro

Increasing infrastructure spending to the tune of $1 trillion was a core pillar of Donald Trump’s campaign for office, and a welcome refrain for the construction industry. Whether the new administration will deliver on this promise remains to be seen. Despite some cuts to the Department of Transportation in the administration’s first budget blueprint for fiscal year 2018, the White House reaffirmed a commitment to support the nation’s critical infrastructure in subsequent proposals.

With infrastructure investment still occupying some of the political discourse in the early months of the Trump presidency, one vital consideration remains largely absent from the conversation: cybersecurity vulnerabilities in critical infrastructure.

What are the Risks?

Cyber security risks associated with infrastructure projects have recently received attention at the federal level. This March, the Department of Homeland Security (DHS) issued a cyber security alert for critical infrastructure owners and operators outlining top cyber threats. DHS asserted “any sector that uses industrial control systems (ICS)” — ranging from energy to manufacturing to technology — could be susceptible to cyber attacks. ICS automates industrial distribution and processes, and comprises hardware and software components integrated via the Internet of Things (IoT).

Critical infrastructure encompasses 16 sectors — several of which are within the scope of the construction industry, including transportation systems, government and commercial facilities, energy and defense industrial bases (DIB). A cyber attack on firms involved in the construction of critical infrastructure, sensitive government facilities, or even facilities for emergency management, public health or medical providers, could jeopardize those services. Hackers could glean potentially vulnerable information housed in construction firms’ databases, including proprietary employee data, sensitive client data, tenant personally identifiable information (PII) and non-public material information. Construction firms also house computer-aided design (CAD) drawings and blue prints to sensitive buildings, which hackers can exploit to inflict physical damage.

A Triple Threat

Cyber security vulnerabilities in the construction industry are compounded by growing industry adoption of cloud computing and the IoT. Smart buildings technology, such as sensor-enabled heating and cooling systems, can be physically compromised or provide an entry point to the larger corporate network. With increased connectivity, the security (or lack thereof) of each individual device impacts the whole system’s integrity. And because IoT devices fall outside the traditional scope of IT, they are often overlooked. 

The top threats specific to physical infrastructure are distributed denial of service (DDoS) and the emerging threat of permanent denial of service (PDoS) attacks. DDoS and PDoS attacks aim to temporarily disable or permanently destroy technology – such as power grids, heating and cooling systems and Internet providers – by overwhelming the targeted system with traffic, thereby disrupting the distribution and delivery of a service.

And then there is ransomware, another type of denial of service (DoS) attack that uses encryption malware, generally downloaded via phishing emails, to block user access to computer files, potentially permanently if the victim is unable or unwilling to pay the ransom for the encryption key. Ransomware attacks quadrupled in 2016 with an average of 4,000 per day, according to data from the U.S. Justice Department. The problem from a critical infrastructure perspective? Ransomware could infect operational technology, disrupting essential processes or taking entire systems offline.

Although DoS-style threats emerged nearly two decades ago, hackers have leveraged IoT to carry out much more sophisticated attacks in recent years. For example, the October 2016 attack against Domain Name System (DNS) provider Dyn, used IoT and a Mirai botnet to increase the attack’s scope and impact. Mirai botnets are a strain of malware that infects internet-connected devices and corrals them into an IoT “army” to overwhelm a target’s servers with malicious traffic, shutting down highly trafficked websites for several hours. While the Dyn attack caused arguably little more than inconvenience, it spurred speculation about the chaos and physical harm a DDoS – or worse PDoS – attack of that scale, or bigger, on the nation’s infrastructure could potentially cause.

Cyber attacks to date on critical infrastructure have largely targeted power grids and the electrical sector. In 2016, ransomware and DDoS attacks of that nature stole headlines worldwide. In Finland, a DDoS attack targeted computerized heating distribution centers, disabling heat to apartment buildings. In December, a cyber attack on the Ukrainian capitol’s power grid caused a power outage in various areas of the city. The attack has roots in malware — employees at Ukrainian power companies received infected emails, which allowed the hackers to seize control over their computers and carry out the attack. Beyond the technical semantics of the attack, it appears the act might have been one of cyber warfare. CBS News reported that Russia was likely tied to the DDoS attack, motivated by the war in Eastern Ukraine. With this incident in mind, securing the U.S.’s critical infrastructure against cyber attacks becomes a matter of national security.

The Contractor’s Role

From a business perspective, construction companies would be wise to shore up their cyber security. Construction firms looking to win federal or state government contracts under the much-anticipated infrastructure spend will be held to stringent cyber security standards. The U.S. government produces, collects, consumes and disseminates huge volumes of data and entrusts sensitive information to federal contractors. At the federal level, the Federal Acquisition Regulation requires basic safeguarding of contractor information systems that process, store or transmit federal contract information, and contractors can face fines or contract termination if there are levels of cyber negligence. Construction companies contracting with the government must also consider their subcontractor’s cyber security standards: Any weak cyber link can create a vulnerability.

While the construction industry looks forward to the promise of financial boon from new infrastructure projects, cyber security should remain top-of-mind. Too often, contractors may have basic cyber defenses in place but don’t prepare any real coordinated response plan until after an incident occurs. Cyber security controls addressing current threats are essential, but with the rapidly emerging swath of risks, contractors need to set their sights on the future and invest in monitoring, responding to and mitigating the next big threat.

Eric Chuang Eric Chuang is a managing director in BDO’s forensic technology services practice. He has held several senior positions in law enforcement, including most recently as chief of the computer operations group in the Operational Technology Division of the FBI, where he received the FBI Director’s Award for Outstanding Science & Technology Achievement. 

Ian ShapiroIan Shapiro is a partner and co-leader of BDO's real estate and construction practice. 

Current Issue

Check out our latest edition!


alan blog ct

Contact Us

Construction Today Magazine
150 N. Michigan Ave., Suite 900
Chicago, IL 60601


Click here for a full list of contacts.

Latest Edition

Spread The Love

Back To Top