Cyber Risk in the Construction Site of the Future


One of the most disconcerting realities is that, while the risks to cyber security will undoubtedly increase as we leverage new construction technology, much of our current generation of technology already represents significant vulnerabilities. Moreover, these vulnerabilities ought to be reflected in our quantification of total exposure but rarely are.

If you consider a typical construction site, pretty much every machine has a control unit of some kind: a pressure sensor, a flow meter, a temperature sensor. Much of this field equipment is aggregated and controlled by a supervisory control and data acquisition (SCADA) system. In a building information modeling (BIM) environment, the SCADA system takes its rules and configurations from BIM. All of the data points from the equipment—from the pump running at 3000 rpm to the flow meter when you are pouring the slab—send their data to a part of a computer system called a static data pool. All these values are analyzed by the SCADA system, so on the day the pump runs at 2500 revs, an alarm goes off before the pump bearing disintegrates.

These static data pools are highly vulnerable to interference, so we might pour the slab light, let the pump explode on site, let the temperature in a mixing tank get too high, and so on.

This static data pool also provides a route into the BIM data and system, so the core data at Level 1 and 2 projects could potentially be compromised.

Implications of These Vulnerabilities

How smart have we been in viewing the implications of these existing vulnerabilities, in risks where we have already defined trigger events but clearly have not quantified the exposure to include the enablement, acceleration or amplification of risk that cyber vulnerabilities represent? Not very, in truth. As our resident white-hat hacker said recently, “3D and 4D BIM, autonomous vehicles and machines – yeeha!”

Perhaps the most dire of all the risks emerging from technological advancements in construction is cyber-related security. As web-based and interconnected tools become the new norm in construction, so will the threat of cyber-attack.

According to a 2014 study by HP, 70% of Internet of Things (IoT) devices are vulnerable to security attacks. Just recently, Proofpoint, Inc., a leading security-as-a-service provider, uncovered what may be the first proven Internet of Things (IoT)-based cyber-attack involving conventional household “smart” appliances. Here a smart fridge launched several hundred thousand spam emails (so-called spam floods as part of a denial of service attack). Given this, it is not unreasonable to assume that something very similar could happen in the construction environment with its smart buildings and related technology.

Nearly all of the aforementioned technological advances present increased susceptibility to cyber-related risk. And to make things worse, IT risk management is often isolated from the balance of company risk management.

Moreover, an attack could come from nearly anywhere:

  • The very small sub-contractor that can’t afford the additional security
  • The prime contractor who won’t support the specialist sub-contractor by providing hosting of the BIM environment for them
  • The 3rd party supplier who doesn’t vet their personnel properly
  • The CEO who opens the spear-phishing e-mail

One only has to recall the Target data breach, whose original intrusion was traced back to a third-party HVAC vendor, to know that the construction community is not immune to such threats. This breach will end up costing Target hundreds of millions of dollars.

But financial loss is not the only potential consequence of a cyber-attack in construction. Proprietary advantage can suffer, as years of R&D and related investment could be compromised if such information is stolen or leaked.

Furthermore, drones are connected to electronic communication systems and are therefore vulnerable to attack by hacking. That could result in a drone’s diversion from its intended flight path for purposes of theft and, in the most extreme cases, terrorism.


This post was written by the Willis Global Construction Industry, main contributors including John Roberts, Mike Phillips, Jeff Burns, and Kathryn Harb.

About John Roberts

A professional Mechanical Engineer by training, John Roberts joined the insurance industry in 1979.  In 2008 he jo…