Cyren Security Blog

Construction Industry Security Threatened by Weak Links

by John Callon

Remember the big Target breach in 2013, when 40 million credit and debit cards and as many as 110 million email addresses were stolen? It cost Target $292 million (according to their annual report), led to 80 lawsuits which took four years to resolve, and cost the CEO his job.

Subsequent analysis eventually pointed the finger at weak email security at a vendor among Target's many store construction and maintenance providers, specifically a regional HVAC company (whose name is known and who received a lot of negative attention from the press). The hack began with an employee at the small firm who received an email which was not blocked by the existing email security, and was induced to open the attachment — which contained malware that captured locally stored system passwords, including access to certain Target systems.

Smaller firms are the most common point of entry

If you read the news, you may be under the impression that criminal hacks are focused solely on major firms, but the truth is that the majority of successful attacks on businesses target SMBs and mid-market firms.

According to a 2017 study by the Ponemon Institute, 56% of large breaches were shown to be the result of an initial attack at a third-party partner or supplier. Since construction and infrastructure-related businesses are always embedded in a complex, diverse set of relationships — the many moving parts necessary to make new homes happen, buildings spring up, and roads appear — the construction industry is particularly prone to this problem of collective risk, where security is essentially only as good as the weakest link in the supply chain. A construction firm may be working with a high-profile property management company. An HVAC or electrical vendor could be working with a civil engineering company, which is in turn working with a large, high-profile corporation to build new office space. All of these businesses could be connected to a recognized financial institution as part of the construction investment and lending deal.

These supply chain connections put construction-related businesses in the cybercriminal’s crosshairs, simply because these firms are going to possess or have access to privileged information about the other interconnected organizations. That information could take the form of trusted access into a customer’s IT networks and portals, or financial transaction data connected to the banking institution managing the construction loan, or be something as seemingly insignificant as email addresses for the various investors in a construction deal. Regardless of the type of information in the firm’s possession, it is all valuable to the hacker.

But even in the absence of the "big score," keep in mind that hackers today can easily monetize even modest amounts of data. "Informationally liquid" black market buyers can buy data stolen from one source and combine it with data from other sources, completing a picture that enables valuable, tailored phishing campaigns, for example. So even modest amounts of data from smaller firms have utility and value in the marketplace.

Small and mid-sized companies are over 50% of hacks

Research bears out the fact that, as far as cybercriminals are concerned, small- to mid-sized suppliers of materials and services are currently highly targeted. The 2018 Verizon Data Breach Investigations Report also shows that smaller businesses are the target of cybercrime 58% of the time.

It's a dynamic which certainly crosses industry lines. The massive 2014 hack into Home Depot (resulting in 56 million stolen credit and debit card details) was attributed to a third-party vendor, as were the hacks into Amazon Web Services and Wendy’s, as well as the so-called “Panama Papers” breach.

Phishing is currently the #1 threat

Looking at these supply chain breaches, the majority of them result from a phishing attempt via email—not surprising considering that phishing was the most successful type of attack on all businesses in 2017, according to the annual Cyren-Osterman Research survey. In the case of a construction-related business, once inside, the hackers perform reconnaissance and map the network. They steal user names and passwords; they obtain both internal and customer email addresses; they collect social security numbers and birthdates for the employees. They may even be after more focused information, such as building blueprint plans, electrical schematics, or building access or security guard details.

Free security tool led to Target breach

The malicious email at the source of the highly destructive Target breach probably would have been blocked had the HVAC vendor been using an effective email security service. (As it was, reports suggest that the HVAC vendor was using a ‘freebie’ security tool—that did not include real-time updates—to protect its entire system, including access to all the passwords and portals for its various large clients.)

Free downloadable security tools are designed for individual consumers, and do not offer the type of protection businesses need. Consumers simply aren’t targeted with the same intensity as supply-chain businesses. New threats are appearing constantly, and, once a threat has been launched, you only have seconds to block it.

Construction supply company loses data and a week of work

In 2015, an employee at a mid-sized concrete manufacturer clicked on an email attachment containing ransomware, which then installed itself on the employee’s computer. From there, the CryptoWall ransomware spread throughout the company, encrypting every system, from production to accounting and invoicing. The manufacturing and delivery of concrete to active construction sites came to a halt for several days. In an effort to get production up and running again, the company paid the ransom and then reportedly hired external consultants to clean the corporate networks. A week into the clean-up and recovery process, the company was still not back at full production capacity. And, unfortunately, in the end, some of the data was never recovered.

Construction and building trades businesses are heavily reliant on project and production schedules to ensure profitability and customer satisfaction. It only takes one ransomware or phishing attack to have a detrimental effect on an entire construction project, including work shutdowns and potentially significant delays in the delivery schedule, leading to financial consequences such as reduced fees or fines for delayed delivery.

Be prepared

As suggested earlier, security is only as good as the weakest link. And the construction supply chain is only growing bigger and more complex. No business connected to the industry wants to be at the center of a major data breach with national or global implications. Fortunately, several construction industry organizations recognize this and have made security part of their key and critical member messaging. For example, this year’s Associated General Contractors (AGC) IT Forum will include security as part of its primary agenda topics.

Ultimately, construction-related businesses need to view cyberattacks as a critical business risk, not unlike regulatory compliance or financial risk. As such, web and email security need to be a key component of a business risk plan.
