Monday, Aug 19, 2019
BY: Dan Hoban
Construction technology is shifting. Advancements in mobility, applications, and the cloud are changing the capabilities of construction networks, leading to integrated data, and a quick transfer of knowledge. But, with this change comes challenges and risks. Data is no longer centralized, work is more dependent on IT, and IT security is a more daunting task than before. This blog details the shift in the construction IT landscape, risks from these changes, and what a construction IT leader must do to prepare, operationalize, and secure the modern construction network.
Construction IT Landscape Shift
The construction network was simplistic. It started with a simple corporate network, and no remote networks at all. Blueprints, schedules, and finance documents were physically taken to the site, and communication was over the phone. Over time small networks were established at construction sites to better facilitate communication. This consisted of remote connection back to corporate to transfer documents or basic application use. These networks would contain a basic firewall/router, a switch, a few PCs, and a server. Security on these networks were simplistic as well. Harden servers, AV on machines, and secure connections between corporate and jobsites. This methodology sufficed until recently.
The adoption of wireless networks, cloud-based technologies, and specific applications changed everything. Wireless networks allowed non-corporate owned machines to join the network. Cloud technologies bypassed HQ, and construction specific applications pushed to mobile devices. This created a significant impact on construction networks that led to a greater need for the adoption of cybersecurity.
Today, specific construction management software, such as ERP systems and tool management software, have shifted to a cloud architecture model. This means construction plans, customer data, and construction technologies in general are no longer relegated onsite, on a hard drive, or even on servers at HQ. This creates a challenge for modern construction networks, because the data is no longer centralized. Because data for a particular job may live in the trailer, at HQ, on a hard drive, in the cloud, with a multitude of software providers, or with third-party contractors, construction IT leaders now have to secure multiple systems, sites, and datapoints. Many of which the IT department has no control over.
This shift means IT leaders need to focus not only with on premise tech, but mobile technology as well. Traditional rigid network architecture must now adapt to:
– As-a-service, cloud-based software
– Remote file shares, storage, and data sharing technologies
– 3rd party security policies
– BYOD (Bring you own device)
– Mobile phones, tablets, and laptops
To tackle this challenge, a construction organization should determine the IT needs of the organization, how these needs are changing data storage and processing, and the risks associated with this new landscape. After risk assessment, an organization can better plan for tactical measures (people, process, technology) to safeguard the modern construction network.
Security Risks Impacting the Modern Construction Network
This modern construction network shift comes with a new perspective. IT leaders need to reevaluate where their data resides, types of threats, and the positive impact they can make by securing the organization. Once an organization does that, they can better understand tactical steps to secure the network.
Security for construction companies starts with the data. Traditionally, data used to live in a few places, primarily at HQ and on a server in a construction trailer at the jobsite from time-to-time. This network architecture relied on connecting to a server, either at the job site or back at the home office. This dynamic has changed. Now, data is no longer aggregated in one place or managed by the construction company. Data lives in the cloud, on mobile devices, and with third party vendors as a result of advancements in Construction ERP Systems, Tool Management Software, Construction CRM software, and Building Information Modeling (BIM) software. These advancements have created efficiency and workflow automation, but often at the expense of data aggregation. Not only is there more infrastructure to manage, but there are new risks to consider. Data security no longer happens in one place and network traffic does not go to the same spot. One security approach to data security may not suffice.
Risks to the construction network center are not just with data security, but productivity, availability, and from people. Beyond the integrity of the data, organizations also need to focus on the impact that security can have on productivity. Nuspire has found botnet activity on 1 in 20 new customer networks, which can take up to 60% of a network’s bandwidth. Customers with botnets often have trouble downloading files from the cloud, communicating with tablets and other mobile devices, and connecting back to corporate. This risk impacts job site productivity, the ability to coordinate resources, and the goal of getting the job done in time.
Network availability is also a security concern. Construction organizations need to connect to multiple sites, devices, applications and cloud services. When any one of these links become unavailable there is a tangible impact on performance, timing, and logistics. Construction customers who have experienced threats, such as ransomware understand the impact it can have on scheduling, collaboration, and resource availability. Beyond the financial impact of ransomware, there are real impacts that data availability can have on a construction project.
Another risk for construction companies to consider is the risk from people. Construction networks are unlike many corporate networks. Corporate networks tend to be static, users and user counts predictable, and the network resources under control of the organization. Construction networks are dynamic and have a multitude of different people joining the network most often with devices not under control of the organization. More than any other industry, construction networks need to tackle high turn over issues, BYOD, and third-party network access. These issues present larger risks than other organizations. These risks can impact data security, network availability, and process/procedures for securely managing the network.
What to do
After IT leaders understand the shift in the technology landscape, and risks to the corporate network, you can start to have an immediate change. The best approach is to find the data, gain visibility, identify threats, and start where you have the biggest impact.
Finding the data and gaining visibility is often more difficult than it sounds. To find the data, organizations often need to start on business practices. Where are jobsites located? Is there a network there? Who uses construction applications, and how? Sometimes the best course of action is to job shadow at a construction site. From there you can determine who is using data, and where it is going. The answer to those questions may not be direct employees using data on company servers. Often the data is transferred through cloud applications directly to end points. Those end points often are owned by contractors. In this instance, looking on servers at HQ isn’t the best approach. A more practical approach might be to determine that data resides in multiple places, used by multiple parties, and in non-traditional ways.
Once you have found the data, you must gain visibility. Although data resides in a variety of locations, it doesn’t mean that it can’t be monitored. There are many technologies and partners who can assist with visibility into data not traditionally found on corporate owned hard drives. Once you have that technology to monitor the data, you need to aggregate mounds of data to gain visibility across multiple technologies, in one place. In this instance, the challenge isn’t necessarily the aggregation of data, but the volume of the data itself. Over the course of a month, events on a construction network could easily surpass one million individual events to monitor. On average, only 0.000017% are actionable security events. The challenge of gaining visibility comes down to how to find data sources, aggregate those sources, and then find the 20 or so threats hidden in millions or billions of events.
Because this is such a huge challenge, many organizations will need the help of trusted providers that often have the resources, experience and expertise not found in the construction industry. Managed Security Services Providers often have the technology needed to gain visibility and perform security monitoring and use this visibility to baseline activity, find anomalous activity, and uncover hidden threats.
Weather going with a partner, or trying to monitor security events on your own, the critical step is to gain visibility. That way security events can be monitored, and threats remediated. The best way to find those threats is to know what to look for by anticipating threats to your data.
Anticipating threats to your data requires expertise and experience. Identifying the types of threats that present the highest probability of risk is the best approach. Instead of focusing on a specific vulnerability or event signature, focus on higher level threats to the data. For example, if your data is primarily housed on an endpoint, ask yourself, what if that device is compromised, stolen, or unavailable? This outlook will better prepare you to understand what you’re looking for after you gain visibility. For example, if your concern is compromised endpoints you can look for indications of compromise with an endpoint detection and response solution. This would be a better solution to anticipate threats than worrying about monitoring specific vulnerabilities on corporate printers. The thought process isn’t what not to do, but where to start first. In this case, securing the endpoints would have the most impact, and may be the best place to start since that is where you could reasonably anticipate the biggest risk impacting your network. Many organizations perform regular security reviews to determine risks, security trends, and changes to the corporate security posture that may have the biggest impact.
Start with impact
Deciding where to start comes down to where you can have the biggest impact first. In the example above, starting with the endpoints would provide a better impact than monitoring printers at HQ since most of the data, and potential threats reside with endpoints.
The starting point for many organizations is designing the processes and procedures to secure against the human element. Human error is often the start of a security event. Starting with training, awareness, and education may be a company wide effort that encompasses more than just IT. The focus may not even be on individuals from your own company. Third-party access is an important topic in the construction industry. Construction companies rely on contractors, specialists, and partners to get the job done. In order to accomplish the job, these individual often need access. Training, policies, and procedures intended for the internal organization often need to be extended to third parties as well. These parties have a significant impact on the company, job, and overall security of the organization.
Example of a plan in action:
To put all of this in perspective. Let’s take an example of a medium-sized construction firm specializing in senior home care. Traditionally, most data, such as designs, project plans, and scheduling was stored on a server at HQ. This data was primarily accessed by a small group of admins in the organization and accessed by the job site managers through a PC at the construction trailer, via VPN. Traditional security was achieved through Anti-Virus on the corporate server and a secure VPN tunnel from the job site to corporate HQ. However, over the last year the company’s scheduling system and project planning software migrated to a cloud-based construction ERP system. Project designs moved to a Building Information Modeling (BIM) software housed in an instance of AWS. The construction CISO now needs to shift their security strategy.
Because of this shift in technology, the traditional model of securing access through a VPN to a server is no longer viable. That data, which used to be stored onsite, is now in the cloud and on endpoints. Access is no longer just a couple of admins, but a wide range of employees and contractors.
Using the recommendations in this document, the CISO implements the following steps:
- First, the CISO documents where the data is stored to determine where to gain visibility. Most of the data is no longer onsite. Because this data is now accessed by a wider group of people, data resides on a larger number of endpoints out in the field.
- Next, the CISO chooses an endpoint detection and response (EDR) solution to monitor and record events on the company endpoints. They also contract with a managed detection and response (MDR) provider to monitor this traffic as well as traffic on their AWS instance. The CISO has now gained visibility into a large portion of their data.
- The CISO realizes that threats to that data include not only data compromised from external threats, but also from internal access now that multiple people have access. The CISO realizes the significant impact that could be made around employee and vendor security training and awareness. CISO holds regular security training sessions reviewing security policies that include access, authentication, and acceptable use policies.
- The CISO works with their MDR provider to explain their corporate policies, and to alert on any deviation from these policies. The MDR provider is also instructed to alert the organization of any anomalous traffic that is out of the normal network or endpoint traffic behavior. The CISO formally documents procedures and playbooks in the case of a security event, and trains staff and vendors appropriately.
At this point the CISO has quickly adapted with the changes within the construction company. The CISO has identified where the data now resides, determined threats to that data, and implemented technologies, processes, and procedures that have the greatest impact to improve their security posture in short order. The result is better security quickly adapted to the changing IT landscape at the construction company.
Eventually, this becomes more complex with further adoption of cloud applications, BYOD, and third-party access – which is common in today’s construction environment. But the process still holds true; find the data, determine the risks, decide impact.
We’ve seen a significant shift in the construction IT landscape recently. Networks that used to rely on a couple of servers, VPN connections, and a simple construction site network are now more complex. Cloud applications and collaboration tools are driving new capabilities. This change necessitates a new approach to cybersecurity. Data is no longer in one place, more people access this data, and the data does not flow through one network. To tackle this complexity, security leaders need to change their approach to evolve and adapt quickly to technology changes. While the task may be complex, the approach can be simple.
First, organizations need to reevaluate where their data resides, understand the risks your organization faces, then start with an area that has the largest impact.
Most construction companies cannot do this alone. Security talent is scarce in the market, experience is limited, and technology is costly. Most organizations will rely on strategic vendors or partnerships to help fill gaps. Many companies turn to experts to establish frameworks, best practices, processes, and procedures. Others look to vendors to provide visibility, monitoring, and remediation support and some look for integrators to help select technology, train the staff, and provide ongoing support when needed. No matter your approach, look for outside support when you discover gaps in capabilities or resources.
Over time, construction technology will continue to evolve. As this happens security leaders will need to evolve with the business. Though data storage and transport mechanisms will change, it will still need to be monitored. Though risks will change, they will still need to be addressed. The business will change, it will still need to be supported (and secured). A practical approach to securing a changing construction technology landscape will be imperative as the construction technology landscape continue.