The 5 Critical Cybersecurity Steps Construction Companies Should Be Taking

As the construction industry continues to modernize and digitize its practices and data, the more important its cybersecurity measures become. However, the industry has been characterized as slow to institute adequate cybersecurity protocols, and data show it’s the top industry targeted by ransomware attacks. Why is construction a popular target? Because:

1. The industry hasn’t been required to follow the stringent types of data security and privacy laws we see in financial and healthcare spaces.
2. Many in the industry are using artificial intelligence (AI), machine learning (ML) and robotics, which require a much higher level of security controls.
3. The construction industry offers a lucrative target for the bad buys because it deals with a lot of confidential and proprietary information, such as employee information, financial accounts, project details and other sensitive information.

So what to do about this growing threat? Here’s a five-step process to help construction organizations identify gaps and establish a stronger security program.

Step One: Get Visibility

In order to protect your network, you need to understand its entire footprint, including IoT and employee devices. Get an inventory of everything connected on your construction company’s network, externally and internally. Understand what kind of traffic is being generated to and from your various endpoints.

Step Two: Identify

This step is all about identifying your assets and assessing your vulnerabilities. Think about your assets and data. As your construction organization’s network perimeter becomes more fluid, there may be in-office and in-the-field assets that aren’t visible or secured, making them potential targets. You will also need to identify what kinds of data you have and what assets have access to that data. Our recommendation is to start with all fixed and mobile endpoints.

Look at your risks. Consider traditional, human, environmental, quality and vulnerability risks that include all IT and equipment network configurations. Construction companies typically work with a lot of third-party vendors, and all of those need to be factored in. Risk assessments are valuable here, and you can often find a security partner like an MSSP to help you do it.

Review your requirements and security frameworks. Identify information needed for audits from sources such as your construction company’s executive management, auditors, internal policies, industry regulations and your board of directors. Choose a security framework that aligns with these requirements and covers basic security activities: identify, protect, detect, respond and recover.

Step Three: Plan

Having a thoughtful, cohesive plan keeps everyone in your construction organization on the same page, decreases stress and helps you manage security more confidently.

Look at security monitoring. Are you using a dedicated staff or a managed security services provider (MSSP) to monitor and manage your construction company’s gateways, IT/OT networks and endpoints? Either way, make sure you require 24x7x365 security monitoring to help identify normal versus abnormal behavior and potential malicious activity.

Determine how you will detect threats and manage them. Consider how frequently your construction organization’s detection capabilities evolve. Attackers shift tools and tactics continually, so your detection methods also need regular updating. This is where managed detection and response (MDR) services could be valuable in helping you augment your detection and response capabilities. If you plan to work with an MSSP, ask about their cybersecurity experts, experience and detection technologies.

You’ll also want to develop an incident response (IR) plan that details how security breaches of your construction organization will be handled. Include a variety of scenarios and matching responses.

An IR plan goes hand-in-hand with a disaster recovery (DR) plan, which specifies what actions will be taken before, during and after a disaster. We recommend including the following in your DR plan: roles and responsibilities for responders, communication procedures for employees and vendors, a detailed asset inventory and restoration procedures, and data backup procedures.

If you are breached, document if, when and how to shut down and restart operations. The last thing you want to do during an active attack is spend time figuring out how to pause operations.

Step Four: Implement

Establish a cadence for managing the various elements of your construction organization’s security program. Review your access controls – safeguard IP, technology, assets and production lines with appropriate controls for onsite and remote access. Consider solutions such as identity and access management (IAM), privileged access management (PAM), multi-factor authentication and endpoint detection and response for fixed and mobile devices.

Explore the use of intrusion detection systems (IDS) and intrusion prevention systems (IPS). IDS (monitoring) and IPS (control), combined with skilled security analysts, will help block and respond to network intrusions.

After you identify and list IT assets within your construction organization such as operating systems, software, machine control and other on-site devices, assign ownership to ensure regular patching. It’s important to follow a consistent patch management process to lower your risk of attack and breach.

Strong passwords are always an important way to reinforce your security controls. Introduce and maintain an employee process to ensure passwords meet requirements and are reset regularly. Consider additional security layers such as vaulting, rotation and reauthentication settings.

You should also make sure to segment the networks of different departments or groups and the IT network from the ICS network and demilitarized zones (DMZ). This allows IT to observe behavior and performance and apply security controls within segments. Segmentation also allows IT to block communications from suspect IP addresses, limit an attacker’s lateral movement, and keep proprietary information limited to need-to-know groups.

Finally, document your security policies. Spell out specific requirements within specific security categories. Consider policies that manage:

• Acceptable use
• Asset management
• Security incident management
• Access management

Step 5: Audit

Maintenance and fine-tuning of your security program is critical to keeping your construction organization safe. Maintain visibility of your entire network to help identify security events quickly, monitor malicious or anomalous behavior, and review security actions with context.

Revisit your process for identifying assets and endpoints and their security status. This can be a complex, time-consuming process, so it’s helpful to implement technology that tracks and monitors assets and endpoints to provide visibility and history.

Look at the policies you created and compare them to the performance of your network security. Are they aligned? If not, make any necessary adjustments. Finally, evaluate your security program performance against the threats you documented in the risk assessment. Be sure that risk factors identified in the assessment are eliminated or managed to your risk tolerance profile.
Like what you read? You can download this helpful guidance in our handy Construction Security Checklist.

At Nuspire, our mission is to make clients fanatically happy through a relentless pursuit of excellence. Let’s talk about how we can work together to provide a new, fresh and inspiring approach to closing cybersecurity gaps.