The hardware tools that connect construction companies to the 'net, thanks to the Internet of Things, should be considered a threat, as well as a benefit, says Jayson E. Street, the vice president of InfoSec (information security) at SphereNY. Street recently told construction IT professionals at the Associated General Contractors of America's IT Forum in Chicago that they should address IoT downsides in addition to the two traditional threats to their networks: human and software vulnerabilities.
Street is a security professional companies hire to test and refine their own network security. The "white hat" hacker created the site "Dissecting the Hack" and wrote a book with a similar name ["Dissecting the Hack: The F0rb1dd3n Network"]. He has also spoken at at DEFCON, DerbyCon, UCON and other gatherings about network security.
Street talked about human vulnerabilities, such as spearphishing, and how it has become more sophisticated in that hackers take advantage of tragedies such as the Boston Bombing for access. Using e-mails that play on users' concerns with subject lines such as "Boston Bombing," they have moved on to subtler ways of creating backdoor links that don't even implore the user to click on them and merely look like news stories about tragic events.
A bigger threat to the construction industry, however, may be the software, heavy hardware, drones and construction equipment that general contractors are connecting to their networks to take advantage of the IoT. The benefits of the IoT are that any object or machine component can have sensors installed to monitor operating conditions, performance levels and/or physical states. Construction equipment manufacturers, including Caterpillar, John Deer, Komatsu, Hitachi, Topcon and Trimble, have all been developing this technology for more than a decade. Sensors, electronics, actuators and software collect embedded data and exchange that data via secure network connectivity.
The fact that the drone or excavator you use can now report back all of its findings, its working condition and maintenance logs, also means that the software it needs to connect to a general contractor's secure network also requires updates to stop it from being a hacker's back door as a non-human vulnerability. Any loosely written piece of code can become a vulnerability that hackers can exploit in the software, itself.
The more connected the equipment, the more important software updates and patches become to the integrity of a contractor's network. This can include updating software on equipment on hundreds of jobs on different continents, depending on the size of the construction company—no small task for IT departments that are already stretched thin thanks to an unprecedented level of work and the difficulty of finding qualified professionals.
While segmenting a network to limit vulnerabilities can work to isolate some risk, Street says the better approach is to monitor threats to equipment as well as the software that runs it, and patch and update as often as possible, although this will certainly lead to some groans from employees in the field, tired of seeing their equipment sidelined for updates. The human side of the equation also means IT departments must educate their executives, foremen and even laborers, on human and machine vulnerability threats, and just what is at stake every time they get that software update notification.