At the end of April, just as St. Ambrose Roman Catholic Church in Brunswick, Ohio, neared the close of a five-month-long, $5.5-million renovation, Father Bob Stec, the parish pastor, was surprised to hear that the contractor, Marous Brothers Construction, Willoughby, Ohio, had not received a $1.7-million payment.
“We were paying our bills. At some point somebody was able to get into our email system and in the course of that, changed the routing numbers for the wire transfers,” the pastor told local reporters. The $1.7 million disappeared.
The story follows a typical pattern of cybercrime impacting construction, starting with the use of email to divert funds, which vanish. But it also fits a pattern of victims declining to share details about how it happened. Neither Stec nor Marous Brothers responded to multiple requests from ENR to recount what happened. Most construction victims of cybercrime, including Turner Construction Co.—which had sensitive personnel data stolen in 2016—offer limited descriptions of the incidents and stress the steps they have taken to remediate. To be fair, the Federal Bureau of Investigation is on the case of the church building fund loss in Ohio, which means all parties have been told to clam up. But when it comes to spreading the warning to others, secrecy often prevails.
Contractors, construction managers and owners worry about cybercrime, and with good reason. Their complex projects, with myriad data exchanges among partners and subs, regulators and suppliers, software and systems—and now the internet of things—are tempting targets for hackers. The specific risks are too many to name and evolve constantly. They run the gamut from stolen or locked data to financial theft, sabotage, and destruction of hardware and equipment.
“Hacking is not just something happening in a distant land or like it is in the movies,” says Greg Young, vice president of cybersecurity at computer security firm Trend Micro. “Hacking today is not just getting free long-distance calls, it’s all about money.”
“They do not realize how precarious their situation is.”
– John G. Voeller, Retired CTO and CKO, Black & Veatch
Young says that many hackers are trained for cyberwarfare by state-sponsored agencies and then go into business for themselves. “These guys are not paid well, so they go off at night and do ransomware, they do for-hire work. If someone wants something to fail, it’s easy to hire super capable hackers,” Young says.
Phil Weaver, senior director of IT at Warfel Construction, a construction firm with 230 employees and $235 million in revenue based in East Petersburg, Pa., thinks the industry is unprepared. “I don’t think GC’s and CM’s are worried enough about the impact a cyber incident can have,” he says. “I think there is just a lack of understanding or realization that it can happen to us.”
John G. Voeller, retired senior vice president, chief technology officer and chief knowledge officer for Black & Veatch, has a very big picture view, having been drafted over the years by think tanks and the government to help scope risk to critical infrastructure. And from where he sits, the view is bleak.
“Some construction executives are worried, but too large a number of them do not understand the situation well enough, and their risk managers are too often not technical enough, or connected to their [chief security officer] strongly enough, to really see how many holes there are in their dike—and how few thumbs they have that are effective,” Voeller says. “They do not realize how precarious their situation is.”
Voeller points to the growing activity of state actors and cyber warfare agents, whose tentacles are infiltrating industries and utilities, and whose actions are beginning to move from disruption to outright destruction.
At the moment, many security experts are focused on phishing attacks like the one at St. Ambrose and their potential to put companies out of business. “Phishing is the biggest risk because there are many financial transactions conducted over electronic communications,” says Everardo Villasenor, construction IT leader and chief information security officer at DPR. “Cyberattacks occur where there are bigger opportunities for financial returns.”
David Sheidlower, chief information security officer at Turner, notes the FBI reports that more than $1.2 billion was lost to email-centered crimes against businesses in 2018. “So, we know the risk is real,” Sheidlower says. “That’s why Turner devotes such a high level of attention to raising awareness of the risks among our employees and our partners.”
A cybercrime is often a trigger to action. In March 2016, a Turner employee fell for a phishing email and sent tax information on current and former employees to a fraudulent email address. “We notified federal, state and local law enforcement and involved legal, law enforcement, information technology and security experts,” says Chris McFadden, vice president for communications. “We secured identity monitoring services at no cost to all impacted employees, including their spouses or partners, for an original term of ten years. Since then, we expanded coverage to all Turner employees, who now have access to identity protection services, which are designed to recognize signs of unauthorized use of personal information and help our people respond.”
Turner also has put in place an employee resource site with answers to commonly asked questions, data security tips and links to training material and available external resources on the subject of cybersecurity and protecting personal information. The company also has a cybersecurity awareness outreach program for companies it does business with to arm them with information.
“I don’t think we know the size of the threat because it’s not properly recorded.”
– Everardo Villasenor, CIO, DPR
Security consultant Scott Takaoka, a vice president at Aon Cyber Solutions, says wire fraud incidents, like the theft of payments, often begin with hackers picking through stolen Gmail or Yahoo credentials, which can be bought in bulk on the dark web.
Takaoka says hackers use those credentials to peruse accounts and to find people mingling business with personal email, and sometimes using the same login credentials for both, which can let hackers into corporate email systems. Takaoka says hackers play a long game and research target individuals on sites like LinkedIn to suss out corporate hierarchies and identify people likely to be approving transactions.
“They will watch and monitor and wait for the right time,” Takaoka says. “To some extent they have to have the context of the transaction, but once they understand the context, they know when to strike.”
He says the emails that trick people into clicking on malicious attachments or links, or into rerouting payments to bogus accounts, often appear to be genuine and from people the victim is accustomed to dealing with. They also may come at just the moment a transaction is expected to occur—in the right context—with a message about the recipient having a new account number, and asking to route it there.
Takaoka says such phishing emails often show up late on a Friday afternoon when those who might verify the information can be expected to have left for the weekend, so the victim takes the bait and wraps up his or her workday by clicking “send.”
Says DPR’s Villasenor, “basically, someone is vulnerable and gets hacked, and you didn’t even notice. And all of the sudden you have someone in between. It’s very lucrative. They get in the middle and say, ‘By the way, we changed our account, can you send it to this one?’ Companies can even go out of business when they are victims of this.”
“I saw this kind of action first take place in real estate transactions with escrow accounts,” Takaoka says. “Then I saw that same play happening with heavy machinery—especially in international transactions with high transaction dollar amounts.” With high stakes like that, hackers are willing to invest the time to watch and find the best time to spring, Takaoka says.
The most sinister variant of phishing emails are not fake emails from outside servers disguised to look genuine — spoofs — but emails from genuine accounts that have been hacked. “It’s a hack, versus a spoof,” says Danielle Roth, a cyberclaims manager with AXA Catlin, a division of AXA XL Insurance. “Microsoft Office 365 mailboxes are controlled by password and credentials, and if a hacker can get that, they can use that to actually gain access from someone’s account. The email will look correct—and it is correct—but it is controlled by someone who is not the user.”
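Roth's distinction matters for detection: a spoof can be caught on the envelope, but a hijacked mailbox passes every authentication check, so the request itself has to trigger verification. The script below is an added example, not code from the article or from any firm quoted in it. It assumes the mail gateway stamps a standard Authentication-Results header (SPF/DKIM/DMARC) and that accounts payable keeps a list of domains its vendors send from; all three messages and every domain in them are constructed.

```python
"""Triage of vendor emails: spoofed sender versus hijacked genuine account.

Added example, not from the article or from any firm quoted in it. It assumes the
mail gateway stamps a standard Authentication-Results header (SPF/DKIM/DMARC) and
that accounts payable keeps a list of domains its vendors send from. All messages
and domains below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains from which legitimate vendor invoices are expected.
KNOWN_VENDOR_DOMAINS = {"example-builders.test"}

# Wording that typically accompanies a request to redirect a payment.
BANK_CHANGE_PATTERNS = [
    r"\bnew (bank )?account\b",
    r"\brouting number\b",
    r"\b(updated|changed) (our )?(wire|bank(ing)?) (details|information|instructions)\b",
]


def auth_result(msg, method):
    """Return the spf/dkim/dmarc result recorded by the gateway, or None if absent."""
    header = msg.get("Authentication-Results", "")
    m = re.search(rf"\b{method}=(pass|fail|none|softfail)\b", header)
    return m.group(1) if m else None


def triage(raw_message):
    """Classify one message as 'ok', 'suspicious' or 'hold', with the reasons."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    reasons = []

    # Header checks catch a spoof: the sending domain fails authentication
    # or replies are steered to a different domain.
    if from_domain not in KNOWN_VENDOR_DOMAINS:
        reasons.append("sender domain is not a known vendor")
    dmarc = auth_result(msg, "dmarc")
    if dmarc != "pass":
        reasons.append(f"dmarc={dmarc}: sending domain not verified (likely spoof)")
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain differs from From domain")

    # A hijacked genuine mailbox passes every header check, so the content
    # of the request has to trigger out-of-band verification on its own.
    asks_bank_change = any(re.search(p, body, re.I) for p in BANK_CHANGE_PATTERNS)
    if asks_bank_change:
        reasons.append("requests a change of bank details: confirm by phone with a known contact")
        return "hold", reasons
    return ("suspicious" if reasons else "ok"), reasons


# Constructed samples: a spoof, a genuine-but-hijacked account, and a normal invoice.
SPOOFED = """\
From: Billing <billing@example-builders.test>
Reply-To: billing@mail-relay.test
Authentication-Results: mx.test; spf=fail; dkim=none; dmarc=fail header.from=example-builders.test
Subject: Updated wire instructions

Please use our new bank account and routing number for the final draw.
"""

HIJACKED = """\
From: Billing <billing@example-builders.test>
Authentication-Results: mx.test; spf=pass; dkim=pass; dmarc=pass header.from=example-builders.test
Subject: Final draw

We have changed banks. Please send the final draw to our new account; routing number below.
"""

NORMAL = """\
From: Billing <billing@example-builders.test>
Authentication-Results: mx.test; spf=pass; dkim=pass; dmarc=pass header.from=example-builders.test
Subject: Invoice 42

Invoice 42 for the April draw is attached for your records.
"""

if __name__ == "__main__":
    for name, sample in [("spoofed", SPOOFED), ("hijacked", HIJACKED), ("normal", NORMAL)]:
        print(name, triage(sample))
```

The hijacked sample is the case Roth describes: every header check passes and the only reason it is held is the request to change bank details. That is the point of the design: the payment-change rule fires regardless of how authentic the message looks, and the header checks only add evidence for the spoof case.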
How Bad Is It?
Cybersecurity vendor Symantec, which claims to have the largest civilian threat-intelligence network in the world, issued its latest global internet security threat report on Feb. 20. The annual review finds that attackers are enhancing proven tactics, including spearphishing, hijacking legitimate software tools and distributing malicious email attachments. Ransomware infections—which make data unreadable—of individual computers are trending down, but enterprise ransomware attacks were up by 12% in 2018, “demonstrating ongoing threats to organizations,” the security vendor says in the report.
Theft drives most of the action, with the diversion of electronic payments to bogus accounts creating a significant threat for construction, the report states. The Symantec data reveals that one out of every 39 construction industry email users gets targeted by phishing, but the rate of phishing emails in construction is only one out of every 3,960 emails, which suggests it is being used selectively and with specific individuals in the crosshairs—spearphishing.
Symantec reported that one out of every 382 emails exchanged in the construction industry in 2018 had malicious content, but attackers are trending away from embedding malicious URLs in favor of malicious attachments. The company found that Microsoft Office files accounted for 48% of the malicious email attachments tracked by its telemetry in 2018, up from 5% in 2017, and notes that small companies are most at risk from malicious content.
Another technique expanding rapidly is “formjacking,” in which malicious code infiltrates a web server used for collecting form data for financial transactions. The malware skims the account and payment information. Although primarily used to attack the retail sector, it is increasingly being seen as potentially jeopardizing any supply chain.
Symantec also found a growing interest among attackers in compromising operational and industrial control systems, “with the potential for sabotage,” its report said.
“I don’t think we know the size of the threat because it is not properly recorded,” says DPR’s Villasenor. “I think the number of incidents is increasing, increasing risks to companies and projects.”
Security vendor Sophos, which specializes in endpoint detection and response (EDR) technologies, commissioned a global study by an outside research firm, Vanson Bourne. It surveyed 3,100 IT managers across the globe in December 2018 and January of this year, including 203 in the construction sector. It found that 68% had been victims of cyberattacks in the previous year—meaning they were unable to prevent the attacker from entering their networks and endpoints—with larger organizations seeing more attacks (73%) than smaller ones (63%).
The researchers suggested that there are two likely reasons for the difference: Larger companies are considered to be more lucrative targets, or larger organizations are just more aware that they have been hit and more likely to have the resources to detect and investigate.
“Patching vulnerabilities is really the easiest way not to be the low-hanging fruit.”
– Danielle Roth, Cyber Claims Manager, AXA Catlin
The study also found that most threats were discovered at the server level. It noted that modern attacks tend to start at the endpoints and move to the servers, the more high-value target, and if the attacks were being detected there, “it suggests a lack of visibility into what is happening earlier in the threat chain, as well as endpoint security gaps.” When respondents were asked how long the most significant cyberattack they had been hit with dwelled undetected in the system, 1,744 responded, and the average dwell time was 13 hours.
The researchers acknowledge that the 13-hour average is at odds with other data-breach investigation reports, such as Verizon’s, which found that 68% of data breaches take months to discover. But they suggest the difference may be that their respondents, most of whom detected the intrusions at the server level, might simply be unaware of the full scope of their problems. It found that 17% of the IT managers didn’t know how long the threat had been in their environment, and 20% didn’t know how it got there.
DPR’s Villasenor says the sophistication of attacks and the inclusion of artificial intelligence takes threats to a new level, and keeping employees’ cyber awareness knowledge current is a continuing challenge. He also warns that the increase in state-sponsored attacks has the potential for wider disruptions.
“AI is interesting,” says Weaver. “It’s a new threat vector, but also can be leveraged to help in the cybersecurity fight. You need to try to guard against them all, [but] most of the threats we see are still social engineering based.”
What To Do
Aon’s Takaoka says a security assessment should come first. “Understand and have a third party come in and provide some guidance, based on your business [and] the size of the company, and come up with recommendations around the biggest areas of weakness,” he says. “Construction companies need to consider remediating these areas and do it in a risk-based fashion. It’s mostly about reducing the opportunities for damage, not eliminating them, and being ready if it does happen.”
Takaoka says contractors should make sure the basics, such as updating software, enforcing password policies and restricting approval rights and administrative privileges, are executed. “You stop forwarding emails to the outside, which is very simple and it doesn’t cost.” He also adds that they should get cyber liability insurance, “and if you work on anything, work on your backups. Make sure you have a good backup, retain a good incident-response provider and consider retaining outside counsel.”
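Takaoka's "stop forwarding emails to the outside" is a control that can be audited as well as enforced: a forwarding or redirect rule that sends a mailbox's traffic to an external address is one of the things incident responders look for in a compromised account. The script below is an added example, not code from the article or from any vendor; the rule records are a constructed stand-in for an export of mailbox inbox rules (the field names mirror the Exchange Online attributes ForwardTo, RedirectTo and ForwardAsAttachmentTo, but the mailboxes, names and addresses are made up).

```python
"""Audit mailbox inbox rules for automatic forwarding to external addresses.

Added example, not from the article or any vendor. The records below are a
constructed stand-in for an export of mailbox rules; the field names mirror
common Exchange Online rule attributes, but every value is made up.
"""
import re

# Constructed: the domains the company itself owns.
INTERNAL_DOMAINS = {"contractor.test"}

# Rule actions that send a copy of, or divert, incoming mail.
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")

# Constructed sample export: one benign internal rule, one external redirect
# with a deliberately inconspicuous name, and one disabled leftover.
SAMPLE_RULES = [
    {"Mailbox": "ap@contractor.test", "Name": "Archive invoices", "Enabled": True,
     "ForwardTo": ["archive@contractor.test"], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"Mailbox": "cfo@contractor.test", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["cfo.backup@freemail.test"], "ForwardAsAttachmentTo": []},
    {"Mailbox": "pm@contractor.test", "Name": "Old rule", "Enabled": False,
     "ForwardTo": ["x@outside.test"], "RedirectTo": [], "ForwardAsAttachmentTo": []},
]


def domain_of(address):
    """Extract the domain from 'Name <user@host>' or a bare 'user@host'."""
    m = re.search(r"@([\w.-]+)>?\s*$", address)
    return m.group(1).lower() if m else ""


def external_forwarding(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per enabled rule action that sends mail outside internal domains."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", False):
            continue
        for field in FORWARD_FIELDS:
            for target in rule.get(field) or []:
                dom = domain_of(target)
                if dom and dom not in internal_domains:
                    findings.append({
                        "mailbox": rule["Mailbox"],
                        "rule": rule["Name"],
                        "action": field,
                        "target": target,
                        # A rule named with a single character or blank is easy to
                        # overlook in a mailbox's rule list, so flag it for review.
                        "low_visibility_name": len(rule["Name"].strip()) <= 1,
                    })
    return findings


if __name__ == "__main__":
    for f in external_forwarding(SAMPLE_RULES):
        print(f"{f['mailbox']}: rule {f['rule']!r} {f['action']} -> {f['target']}"
              f"{'  (inconspicuous rule name)' if f['low_visibility_name'] else ''}")
```

Run against the real export, this lists every enabled rule that pushes mail off the company's domains; the disabled rule is skipped because it cannot act, but a periodic review should still remove it. The tenant-wide companion to this audit, as Takaoka describes, is to turn off automatic forwarding to external domains altogether so that new rules of this kind cannot take effect.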
Clients will gain confidence in contractors who manage cyber risk well, Takaoka adds. “That’s the reason you do that assessment by a third party, and share the results—which is basically a review of your processes and controls—and you provide that to the client. Either have that assessment done yourself, or expect that as time goes on customers are going to have third party assessments done of you.”
Turner’s Sheidlower says many owners have robust cyber risk management programs and review Turner’s cybersecurity protocols, which he says “mitigates the risk of attack on systems and information through a comprehensive approach to the technical, physical and administrative controls—coupled with training and policies that serve to raise awareness on a range of issues amongst the people who access and control the flow of information.”
Sheidlower adds that controls are available to firms of all sizes, and those include staying current with updating software patches, requiring multifactor authentication and installing anti-malware software on all endpoints.
“Contractors should emphasize identifying information assets, finding vulnerabilities, employing protective and detective controls and, finally, having a plan for responding to incidents in an effective manner,” Sheidlower says.
“On the tech side, patching vulnerabilities is really the easiest way not to be the low-hanging fruit,” adds AXA’s Roth.
When asked if large operations have a better shot at secure operations than small and medium-sized contractors, responses varied. Voeller’s quick observation was “obviously not when the largest in the world have been hacked and damaged, from Lockheed to Google to Facebook to the NSA.” Disaster recovery service vendor Unitrends claimed that security is attainable with the right tools.
In its description of services, Unitrends recommends a multilayered approach, but claims that “adding multiple layers to cybersecurity may look like you are adding many man-hours of labor to your already overworked IT department, [but] that does not have to be the case.” It says multilayered solutions can run and report findings automatically. “The only additional labor required is when a negative finding is discovered. Plugging an open security hole is labor you should be happy to invest,” the company says.
“The biggest issue I see here is small and medium-sized businesses don’t have the capital to properly address these issues, until they have a breach,” says Warfel’s Weaver. “For many SMB companies, they are much safer in the cloud than in their own environment,” he says, adding, “We are one of the SMBs I am talking about, but I like to think we are at least trying to do it right.”
DPR’s Villasenor says “Cybersecurity is scalable if companies start with simple controls and evolve with a good strategy. An evolving cybersecurity practice requires more investment, but based on the cyber threats, the ROI is there. Companies of all sizes have the opportunity to succeed on securing operations.”
“If you don’t have comprehensive security awareness and training, you are a sitting duck.”
– Phil Weaver, IT Director, Warfel Construction
Villasenor says DPR—a contractor with $6 billion in revenue and nearly 6,000 employees—uses collaboration platforms offered by service providers operating in compliance with privacy and security standards, including NIST, ISO-27001, CSA, HIPAA, SOC and others. He says contractors need to adhere to cybersecurity best practices, such as those promulgated by the Center for Internet Security, a nonprofit that “works to identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace,” according to its mission statement.
Villasenor recommends starting with the first six of CIS’ top critical security controls, which include making an inventory and securing control of hardware and software; continuous vulnerability management; controlling the use of administrative privileges; securing the endpoints; and maintaining, monitoring and auditing network activity.
But Villasenor adds, “You have to enforce cyber awareness training. One of our biggest threats is our own people. They can become victims very easily.”
DPR uses a third-party security awareness training service, Proofpoint, also known as Wombat, for training software and materials, but schedules and runs its own sessions in house. Wombat’s tools include a phish alarm button that email users can click to automatically report suspicious email to IT; they also include a system to check whether the sender has already been vetted and added to a whitelist of trusted sources, which can save IT from being inundated with false alarms. Phishing can also be reported directly to Microsoft 365, Villasenor says. “They react very quickly. The best thing is to always report such incidents.”
“You are only as good as the weakest link,” notes Weaver. “It’s why so many of the megabreaches you read about started with a third party connection. People, processes and technology: I always oversell the people side. You can have the best controls in place, but if you don’t have comprehensive security awareness and training, you are a sitting duck.”
But Black & Veatch’s Voeller points out that addressing unsafe personnel practices is not a simple matter. People change jobs and there is no motivation or reward for dealing with the drudgery of methodically cleaning up their digital traces.
“In the future, people using data will be bonded in the same manner that we bond people handling money,” says Voeller. “As you hear the calls for regulation, be aware that I have been campaigning with major cyber leaders for major data holders and creators to be treated as regulated utilities in the same manner as power, water and telecom. It is an essence of life, just like water, power and communications. Credentials will follow.”
Insurance broker Aon produced a U.S. Construction Industry Risk Outlook Report in February that claims cyber insurance options for construction are improving and, from the contractor’s standpoint, it is a buyer’s market.
The Aon report suggests “this is a good time to lock in baseline competitive pricing before any hardening of pricing occurs.” It says many construction-related firms are purchasing their first cyber policies because they are implementing technology to stay competitive and drive revenue, or are contractually obligated to have coverage, or their boards of directors are requiring it.
The report notes the ironic benefit that, despite the construction industry being hit with more ransomware leading to complex network business interruptions and rising incident response expenses, the resulting claims and loss data is leading to expanded coverage offerings and improved actuarial data for loss modeling purposes. “The stratification of risk enabled by improved data and analytics leads to better outcomes for the best specific risks,” the report states.
The report says this has led to average premium rates for cyber insurance dropping, on a year-over-year basis.
Takaoka says the end result is that “in ransomware situations there seems to be plenty of coverage. [Insurers] will pay ransom, and it’s pretty well known, but with wire fraud, it kind of depends.”
“Cyber insurance is a great risk transference tool,” says Weaver. “It comes in very handy if you have an incident. There are many regulation, notification, legal, and fine costs. Also, it provides you with training, policies and resources to prevent an incident.”
But looking across the whole construction industry, sources have a bleak view of the industry’s level of cybersecurity maturity, to borrow a term from Aon’s Takaoka.
While DPR’s Villasenor is confident that his company’s processes are performing well, on a scale of 1 to 10, he gives the industry as a whole dismal marks. “[Construction’s] cybersecurity score is low, perhaps 3 on a 10-point scale,” he says. “Many firms see cybersecurity as slowing operations or a high overhead cost versus perceived return on investment. Unfortunately, it has taken serious incidents for firms to truly understand the threat.”
Warfel’s IT director Weaver was even less sanguine. “Two,” he says. “I think it’s worse than most people know.”
By Tom Sawyer, with Jeff Rubenstone