While most of the world has heard about the famous hacks of Target, Anthem and Sony, few have heard about what happened in 2013 to the Australian Secret Intelligence Organisation's new headquarters in Canberra. While it was being built, credible reports claimed, Chinese hackers had gained access to the digital files of a "prime contractor" and stole floor plans and other vital information related to data and communications systems. As pointed out in ENR's recent cover story on cybersecurity, the world knows little more than a skeletal account of what occurred.
And that's a problem at a time when engineers, contractors and insurers are still trying to gauge their potential exposure to cyber attacks. It's easy to understand the impulse by an individual company or government agency to squelch information about a security breach. But that reticence works against the group welfare by leaving an information vacuum.
The vacuum deprives the community of the battlefield knowledge it needs to fend off future hacks. Federal agencies are going to produce new regulations with the information they can scrape together. Yet insurers lack the datapoints they need to price the risks. And engineers and contractors only now are discovering the many "vectors" on which threats could arrive.
Costly, destructive electronic invasions are turning out to be the dangerous undercurrent beneath the wave of beneficial electronic change, and construction is unprepared.
Ask the IT chief of a midsize civil engineer or specialty contracting company, and you are unlikely to find much concern with a prolific malware such as Cryptolocker or its file-less offspring, Fessleak. They ignore them at their peril, for many hacks are directed toward small and midsize companies whose defenses are weak.
Construction's special challenges, including the prospect that networked control systems in cranes could be soft spots in otherwise well-protected systems, call for solutions that help the entire construction industry.
One immediate need is for a simple count of the number of security breaches and cyberattacks on design and construction firms. So far the claims are few and insurance data is proprietary. A national construction sector cybersecurity database, funded by industry, where the entries do not identify the victim company but provide salient details, could help fill in the blanks about the number of breaches and how they occurred, and what the damage was in terms of lost data, financial drain and the cost of remediation. From this information, the industry then could develop a picture of the total costs. Is there any reason not to go down this road?