But even the NIST framework is not enough, says Lacombe, adding, "We're trying to move away from solely a compliance-oriented security approach to one that involves continuously monitoring the system for indicators of either a vulnerability, an attack or a performance issue that might demonstrate that there's something wrong. That is widely recognized as the means by which you will achieve the level of security required."

Security Is More Than Antivirus, Firewalls


Private contractors have even more tightening up to do than federal contractors. Joe Weiss, president of Applied Control Systems LLC, says some private contractors act as if cybersecurity compliance is required only at the handoff. "There is this thought, 'We're going to build what we're going to build, and, at the very end, we'll put in a firewall, and, therefore, we will have addressed cyber.' And the answer is, 'No, you haven't,' " Weiss says.


The view of cybersecurity as an IT issue that is confined to the office or company servers also does not work in the construction industry, Weiss adds. Computer-guided equipment and drones and even tampering with shared procedural or structure models on company servers can create significant issues. "If it's a large construction project, you're going to have large dump trucks and cranes, and a lot of those have remotely accessible controls," says Weiss. Industrial control-system vulnerabilities figure in worst-case scenarios involving power-grid outages and chemical-facility explosions, but, paradoxically, companies increasingly are connecting equipment to the internet to control it remotely or access sensors. Says Voeller, "If I want to do something that's going to cost you billions [of dollars] or I want to do something that's going to kill somebody, I'm going to change a crane rating or I'm going to change the time at which a certain set of motors are connected to the grid."

Most such operational technology is not built with embedded security, on the assumption that security will be applied once it is put on the network, says Britton. Unfortunately, securing the tools often is overlooked by IT departments, a lapse that Britton says can be resolved if departments communicate better.

Britton says due diligence requires an expert safety audit, thorough vetting of the tools and products in use, a security-first attitude and a well-tested emergency plan. But even if a firm does everything right, a breach is only as far away as an unpatched, previously undetected "zero-day" vulnerability in the tools, either in-house or in a cloud.

"In typical construction casualty underwriting," says Scott Rasor, head of construction underwriting at Zurich NA, "we talk about having nurse trailers on the jobsite, access to doctors and hospitals, [and] emergency response plans if someone gets hurt, material gets damaged or if there's a threat to the community. If I were on the board of a construction company, I would ask, 'What is our resiliency plan if somebody hacks our system? How are we going to get up and going?' That's something people can really understand and buy into," Rasor says. "After an attack is no time to be drawing up your resiliency plan."