By Eric Chuang and Ian Shapiro
Increasing infrastructure spending to the tune of $1 trillion was a core pillar of Donald Trump’s campaign for office, and a welcome refrain for the construction industry. Whether the new administration will deliver on this promise remains to be seen. Despite some cuts to the Department of Transportation in the administration’s first budget blueprint for fiscal year 2018, the White House reaffirmed a commitment to support the nation’s critical infrastructure in subsequent proposals.
With infrastructure investment still on the president’s agenda, one vital consideration remains largely absent from the conversation: cybersecurity vulnerabilities in critical infrastructure.
What are the cyber risks?
Cybersecurity risks associated with infrastructure projects have recently received attention at the federal level. In March of 2017, the Department of Homeland Security (DHS) issued a cybersecurity alert for critical infrastructure owners and operators outlining top cyber threats. DHS asserted that “any sector that uses industrial control systems (ICS)”—ranging from energy to manufacturing to technology—could be susceptible to cyber attacks. ICS automates industrial distribution and processes, and comprises hardware and software components integrated via the Internet of Things (IoT).
Critical infrastructure encompasses 16 sectors—several of which are within the scope of the construction industry, including transportation systems, government and commercial facilities, energy and defense industrial bases. A cyber attack on firms involved in the construction of critical infrastructure, sensitive government facilities, or even facilities for emergency management, public health or medical providers, could jeopardize those services. Hackers could glean potentially vulnerable information housed in construction firms’ databases, including proprietary employee data, sensitive client data, tenant personally identifiable information and non-public material information. Construction firms also house computer-aided design drawings and blueprints to sensitive buildings, which hackers can exploit to inflict physical damage.
Triple Threat: IoT, DDoS and PDoS
Cybersecurity vulnerabilities in the construction industry are compounded by growing industry adoption of cloud computing and the IoT. Smart buildings technology, such as sensor-enabled heating and cooling systems, can be physically compromised or provide an entry point to the larger corporate network. With increased connectivity, the security (or lack thereof) of each individual device impacts the whole system’s integrity. And because IoT devices fall outside the traditional scope of IT, they are often overlooked.
The top threats specific to physical infrastructure are distributed denial of service (DDoS) and the emerging threat of permanent denial of service (PDoS) attacks. DDoS and PDoS attacks aim to temporarily disable or permanently destroy technology—such as power grids, heating and cooling systems and internet providers—by overwhelming the targeted system with traffic, thereby disrupting the distribution and delivery of a service.
And then there is ransomware, another type of denial of service (DoS) attack that uses encryption malware, generally downloaded via phishing emails, to block user access to computer files, potentially permanently if the victim is unable or unwilling to pay the ransom for the encryption key. Ransomware attacks quadrupled in 2016 with an average of 4,000 per day, according to data from the U.S. Justice Department. The problem from a critical infrastructure perspective? Ransomware could infect operational technology, disrupting essential processes or taking entire systems offline.
The NotPetya “wiper-ware” in June of 2017 demonstrated the next level of malware sophistication: it did not require phishing emails to infect and propagate across victims’ networks, and its non-reversible encryption of victims’ hard drives gives every indication that it was intended as a PDoS attack and not for ransom.
Although DoS-style threats emerged nearly two decades ago, hackers have leveraged IoT to carry out much more sophisticated attacks in recent years. For example, the October 2016 attack against Domain Name System provider Dyn used IoT and a Mirai botnet to increase the attack’s scope and impact. Mirai botnets are a strain of malware that infects internet-connected devices and corrals them into an IoT “army” to overwhelm a target’s servers with malicious traffic, shutting down highly trafficked websites for several hours. While the Dyn attack caused arguably little more than inconvenience, it spurred speculation about the chaos and physical harm a DDoS attack (or worse, a PDoS attack) of that scale, or bigger, on the nation’s infrastructure could potentially cause.
Cyber attacks to date on critical infrastructure have largely targeted power grids and the electrical sector. In 2016, ransomware and DDoS attacks of that nature stole headlines worldwide. In Finland, a DDoS attack targeted computerized heating distribution centers, disabling heat to apartment buildings. In December 2016, a cyber attack on the Ukrainian capital’s power grid caused a power outage in various areas of the city. The attack has roots in malware—employees at Ukrainian power companies received infected emails, which allowed the hackers to seize control over their computers and carry out the attack. In June 2017, the NotPetya wiper-ware infected the Chernobyl power plant’s radiation monitoring system, but this time, the attack was believed to have originated via the M.E.Doc accounting software’s update service, and no phishing email was used. Beyond the technical semantics of the attack, it appears both acts might have been cyber warfare. Multiple security and media sources reported that Russia was likely tied to both attacks, motivated by the war in Eastern Ukraine. With these incidents in mind, securing the U.S.’s critical infrastructure against cyber attacks becomes a matter of national security.
What role can contractors play in hedging against cyber warfare?
From a business perspective, construction companies would be wise to shore up their cybersecurity. Construction firms looking to win federal or state government contracts under the much-anticipated infrastructure spend will be held to stringent cybersecurity standards. The U.S. government produces, collects, consumes and disseminates huge volumes of data and entrusts sensitive information to federal contractors. At the federal level, the Federal Acquisition Regulation (FAR) requires basic safeguarding of contractor information systems that process, store or transmit federal contract information, and contractors can face fines or contract termination in cases of cyber negligence. Construction companies contracting with the government must also consider their subcontractors’ cybersecurity standards: any weak cyber link can create a vulnerability.
While the construction industry looks forward to the promise of financial boon from new infrastructure projects, cybersecurity should remain top-of-mind. Too often, contractors may have basic cyber defenses in place but don’t prepare any real coordinated response plan until after an incident occurs. Cybersecurity controls addressing current threats are essential, but with the rapidly emerging swath of risks, contractors need to set their sights on the future and invest in monitoring, responding to and mitigating the next big threat.
This article originally appeared in BDO USA, LLP’s “Construction Monitor Newsletter” (Fall 2017). Copyright © 2017 BDO USA, LLP. All rights reserved. www.bdo.com