Cyber criminals are becoming ever more sophisticated, as are the scams they are executing. Globally there are countless reports in the media of cyber-attacks (from sector-agnostic criminals) on companies operating in these sectors. This article considers some of these issues and draws on the expert views of selected stakeholders in the industry.

Developments in Technology

The pace at which technology is developing in the construction, energy and engineering space is ever increasing, as indeed is the reliance on it. Autonomous vehicles, artificial intelligence and smart contracts are creating opportunities for organisations to reach customers that they could not previously reach, and to offer their services and solutions at a more cost-effective rate. It is inevitable that, in the drive for ever greater efficiency, technology will need to be utilised. These opportunities also create risk; utilising a new application might be a fantastic idea in principle, but if the implementation of that application creates other issues (whether compliance related or otherwise) then they need to be managed properly. The same principles apply to cyber security in the development of new technology. If new technologies are not properly protected, they can lead to vulnerabilities and exploits that create a financial and reputational risk to an organisation and its supply chain.

Why do people keep talking about cyber security?

Cyber is very much a buzzword at the moment (sometimes sold through ‘fear’). It is for that reason that Statista forecasts that the global cyber security market will grow to $345.4 billion by 2026.

Why the significant increase? The answer is simple. Individuals and organisations are spending more and more money on addressing this risk. The amount spent very much depends on the availability of budget, and the organisation’s attitude to risk. In addition, the additional spend is leading to the development of new cyber-related services. In the context of a corporate transaction, it is now more important than ever that enquiries are made to ensure that the business being acquired is cyber secure. Several high profile fines by the ICO would suggest that the regulators will expect organisations that have the budget to make those enquiries to do so (in the event of a significant cyber security incident or breach).

Celso De Azevedo, a specialist cyber and technology barrister at 36 Commercial, also considers the importance of the wider cyber security landscape:

“We are in the foothills of a revolution in cyber security. The future of cyber security is holistic, rather than as separate private versus government framework. Governments will eventually realise that there is no point in trying to punish corporations that do not adopt adequate cyber security measures after the event, where adequate standards remain unclear. International corporate governance frameworks which incorporate a robust kitemarking and certification regime for cyber security systems and providers must be developed at pace. Setting up this worldwide government-sponsored cyber security framework will be the greatest challenge for the next decade.”

Who should be addressing the issue?

Cyber security is an issue that needs to be addressed at all levels including at senior board level. In that regard, the National Cyber Security Centre introduced a specific toolkit to help organisations address these issues back in 2019.

However, one can easily see how discussing complex and technical issues at senior level could potentially be challenging and, therefore, must be carefully managed.

Michael Corcione, Partner, Global Head of Cybersecurity & Privacy Services at the global consultancy firm HKA, agrees:

“The current cyber threat landscape is more ominous than ever. Recent attacks have shown increased sophistication while, simultaneously, having a wider reach by infiltrating into supply chains. Additionally, attackers are also more empowered than ever. They operate like big businesses, but they do not have to pay taxes, provide employee benefits, or adhere to regulations. As construction companies rapidly adopt new technologies to optimize their project delivery, and with the integration of IoT (Internet of Things) devices into their buildings, attackers are given more targets to strike. Senior and Board level leaders must ensure cybersecurity and privacy risk is an ongoing discussion, while utilising the support of subject matter experts with the knowledge to navigate such cyber threats.”

Ransomware

Ransomware is a global problem. The disruption element is significant and organisations that are affected by these incidents are forced to incur significant costs (both third-party costs and internal management time) in dealing with the fallout. Reputational damage is harder to price.

In addition to the 72 hour reporting window (with the clock starting when an organisation becomes aware of a personal data breach) under GDPR, organisations may also be dual regulated or subject to additional requirements to notify an incident to other stakeholders (in other jurisdictions). For example, an organisation may also need to self-report the data breach or cyber security incident separately to the FCA. In addition, organisations in the energy sector will also likely have additional requirements; for example under the NIS Directive (EU) 2016/1148 operators of essential services are required to make a notification of a security incident which has a significant impact on continuity of essential services. Why is this important? Organisations need to be prepared. They need to be ready to deal with these issues and ensure that information that is shared is both required and consistent (noting that many regulators: (1) have powers to request the disclosure of documents and (2) may communicate with other regulators and find out if different messages are being conveyed).

The ability to respond to an incident efficiently is only as good as the extent to which the organisation is prepared to deal with those issues. The better prepared, the better they can involve the relevant teams (legal, PR and cyber security) to investigate the position. The sooner they can manage the communications, and associated privilege issues, the sooner the risk is reduced.

Supply chain issues

A threat actor will look for exploitable weaknesses within an organisation’s network. It is not just an old server that is not segregated from the network, or a device which is not properly patched, that provides the ‘holy grail’ for a threat actor. Employees are often touted as the weak link in the chain – they are the party that may click on a phishing email which inadvertently leads to the granting of access to a third party. The underlying motive for the incident will vary. It could be to showcase a threat actor’s capability, or to cause maximum disruption. It may equally be to access data (to commit other crime, or to sell on the dark web) or to extract a ransom payment.

The construction and engineering sector is particularly vulnerable. Organisations in the sector are perhaps not thought to be a source of information which could be stolen and then sold on the dark web; however, the sector is potentially one of the industries which can be very easily disrupted. Moreover, many organisations in the supply chain may have varying levels of cyber security proficiency. Smaller organisations (who may become involved in larger projects because they carry out niche specialisms) may not have the budget and bandwidth that a much larger organisation would have. They are unlikely to have their own security operations centre, and are equally unlikely to be actively engaging in threat hunting. One weak link in the supply chain can cause significant problems for all involved.

For example, if the smaller organisation is compromised (perhaps by way of a spear phishing email attempt, whereby an unsuspecting employee inadvertently clicks on a link and downloads malware onto their computer network) and as a result a payment due to them or a third party is successfully diverted to a threat actor, then it is important to consider who is left ‘carrying the can.’ In the event that agreements cannot be reached, then organisations end up in costly and adverse litigation.

Zero day vulnerabilities

Ultimately, it is the reputational damage (in addition to the potentially significant financial damage) resulting from an incident which does the most harm to a business. Contracts can be lost and relationships which were thought to be on solid ground can seemingly disintegrate overnight. In certain sectors, such as oil and gas, there are potentially additional threats and disruption (such as the threat to life) as a result of a cyber incident.

In addition to the threats mentioned above, organisations in the construction, engineering and energy sectors are potential targets for new exploits and strains of ransomware. A threat actor who has identified a rare ‘zero day vulnerability’ (i.e. an unknown flaw that creates a significant vulnerability in software or hardware – the significance of this is that there will not be immediate mitigation options such as patching which could prevent the same) is going to want to exploit that vulnerability in the most powerful way possible. Once it is out there, it will only be a matter of time before a patch is created and the exploit is closed off.

Therefore, a threat actor with a zero day exploit is likely to use it to cause the most disruption possible. It is conceivable that potential targets for those attacks could be power stations, or oil pipelines. This is not always the case, however, noting that the hack on the Colonial Pipeline (which disrupted fuel supplies across the US) happened because of a cracked password without multi-factor authentication.

Chris Woods, the founder and CEO of CyberQ Group Limited, a specialist global cyber security business, considered the importance of the ‘digitisation’ of these industries:

“Construction, energy and the engineering sectors have lagged behind other industries in preparing and quantifying the cyber and supply chain risk. With the digitisation of these industries, vast amounts of highly-sensitive data including building models, documents, drawings and personal data are being processed, stored and shared. Thus, certain cyber incidents have the potential to impact a company’s ability to meet these goals, causing reputational damage and hefty financial implications. The solution is to understand risk and apply the appropriate measures within the business to protect, detect and respond with speed and agility, which is paramount in an attack situation. The faster a business responds, the greater the chances of being able to minimise its impact. Overall, it is important to have a plan of action in place so that your organisation is ready to defend 24/7/365.”

Conclusion

Cyber risk is real, and organisations in the construction, energy and engineering sectors really do feel that risk from all sides. As well as being targets, they are vulnerable through their supply chain. Therefore, remaining vigilant and getting ahead of the game to prevent (or mitigate) an incident is considerably more efficient than ‘cure.’ In the event of an attack it is important to take action quickly with legal and other cyber professionals.