Cyber Risk in the Construction Industry
By: Kendall Woods
Technology has always been critical in the construction industry – driving construction forward and allowing the construction industry to evolve. Technological advancements, such as building information modeling, personal smart devices, connected equipment and tools, telematics, mobile apps, autonomous heavy equipment, drones, robots, virtual reality, and 3D printing allow the construction industry to rapidly advance in efficiency, coordination, safety and cost-savings. Unfortunately, the benefits of technology are often coupled with risks. Stories routinely appear in the news of cybercriminals who have hacked into companies’ systems to obtain personal or financial information or to take control of the systems to cause mayhem. For the most part, these attacks seem to be directed at financial institutions and retail. However, the potential for hacking into construction technology exists too. In particular, the wider use of internet-connected devices dramatically increases the risk of transgressions from unauthorized access to these devices. The potential for harm resulting from the unauthorized access of information should be a major concern for owners, contractors, subcontractors, and design professionals in the construction industry, as well as those who advise them. This article provides an overview of the technology and information systems used on construction sites, some of the potential risks that accompany such use, and considerations for coverage to protect against damages arising from cyberattacks.
What is IoT?
The Internet of Things (IoT) consists of web-enabled smart devices that use embedded processors, sensors, and communication hardware to collect, send, and act on data they acquire from their environments. This data can then be shared, analyzed, and utilized. These devices also communicate with other related devices and act on the information received from one another. For the most part, these devices do their work without human intervention, although people can interact with the devices. This interconnectivity and remote data collection, while beneficial, carries the risk of cyberattacks. Because IoT devices are interconnected, a hacker need only find the weakest link to infiltrate the entire system and access private data or shut down entire systems.
Examples of IoT Devices Used in the Construction Industry
1. Drones. Drones are unmanned aircraft – flying robots that can be remotely controlled or fly autonomously through software-controlled flight plans. Drones are used for a multitude of activities on a construction site, including:
a. Surveying Land and Buildings. Construction requires real-time information on existing conditions of buildings and land to enable contractors to build accurate, safe, and economical buildings. Drones greatly reduce the labor and time involved in producing accurate land surveys and as-built building conditions. For example, drones can be used to inspect conditions of areas that are challenging to access, such as roofs. Traditionally, builders would have to erect scaffolding, manlifts, or extension ladders to access a roof to assess its condition and ascertain any defects. Using drones, contractors can now obtain this data in a faster, less expensive, and safer manner. Similarly, drones can be used to perform visual inspections of site conditions, including high-risk areas, that can save time and reduce health and safety perils.
b. Improvements to Infrastructure. Drones provide superior endurance and intelligence on job sites, obtaining and recording information quickly, with more accuracy and less risk.
c. Communication and Management. Drones are used extensively on construction sites to provide immediate access to video and data information, as well as keeping tabs on employees and workers.
d. Improved Overall Security. Drones are used to maintain the safety of employees and monitor sites to prevent vandalism and theft.
e. Accurate Surveillance. Drones are used to collect constant data to create a continuous record of the construction site, allowing contractors to record and store the progress of each project.
f. Transportation and Inspection. Drones can be used to both inspect job sites and transport materials aerially.
2. Vehicle Tracking. Contractors utilize software that enables them to track the vehicles and machines used on site. These systems can monitor the location and use of various vehicles and machines and even prevent theft or help locate stolen equipment.
3. Wearable Devices. Wearable devices have been heralded in recent years as a significant enhancement in worker safety. The technology can be embedded into common-use items such as hard-hats, vests, and boots and monitor location, worker movement, repetitive motions, posture, fatigue levels, and slip and falls. This technology can even warn workers when they are too close to moving equipment or hazardous conditions.
4. Machine Control. Software and equipment outfitted with GPS allow for remote operation and guidance.
5. Time Tracking. Time tracking software enables contractors to track location and hours worked by labor forces.
These are only some examples of uses of IoT technology on construction sites. These innovations – and each new innovation that comes along – must be protected to minimize risks.
Cyber Risks With the Use of IoT
While almost everyone can recall a time they have lamented a technology failure, such as a software or equipment malfunction, these issues, right or wrong, are not perceived to be as damaging and anxiety-provoking as hacking. Hacking is the unauthorized access to or control over computer network security systems for some illicit purpose. The technology used in the construction industry, like in other industries, is susceptible to cyberattacks resulting in misappropriation of data or even shutting down systems using ransomware or a distributed denial-of-service (DDoS) attack. Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. A DDoS attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. Some of the top cybercrime trends that could impact the construction industry include: ransomware; DDoS attacks; government targets, particularly local municipalities; critical infrastructure, such as hospitals, water supply systems, police and power generation; and business e-mail compromises.
While the construction industry has not yet been the topic of widely publicized cyberattacks, examples of cyberattacks in other contexts highlight vulnerabilities that are also present in the construction industry:
- Bowman Avenue Dam. Seven Iranian computer hackers penetrated the Bowman Avenue Dam control system on behalf of that country’s Revolutionary Guard Corps. This breach paralyzed 46 of the United States’ largest financial institutions and blocked hundreds of thousands of customers from accessing their bank accounts online.
- Dyn Cyberattack. In 2016, cybercriminals launched the largest DDoS attack, targeting systems operated by Domain Name System (DNS) provider Dyn. The attack caused major Internet platforms and services to be unavailable to large swathes of users in Europe and North America, including Amazon, CNN, Comcast, Fox News, Netflix, and many others.
- Polish Tram. A teenage boy hacked into a Polish tram system and adapted a television remote control so it could change track points. Twelve people were injured after a tram derailed.
- St. Jude’s Cardiac Devices. St. Jude’s implantable cardiac devices had vulnerabilities that could allow a hacker access that could be catastrophic to the patient’s health.
- Infrastructure. Power plants, mass transit systems, dams and the like, represent a particular area of concern as these infrastructures, if hacked, could inflict major collateral damage to the public.
These are only some examples of the ever-increasing risk of cyberattacks in all industries. As the use of technology continues to expand, the increased threat of cyberattacks will likely follow. As the industries that serve as primary targets for hacking continue to improve their security, hackers seek new paths to access information. Contractors might find themselves unwitting accomplices to hacking schemes. For example, a 2014 cyberattack on Home Depot originated through an HVAC contractor. The HVAC contractor had access to Home Depot’s networks to service heating and ventilation equipment. Hackers stole the login information from the HVAC contractor and accessed tens of millions of customer credit card numbers and other personal information.
Potential Claims From Cyberattacks
Cyberattacks can wreak havoc in numerous ways depending on the type of attack. Some examples of damage particular to the construction industry that can arise from cyberattacks include: (1) the unauthorized disclosure of private/confidential information; (2) property damage; (3) bodily injury; (4) project delays; and (5) false claims. Misappropriation of data and/or the unauthorized control of equipment and information can lead to significant damage. It is important for contractors to understand these potential risks and obtain coverage to protect themselves against a potential cyberattack.
Managing and Insuring Risks
There are a number of measures that your company can and should take to reduce risk. In addition to engaging cybersecurity experts, your company should take necessary steps to install, use, and update antivirus and antispyware software; control and secure physical access to your computers, devices, and network components; control and secure your Wi-Fi networks; restrict employee access to data and information; require individual user accounts for each employee; regularly change passwords and ensure that passwords are strong; and train your employees in your cybersecurity practices and protocols.
In addition to these cybersecurity management measures, construction industry players should consider insuring against risks related to cybersecurity. Given the prevalence of cyberattacks, cyber insurance is now offered by many carriers. Cyber policies typically provide for both first party cyber-incident related losses experienced by the insured themselves and third-party coverage claims.
Typical first party coverages include:
- Data asset protection
- Remediation costs
- Business interruption
- Cyber extortion
- Crisis management and other response costs
Third-party policies include coverage for losses incurred by, or damages payable to, third parties:
- For the unauthorized disclosure, use, or destruction of their confidential information or of protected personal information
- Because of denials or delays of access to the affected business systems
- From the transmission of malicious code or malware
- Because of copyright infringement, misappropriation of trade secrets, defamation, or invasion of privacy if caused by leaked data
Additionally, policies may cover costs associated with regulatory proceedings resulting from a cyber incident.
As always, the exclusions of certain policies can impact the full scope of coverage. It is important to understand both the coverage afforded by the policy as well as the exclusions to ensure that you have procured proper and complete coverage. For example, many cyber policies exclude damages for bodily injury and property damage. For people in the construction industry, these exclusions, coupled with recent ISO endorsements in commercial general liability policies, could lead to a troubling gap. It is critical to review, discuss, and understand the potential policies available for the types of cyber risk prevalent in the construction industry.
Technology has done and will continue to do great things for the construction industry. However, as new technology is integrated into your business, it is imperative that precautions be taken to ensure that your data is not subject to attack.
Copyright 2020 Laurie & Brennan, LLP