Guidance Note: NCSC Cyber Security Guidance for Construction BusinessesMarch 2022
On 23rd February GCHQ’s National Cyber Security Centre (NCSC) issued the first of its kind cyber security guidance aimed at the UK construction industry. The full guidance can be accessed here.
Due to the particular cyber risks facing the construction sector, the NCSC has advised businesses that cyber security measures are as vital as wearing a hard hat on site.
Cyber-attacks in the construction industry are on the increase. For example, in February 2021 cybercriminals gained access to a US water treatment plant in Florida through a poorly protected software app which the plant had stopped using 6 months previously, but which had not been uninstalled from their system. The criminal gained remote access to the network and briefly altered the chemical levels in the drinking water. Additionally, in 2020, Bouygues Construction was hit by a ransomware attack which paralysed their computer system and reportedly led to personal data relating to Bouygues employees, such as addresses, banking details and drug test results being published online.
As these examples evidence, the consequences of a cyber-attack can be devastating. Even if your business does not lose money directly, a data breach or a ransomware attack could cause a temporary shutdown of your business whilst the breach is investigated and systems are recovered, as well as reputational damage with customers and partners. It could also leave you open to an investigation (and fines) from the Information Commissioner’s Office.
The NCSC guidance is formed of two parts. Part 1 is aimed at helping business owners and managers understand why cyber security matters, while Part 2 provides practical solutions for construction businesses to employ to safeguard against cyber-attacks.
Part 1 – Why does cyber security matter?
Construction businesses are particularly at risk of cyber-attacks, and are typically viewed as an easy target by criminals.
Construction businesses are being increasingly targeted due to the large amount of sensitive data they hold. Criminals could be looking for details about the company’s next bid (or building design) in order to gain an unfair advantage. Additionally, due to the extensive use of subcontractors and suppliers involving large numbers of high value payments, construction businesses are an attractive target for spear phishing, which is when attackers send a targeted email pretending to be from a legitimate organisation, in an attempt to trick the construction business into paying money into a criminal’s account.
The new guidance advises that businesses should particularly consider cyber security measures at three key stages of the project: the design phase, the construction phase, and the handover phase.
The design phase:
Much of this stage is carried out digitally using software such as CAD, 3D modelling packages, or simulation packages to assist in structural and other specialist engineering disciplines. On some projects, you may join or create a Common Data Environment (CDE) with other businesses which allows access to large amounts of project information to be given to third parties. The NCSC has produced helpful guidance on managing who has access to such information here.
The construction phase:
Compared to the design stage, activities during the construction stage usually require a larger workforce, more materials and equipment, and more interaction with third parties. As the complexity and scale of the project ramps up during construction, businesses will naturally focus on project deliverables and deadlines. It is important that security is not overlooked at this stage of the project.
The use of high-tech equipment to survey buildings or sites is becoming increasingly common. Drones and GPS equipment can create detailed models and visualisations. This captured data can be valuable to thieves, so ensuring such equipment is adequately secured is a priority, especially if it is being stored in vehicles or the site office overnight.
The handover stage:
On completion of the project, there may be installed building management systems, for example BMS, BACS, BEMS and IACS. It is important that these systems are handed over to the client so that they can continue to secure the building and any digital based systems it might contain.
Details of steps taken to secure the systems as well as any steps or documentation required to maintain the security of these systems throughout their lifetime should be provided to the client. It is also prudent to retain copies of this information after handover for insurance purposes.
Part 2 – What can businesses do to boost cyber security?
The new guidance provides 7 practical steps that can be taken to reduce the risk of a cyber-attack.
- Back up your data
Identify business critical data, such as project plans, CAD models, customer details, quotes, orders, and payment details. Ensure data is backed up on a USB stick, an external hard drive or on a cloud storage system, and make sure you know how to gain access in the event of a cyber-attack. It is essential that any backup is also kept separate from your main computer.
- Protect your office equipment from malware (malicious software)
Make sure to use an antivirus software and only download approved apps. IT equipment should be kept up to date and be embedded with an encryption product which means that if even if your computer is lost or stolen, the data stored on it cannot be accessed.
The use of USB sticks/removable media should be tightly controlled as it is all too easy to plug an infected stick into a device, only to inadvertently introduce potentially damaging malware into the business.
- Keep phones and tablets safe
Make sure lost or stolen devices can be tracked, locked or wiped and never leave devices unlocked.
Care should be taken when connecting to public Wi-Fi hotspots, for example in hotels or coffee shops. Make sure that you’re connecting to a legitimate service; a member of staff will be able to confirm the name of the service to use. If you connect to a ‘rogue hotspot’, that is, a Wi-Fi hot spot set up by a cybercriminal, they could potentially access what you’re working on whilst connected and your private login details that many apps and web services maintain whilst you’re logged on.
- Use high quality passwords to protect your data
Your laptops, computers, tablets and phones will contain a lot of business-critical data such as the personal information of your customers, contractors, suppliers, and also details of the online accounts that you access. When passwords are implemented correctly, they are a free, easy and effective way to prevent unauthorised access to your devices.
Remember to avoid using predictable passwords and the same password across multiple online accounts. Also consider changing your password at quarterly intervals to ensure maximum protection.
- Be alert to phishing
‘Phishing’ is when cybercriminals use scam emails to convince you to click a link or open an attachment, which will re-direct you to an unsafe website where malware may be installed.
Be alert to the warning signs of a malicious email such as being given only a limited amount of time to respond and, content which is designed to make employees feel panicked or curious.
- Suppliers and partners
Cyber-attacks on your suppliers can be just as damaging as an attack on your own business. This is why it is important to employ cyber security when collaborating with suppliers and partners. You may be targeted as a way into the organisation you are supplying. This is very common in the construction industry, as you might already be working with organisations that the attacker wants to access through you. Conversely, your suppliers may be targeted as a route into your business.
It is important to understand your supply chain and determine how to secure it, paying particular attention to the suppliers which are high risk. Ensure you understand the terms and conditions in your contract or licensing agreement, and what parts of security each are responsible for. This will help you to develop a common understanding of each party’s security responsibilities, and what subcontracting decisions you are happy to delegate to them.
- Prepare for cyber incidents
Businesses should prepare plans to handle the incidents most likely to occur such as a ransomware attack (which is a kind of malicious software that prevents you from accessing your computer and the data that is stored on it). Staff should be trained by rehearsing the response to a cyber incident.
Make sure that the information which is essential to keep the business running is backed up and stored in a secure location so that it is still accessible in the event of a cyber-attack. If you have cyber insurance, have your policy details to hand and ensure you understand any legal or regulatory compliance you must adhere to and implement any guidelines/policies/rules they set out for you in your policy.
If you would like to discuss your businesses cyber security measures or accompanying insurance policy, please get in touch with Sheena Sood (firstname.lastname@example.org +44 (0)207 469 0402) or Felicity Hird (email@example.com +44 (0)207 469 0502).Download PDF