Last year, according to research conducted by SafetyDetectives, 54% of organizations in the United States reported a ransomware attack. Among the fascinating statistics, one piece of information has gone largely overlooked — that slightly more than 13% of construction companies have reported being extorted using this technique. So if you know of seven construction companies, one has statistically been a victim. Although it is not known whether they paid the ransom, experienced downtime or can quantify losses — there is a larger point to make here. Construction companies – especially those doing work on federal contracts and required to address NIST 800-171 – are well-advised to take note.
As ransomware operators have evolved into using more sophisticated techniques like evasion and lengthy persistence, they also are working more like a business than a “gang.” Victim targeting, research and evaluation of return on investment are now part of the determination as to who gets smacked next — and construction companies are about to get their time in the barrel. It has been reported that ransomware gangs even factor in the revenue of their targets to adjust the extortion demand to a level that’s “appropriate.”
During the first half of 2020, hospitals and local governments were the preferred targets because of the criticality of the services they provide and their historical underinvestment in security controls, a winning combination for ransomware gangs. According to a recent IBM study, approximately 30% of victim organizations pay the ransom, and our adversaries are constantly looking for methods to increase that “win rate” and improve their ROI.
However, the potential impact of snarling government and health sector operations is loss of life, and that fact is not lost on the actors themselves. When a hospital in Germany recently had operations disrupted as collateral damage from an attack aimed at an affiliated university, the actors promptly handed over the decryption key so that operations could be restored. Regardless, one person died as a result; causing actual deaths is apparently a bridge too far even for them.
Victims are sought out by actors who are measuring the return versus the effort to compromise a network, and the construction industry fits the victim profile. Because construction runs on tight margins that are tightly coupled with supply-chain optimization, any disruption in the ability to perform resource planning and material acquisition will not only delay projects, but that same disruption can impact the ability to submit bids for new projects.
A complicating feature of criminal tactics is “double extortion,” which is now becoming more prevalent. In this attack, the threat actors steal information prior to disrupting operational capacity. Construction operations, for the most part, have not considered or planned for compliance with state data breach reporting statutes and the additional regulatory scrutiny that comes with unauthorized disclosure of protected information. Records aside, contractors also possess information useful to competitors, such as bid proposals and pricing. This, too, is in scope for theft and disclosure if the extortion demands are not paid. But what are the common ways attackers are getting in? We will look at several below.
Through Credential Compromise
An attack against construction is not unlike any other — it usually starts with a person making a mistake, and that mistake usually ends in the disclosure of credentials — passwords — allowing an actor to walk right into the network, lay the bomb and light the fuse. And because of the dependence on business associates and third parties in the supply chain, there are more opportunities for well-researched “bait” to be introduced into company messaging — either transparently phony, spoofed to appear as coming from inside the organization, or coming from a trusted business associate.
Said another way, there are many opportunities to fool the person or persons who handle communications regarding supply orders and invoice payments into biting on a rigged attachment or a fake login page, which introduces malware or hands over credentials and begins the process that ends with an extortion attempt. This is a hard one to avoid, which is why CI Security conducts free security awareness training every Friday via webinar platform.
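The spoofed senders described above (a lookalike of the company's own domain, or of a trusted business associate) can be triaged mechanically before a person ever sees the message. The script below is an added example, not code from the original article or from CI Security; the trusted domains, organization names and sample headers are constructed, and the homoglyph table and edit-distance threshold are assumptions to tune for your own domain list.

```python
"""Triage the From: header of inbound mail against trusted domains to spot lookalikes.

Verdicts: trusted, homoglyph, typosquat, embedded, display_name_impersonation, external.
"""
import email.utils

# Constructed allowlist: the company's own domain and one supplier (assumed names).
TRUSTED_DOMAINS = {"acme-build.com", "steelsupplyco.com"}
# Organisation names as they appear in display names, mapped to the real domain.
TRUSTED_NAMES = {"acme build": "acme-build.com", "steel supply": "steelsupplyco.com"}

# ASCII characters attackers substitute because they render alike (assumed table).
SINGLE_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e"})
MULTI_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))
TYPO_DISTANCE = 2   # max edit distance still treated as a typosquat (assumed threshold)


def normalize(domain):
    """Fold homoglyph substitutions so 'acrne-bui1d.com' compares equal to 'acme-build.com'."""
    d = domain.lower().strip().translate(SINGLE_HOMOGLYPHS)
    for src, dst in MULTI_HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance by the classic row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain):
    """Exact match or a subdomain of a trusted domain (mail.acme-build.com)."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def classify_sender(from_header):
    """Return (verdict, related trusted domain or the sender's own domain)."""
    name, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rsplit("@", 1)[1].lower()
    if is_trusted(domain):
        return ("trusted", domain)
    for t in sorted(TRUSTED_DOMAINS):
        if normalize(domain) == normalize(t):
            return ("homoglyph", t)
        if edit_distance(domain, t) <= TYPO_DISTANCE:
            return ("typosquat", t)
        if t in domain:                      # acme-build.com.portal-invoices.net
            return ("embedded", t)
    lowered = name.lower()
    for org, t in TRUSTED_NAMES.items():
        if org in lowered:                   # trusted name on an untrusted mailbox
            return ("display_name_impersonation", t)
    return ("external", domain)


# Constructed sample headers (not real mail).
SAMPLE_HEADERS = [
    "Jane Doe <jane@acme-build.com>",
    "Jane Doe <jane@mail.acme-build.com>",
    "Jane Doe <jane@acrne-build.com>",
    "Accounts <ap@acme-bui1d.com>",
    "Jane Doe <jane@acme-buld.com>",
    "Invoices <billing@acme-build.com.portal-invoices.net>",
    "Acme Build Accounts Payable <ap@gmail.com>",
    "Bob <bob@randomvendor.net>",
]


def triage(headers):
    """Map each header to its verdict; anything but trusted/external deserves a second look."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict[0]:28} {header}")
```

Two caveats a practitioner would add: an edit distance of 2 is too loose for very short domains, so scale the threshold with domain length or require a minimum length; and the From: header is only one signal, so pair this with SPF/DKIM/DMARC results rather than treating a "trusted" verdict as proof of origin.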
Through Third Parties
This is a particular Achilles’ heel for construction. Supply chains are extensive, and enterprise resource planning to balance inventory and raw materials is a constant effort that often requires speedy decisions without a lot of deliberation. Supply chains also are the subject of research by criminal enterprises, and compromise through business associates is a growing and troubling trend. Suppliers are frequently the “unlocked window” through which criminals exploit networks of trust to gain access to the real target.
Some example incidents in the last few months include Blackbaud, a supplier to the health sector, charities and philanthropic organizations, and Tyler Technologies – the No. 1 service provider to local governments in the United States. It is a reasonable assumption to make that a supplier of building materials does not make the investments in security that either of these organizations do, yet they were carefully and deliberately compromised with the specific intent of using them in the technique known as “island hopping.” Construction suppliers can be an unwitting threat and should be treated as such.
Through New Technologies
New technologies being introduced into construction, notably artificial intelligence and robotics, are another avenue, especially those that are networked to some type of control system or software. These systems are vulnerable to disruption, but the kinetic nature of their operation may also make them dangerous. Little is known regarding the security hardening and configuration specifics of these devices. In addition to new technologies, the addition of various types of “smart” telemetry and control devices has expanded the attack surface and given rise to additional methods of entry. Networked cameras, RFID readers for inventory management and more are used in data acquisition for use in resource planning. Deployment of these devices should be done with care: default credentials and configurations are trivially simple to exploit, so change them, and keep the devices off the business network, before they go live.
How should construction companies address cybersecurity to safeguard the business from disruption? As briefly as possible, here is an actionable punch list:
- Use policy and training — When it comes to policy, keep personal use on a personal device, and for training, any time you’re asked to enter your password, stop and verify the request through a channel you already trust, such as a phone number you looked up yourself.
- Address security in procurement — Use security criteria in evaluating purchases from technology suppliers — especially to the extent they involve software and embedded systems. Asking for test results conducted against a security standard by a third party is a reasonable request and allows for this comparison.
- Manage third party security — Require vendors to “show their papers” in terms of security controls. This can be an audit report against a standard such as ISO 27001 or SSAE 18 (SOC 2), an assessment report by a third party, or a completed security controls questionnaire. Let them know you’re serious.
- Monitor networks and be ready to respond — Importantly, monitor to detect aberrational behavior and have a plan for when a security incident is confirmed — either through your own IT department or by hiring a service. Putting out the small fires as immediately as possible prevents the house from burning down.
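What “aberrational behavior” looks like on a file server during the encryption phase is concrete enough to detect with a few lines of logic. The script below is an added example, not code from the original article or from CI Security: it runs two detections over constructed audit events in a made-up key=value format (a burst of renames by one process that all gain the same new extension, and the same file name dropped into several directories, the way a ransom note is), and the window, thresholds and sample events are assumptions to tune against your own logs.

```python
"""Flag ransomware-like activity in file-server audit events.

Two signals, each scoped to one (host, user, process) actor:
  1. a burst of RENAME events that append the same new extension, and
  2. the same file name CREATEd in several directories (a dropped ransom note).
"""
import os
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window for the rename burst (assumed)
RENAME_THRESHOLD = 10            # renames inside WINDOW before alerting (assumed)
UNIFORM_EXT_RATIO = 0.8          # share of renames that must end in one extension
NOTE_DIR_THRESHOLD = 2           # same file name created in this many directories

# Constructed event format: ISO time, then key=value fields; paths contain no spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)

# Constructed sample events (not real audit logs). Two users doing ordinary work:
NORMAL_EVENTS = [
    "2020-10-05T14:00:12Z host=fs01 user=jdoe proc=EXCEL.EXE op=WRITE path=projects/bid-117/estimate.xlsx",
    "2020-10-05T14:03:40Z host=fs01 user=jdoe proc=EXCEL.EXE op=WRITE path=projects/bid-117/estimate.xlsx",
    "2020-10-05T14:05:02Z host=fs01 user=kpatel proc=WINWORD.EXE op=RENAME "
    "path=projects/bid-118/scope-v1.docx new=projects/bid-118/scope-v2.docx",
    "2020-10-05T14:05:30Z host=fs01 user=kpatel proc=WINWORD.EXE op=CREATE path=projects/bid-118/notes.txt",
]
# Twelve renames in twelve seconds from one process, every file gaining ".lck0":
BURST_EVENTS = [
    f"2020-10-05T14:06:{sec:02d}Z host=fs01 user=mwalsh proc=update.exe op=RENAME "
    f"path=projects/bid-{117 + sec % 3}/file{sec:02d}.pdf "
    f"new=projects/bid-{117 + sec % 3}/file{sec:02d}.pdf.lck0"
    for sec in range(1, 13)
]
# The same note file written into two project directories:
NOTE_EVENTS = [
    "2020-10-05T14:06:13Z host=fs01 user=mwalsh proc=update.exe op=CREATE path=projects/bid-117/HOW_TO_RECOVER.txt",
    "2020-10-05T14:06:14Z host=fs01 user=mwalsh proc=update.exe op=CREATE path=projects/bid-118/HOW_TO_RECOVER.txt",
]
SAMPLE_EVENTS = NORMAL_EVENTS + BURST_EVENTS + NOTE_EVENTS


def parse(line):
    """Return a dict for one event line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Run both detections over an iterable of event lines; return alert dicts in order."""
    alerts = []
    renames = defaultdict(deque)    # actor -> deque of (timestamp, new extension)
    burst_fired = set()             # actors already alerted on, so one burst = one alert
    note_dirs = defaultdict(set)    # (actor, file name) -> directories it was created in
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        actor = (ev["host"], ev["user"], ev["proc"])
        if ev["op"] == "RENAME" and ev["new"]:
            q = renames[actor]
            q.append((ev["ts"], os.path.splitext(ev["new"])[1]))
            while q and ev["ts"] - q[0][0] > WINDOW:   # drop events outside the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and actor not in burst_fired:
                ext, n = Counter(e for _, e in q).most_common(1)[0]
                if n / len(q) >= UNIFORM_EXT_RATIO:     # one extension dominates the burst
                    alerts.append({"type": "mass_rename", "actor": actor, "count": len(q),
                                   "ext": ext, "first": q[0][0], "last": ev["ts"]})
                    burst_fired.add(actor)
        elif ev["op"] == "CREATE":
            directory, _, name = ev["path"].rpartition("/")
            dirs = note_dirs[(actor, name)]
            dirs.add(directory)
            if len(dirs) == NOTE_DIR_THRESHOLD:      # fire once, when the threshold is first reached
                alerts.append({"type": "note_fanout", "actor": actor, "filename": name,
                               "dirs": len(dirs), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the first alert fires at the tenth rename, eight seconds before the note is dropped, which is the point of the “small fires” advice above: an alert keyed to the user and process lets the responder disable that account and isolate that host while most of the share is still intact. Expect to raise the threshold for backup and batch-conversion jobs, which rename in bursts legitimately, and allowlist them by process name rather than by user.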
Michael Hamilton is the chief information security officer of CI Security, an incident response firm. He also served in the same role for the city of Seattle.