Both hard data and anecdotal evidence show that the leading cause for companies getting hacked is human error. Collaborative research by Stanford University and security firm Tessian showed that 88% of data breaches are caused by employees who click on hackers’ emails because they thought these really came from a top company executive or a legitimate source. Considering that dozens of employees in a company have access to critical documents and data which they might have to share with subcontractors for a project, the possibility of hackers and social engineers inserting themselves in the middle and committing fraud increases exponentially.
In a 2020 interview, Joseph Rigazio, a leader in the construction and engineering industry, shared his thoughts on the cybersecurity risks facing construction companies. The interview has shown to be effective in emphasizing the need for builders to be integrated with well-updated PKI tools. Joseph received training in Electrical Engineering, Business Economics, and Construction Management, worked for 21 years at Texas Instruments, and is currently the head of Talisen Construction Corporation. His ideas are transcribed below:
“One other area from the construction standpoint, right…phishing…the con job…ransomware… locking you up…getting inside and stealing – there’s content and there’s contact information so some of the things that keep me up at night is they got in, now they’re looking for banking records and they’re looking through the workflow of your payable and receivable chain, where are those wired information, EIN numbers of our vendors, etc. That’s concerning. That’s on one side, you know, get the money. What about the professional drawings and plans. We have a lot of content, that is, we’re dealing with more sensitive clients that give information, let’s say banking cards. We know where the safe is, we know the structures of the walls, we know how to get underneath them. They’re all in drawings. Construction companies have gotten digital in the last 10 years so there’s a lot of documentation in our files that show how those buildings were built.”-Joseph Rigazio
CEO of Talisen Construction Corporation
Data shows that Rigazio’s worries have come to fruition in the past decade with alarming frequency. According to risk management firm Marsh McLennan, engineering companies in the construction industry are the apple of hackers’ eyes because “relatively few contractors have thoroughly identified and quantified their cyber exposures or developed plans to mitigate and/or transfer that particular risk.”
A 2016-2017 comprehensive survey by Kroll, a risk and valuation digital solutions company, indicated that 63% of respondents in the engineering, construction, and infrastructure industry had experienced a security risk in the past year. When it came to cyber attacks, the survey showed that for the past year as well, more than 75% of the respondents encountered various forms of cyber breaches including phishing, worm viruses, and data deletion with customer files as the central target.
The next section discusses recent historical cases that demonstrate how engineering or construction companies have been breached.
Recent Historical Cases of Cyber Attacks on Engineering Companies
In 2013, the blueprints for the new Australian Security Intelligence Organisation (ASIO) building were stolen by the Chinese hacking gang APT3 who uploaded malware on the laptop of an ASIO employee. Among the critical content stolen included the floor plan, the communications systems, and the security systems. The cyber attack caused a delay in the construction of the building and forced ASIO to consider redesigning it.
In March 2016, a spear phishing scam targeted an employee of Turner Construction, one of the largest American construction companies. The person ended up sending the social security numbers and addresses of present and past employees to a hacker’s email account. Spear phishers create fake email accounts of people in a company who have key positions like CEOs, and then trick employees into sending confidential data or initiating financial transactions. The personal data gathered by hackers can be used in other fraudulent transactions such as pretending to be the person owning the social security number and then tricking an employee of another company like a bank into transferring funds to the hacker’s account.
Joseph Rigazio’s own company also fell victim to spear phishing. In the same 2020 interview, he shared how his head of project accounting was scammed when the person thought the hacker he was communicating with through email was him. Upon meeting at the office, Joseph’s employee mentioned that he followed up on the transaction to which Joseph replied with “What are you talking about?” The person then went white after realizing he got scammed and the cyber criminal got away with $10,000.
This 2021, a construction industry newspaper reported that “cybercriminals have moved on from hacking personal information. Now corporate intelligence, infrastructure and even heavy equipment are targets.”
Probably the most definitive example of the alarming cyber security risks faced by engineering companies is the May 2021 ransomware attack of Colonial Pipeline, an oil pipeline system that carries gasoline and diesel from Texas to the Southeastern states. The cyber crooks, believed to be the Eastern European gang Darkside, targeted the computers controlling the pipeline system. They also stole almost 100GB of information from Colonial Pipeline and made threats to divulge it on the internet if the company did not pay the ransom. For fear of subsequent attacks occurring and because they have lost their capacity to bill customers, Colonial Pipeline decided to shut down their operations and paid Almost $5 million to Darkside. This ransomware attack affected fuel supplies in airports and flight schedule changes and caused panic buying.
The cyber security risks associated with digital-based engineering work should not encourage companies to regress to purely paper-based planning and transactions.
So what is the way to help employees avoid getting misled by hackers? How do we address the risks of data theft when using the internet? Having them trained by a cybersecurity firm on basic safety protocols is one method. But in order to truly overcome human limitations in safeguarding precious data, engineering companies should look to invest in encryption-based cybersecurity that will make it very difficult for hackers to steal information even from the least internet-savvy workers.
If you are an engineer or someone who owns an engineering company, check out our article here which discusses the benefits of PKI technology in protecting your data.