Cybersecurity in the Construction Industry: Ongoing Malicious Activity

What keeps you up at night? For me, it’s the experiences I’ve lived through in my long career in cybersecurity that concern me. For you, maybe it’s the uptick of malicious activity that has impacted your colleagues and fellow association members in the construction industry. 2020 has proven challenging in many respects, and now many of your peers have experienced firsthand how destructive cybercriminals can be. Cybercriminals go where the money is, and they’ve discovered your industry. I want to share a real situation involving our energy sector and our critical infrastructure that highlights how complex these attacks can be.

Late one evening, when I served as the Director of Cyber Security Coordination with the Department of Homeland Security, a call came in that malware had been discovered on various utility companies’ operational networks. The threat appeared simple initially; private sector and government teams worked together to understand and remove the threat.

As we dug deeper, we discovered a potential nightmare. It soon became clear this wasn’t an isolated incident as the federal government monitored internal assessments from other utility companies. We realized this was a sophisticated and coordinated attack. The potential for catastrophe should this malware be activated was enormous.

Over several weeks, with teams of both government and private sector experts working together, we removed the threat. At the same time, we focused on who was responsible and why, and it became apparent who was behind the attack.

It was a two-pronged attack against the United States and its critical infrastructure. First was a basic blackmail strategy. We believed the attacks were meant to warn the US to be careful with our international policies. The simple activation of this malware would have caused significant disruption to our country and daily lives. Second, we discovered that the malware could support a more aggressive, adversarial posture against the US – basically, it was a deeply embedded offensive capability that would support hostile activity or even war.

We believed our attackers wanted us to find the surface threat and to miss the buried hostile capability. This hidden capability was yet another wake-up call for us to understand the threat and our critical infrastructure implications.

For you, the threat profile is a little different; cybercriminals, not necessarily nation-states, will target you. These criminals typically work with those same nation-states and even use their tools. Today the dominant attack pattern for your industry is ransomware. Ransomware is a type of malicious software designed to encrypt your data and block access to your files until a sum of money is paid.

Imagine walking into your office and seeing a strange red screen message on every computer screen that states that your company data is safe, but you no longer have access to it. You cannot even log in to your computer. Your phone and your IT department’s phones start ringing off the hook. The message on the screen changes. You have to pay whoever did this $10 million to access your systems.

Was payroll compromised? What production systems went down? Can you continue to operate? How? Whose personal information was compromised? What about information on your customers? Do you have to report it? Who do you need to contact? The police, your attorney, your bank? In what order do you contact them? Do you have cyber insurance? Can your technology providers help you? Should you pay the ransom? It is a painful and chaotic time after a ransomware attack.

The solution is simple but hard to execute. We must work together to minimize the potential for malicious actors to be successful. Only through open communication and collaboration can we ensure we control our work and life environments. My goal is to reduce the communication gap between the cyber community and the private sector, so I look forward to an ongoing discussion.