
It shouldn’t come as a surprise that the entire construction sector lags behind other industries when it comes to cybersecurity, with 80 per cent of construction executives reporting one or more incidents in the past year.
Couple this with the fact that industrial control systems such as PLCs and SCADA systems are more difficult to protect from cyberattack than standard IT systems, and it is the perfect playbook for blackmail and extortion of asphalt and aggregate producers.
It also shouldn’t come as a surprise that cybercriminals are already targeting construction. And while these companies don’t have massive databases of lucrative personal data, like health care, legal or accounting firms, criminals know there’s a far more valuable prize to chase.
Because all companies have what criminals really want: money.
They know that their payday is in the substantial dollar amounts involved in contracts, projects and construction cash flow. Whether it’s piling for major infrastructure, shoring for urban excavations, or deep foundation work on residential and commercial developments, the money involved makes for a lucrative target.
Conversations about cybersecurity tend towards the trifecta of fear, uncertainty and doubt (FUD). When we look beyond FUD, cybercrime has real-world impact. Based on a report filed with the Office of the Maine Attorney General, in August 2022, an Arizona construction company detected suspicious activity in their computer network. Their investigation determined that personal information of 7,884 people was accessed. As a result, the company posted a notice of breach and sent data breach letters to affected individuals.
Little else was publicly disclosed, so details about exactly what happened are not available. However, we do know that the company provided 24 months of credit monitoring and identity theft protection, deployed improved cybersecurity measures and reviewed their security policies. The total cost to them is unknown, but we can estimate the cost for 24 months credit monitoring and identity theft protection for 7,884 people:
| Credit monitoring & ID theft protection: | ~$20/month/person |
| Duration: | 24 months |
| # of people: | 7,884 |
| Total cost: | $3,784,320 |
This amount doesn’t account for the investigation, remediation and security improvements mentioned in the Maine disclosure, however, it would probably be safe to say the total cost would be at least $3.8 million. All we can hope for is that the company’s cyber insurance policy covered at least a portion of that amount.
How a construction company almost lost $1 million
In one lesser-known attack, another construction company lost $1 million in cash flow. And that was off peak season – if it had occurred during peak construction season, it would have been between $10 million and $15 million. Unlike the first example, we know exactly what happened.
With cybercrime on the rise, the entire construction sector must evolve to meet the current threat and adapt to future, more sophisticated, threats.
An accounts receivable employee looked through her junk folder. She noticed an email from her boss requesting a spreadsheet listing customers with out standing balances and customer contact information for payment approvals. She salvaged the email from her junk folder and did what was asked: she exported the information from the accounting system and replied to her boss. When she asked her boss if he had everything he needed, they both realized something was wrong: she had sent the list to a cybercriminal who had impersonated her boss.
The subsequent investigation revealed the following:
- The email came from a free Gmail account, not a company email.
- The spam filter worked correctly and put the email into the junk folder.
- The email system correctly identified the email as originating outside the company by adding a warning to the message: “Caution! Email is from an external source.”
So, the determined cause of attack? Human error. But it wasn’t a simple oversight like accidently clicking on a link. Despite being enrolled in a security awareness training program to teach people to identify fraudulent emails, the employee hadn’t completed the training or testing. To make matters worse, even though a security awareness training was in place, the company didn’t have a policy in place requiring employees to participate.
Based on these findings, the company concluded that the technical controls (spam filter and external banner) worked properly. However, the administrative controls didn’t work as expected, and security awareness training was ineffective. With no policy for security awareness training, the company had little legal recourse to discipline the employee (the company is not in an “at will” jurisdiction).
Also, despite complying with cyber insurance requirements by having security awareness training, the lack of an enforceable policy and the employee’s poor participation record meant that any claim for losses would most likely be denied.
The company understood their plight:
- The criminal(s) would likely contact customers to redirect payments.
- The stolen information might also be used for blackmail: “Pay us to stay quiet or we’ll ruin your company’s reputation by showing the world how easy it was to scam you.”
Sure enough, one week after the mishap, customers received legitimate-looking payment change notices supposedly from the company. The criminal(s) had purchased a domain name near identical to the company, making distinguishing between legitimate and fraudulent email difficult.
Thankfully, none of the customers fell for the scam because they had been warned about what happened and what to expect. The company reported the fraudulent domain, which led to its removal and they implemented a new service to monitor for newly registered domains similar to theirs.

What about jobsite protection?
Neither of the previous examples mention production equipment; so let’s revisit the first example. We don’t know if production was affected at their jobsite. However, if one of their SCADA computers was hacked, criminals could have easily wreaked havoc on production through an outright shutdown, formula manipulation, inventory manipulation or some other way – all with the intent of extorting money to release control of the plant back to the owner.
For even a small plant, a cyber-forced shutdown would cost over $150,000 per day in revenue, not to mention remediation costs, contract penalties or ransom payments.
Top 5 security recommendations
No two businesses have the same risk profile or resources to manage it. But regardless of a company’s risk profile and resources, the following recommendations can be used to mitigate risk.
- Conduct regular security risk assessments (at least annually).
- Don’t treat information security as a one-and-done project. As cybercrimes become more sophisticated, security must evolve as part of a company’s continuous improvement strategy.
- Create a security culture within your company through training, policies and procedures.
- Think, “It’s not a matter of if we’ll experience a cyberattack, it’s when,” and create multiple layers of protection, including physical or logical isolation of vulnerable production equipment if you’re a producer.
- Create and rehearse an incident response plan (IRP). To draw on a sports analogy, teams practice plays so that they know how to execute on game day. Do the same with your IRP.
While construction companies may not seem like obvious targets, the reality is their involvement in large financial transactions makes them lucrative targets for fraud, extortion and other criminal activities. Because of the common belief the industry is not as susceptible to cybercrime as other industries, firms allocate few resources to truly evaluate and protect against threats.
As seen from the two examples examples, the financial and non-financial risks are significant, potentially affecting everything from cash flow to reputation. Fortunately, an effective risk management strategy using proven controls will help. With cybercrime on the rise, the entire construction sector must evolve to meet the current threat and adapt to future, more sophisticated, threats.
Scott Birmingham leads a team of information security professionals serving clients in a wide spectrum of industries, including heavy civil construction.