The hardware tools that connect construction companies to the 'net, thanks to the Internet of Things, should be considered a threat, as well as a benefit, says Jayson E. Street, the vice president of InfoSec (information security) at SphereNY. Street recently told construction IT professionals at the Associated General Contractors of America's IT Forum in Chicago that they should address IoT downsides in addition to the two traditional threats to their networks: human and software vulnerabilities.

Street is a security professional companies hire to test and refine their own network security. The "white hat" hacker created the site "Dissecting the Hack" and wrote a book with a similar name ["Dissecting the Hack: The F0rb1dd3n Network"]. He has also spoken at DEFCON, DerbyCon, UCON and other gatherings about network security.

Street talked about human vulnerabilities such as spearphishing, which has become more sophisticated as hackers take advantage of tragedies such as the Boston Bombing to gain access. From e-mails that play on users' concerns with subject lines such as "Boston Bombing," they have moved on to subtler ways of creating backdoor links that don't even implore the user to click on them and merely look like news stories about tragic events.

A bigger threat to the construction industry, however, may be the software, heavy hardware, drones and construction equipment that general contractors are connecting to their networks to take advantage of the IoT. The benefit of the IoT is that any object or machine component can have sensors installed to monitor operating conditions, performance levels and/or physical states. Construction equipment manufacturers, including Caterpillar, John Deere, Komatsu, Hitachi, Topcon and Trimble, have all been developing this technology for more than a decade. Sensors, electronics, actuators and software collect embedded data and exchange that data via secure network connectivity.

The fact that the drone or excavator you use can now report back all of its findings, its working condition and its maintenance logs also means that the software it needs to connect to a general contractor's secure network requires updates to keep it from becoming a hacker's back door, a non-human vulnerability. Any loosely written piece of code in that software can become a vulnerability that hackers can exploit.

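The more equipment is connected, the more integral software updates and patches become to the integrity of a contractor's network. Depending on the size of the construction company, this can include updating software on equipment across hundreds of jobs on different continents, which is no small task for IT departments already stretched thin by unprecedented levels of work and the difficulty of finding qualified professionals.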

While segmenting a network to limit vulnerabilities can work to isolate some risk, Street says the better approach is to monitor threats to equipment as well as the software that runs it, and to patch and update as often as possible, although this will certainly lead to some groans from employees in the field who are tired of seeing their equipment sidelined for updates. The human side of the equation also means IT departments must educate their executives, foremen and even laborers on human and machine vulnerability threats, and on just what is at stake every time they get that software update notification.