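New cybersecurity threats to increasingly remote and interconnected teams can plague every design and construction team. Work-from-home mandates and other side effects of the ongoing pandemic have created more online collaboration, but also more opportunities for cybersecurity gaps.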

As teams across these sectors go remote, the attack surface for cyber criminals has dramatically increased, and businesses are more exposed than ever to hacking, malware, ransomware, phishing and other digital tactics. The construction industry is particularly vulnerable, as firms in this field have widely distributed workforces under normal circumstances and regularly use remote devices as standard operating procedure. This also makes them more highly attuned to the risks and in a better position to adapt than other sectors.

Securing Digital Workflows

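The maxim of information security is that a company is only as secure as its weakest link. In the era of COVID-19, this presents significant logistical difficulties, and cyber criminals know it. Construction and design firms have been innovators in remote work, with large numbers of projects distributed across metropolitan areas, states or even countries, but as most firms' office staff began working overwhelmingly from home, security protocols may have lagged behind. Every laptop, tablet and mobile phone on which company work happens needs to be considered part of a firm’s digital network, and the Wi-Fi at field offices, home offices or coffee shops where your people may work represents a potential open door to your firm’s data.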

Most breaches occur not because the tools fail, but because of human error. Teams need to be trained regularly on protocols and on what to look for in terms of threats. They also need to know what kinds of networks are safe to access. Similarly, in the construction field, there is a great deal of collaboration between firms, so understanding the security posture of each firm needs to be high on every company’s risk matrix.

Cybercriminals have also become more sophisticated. You may not be dealing with a computer virus in the ways people traditionally think of them. A phishing scammer may gain access to your internal accountant’s email and monitor it over the course of weeks to learn the accountant's writing style and how he or she interacts with contacts. That language pattern can then be used to send a real-looking invoice or change order along with a new routing number that the criminal can access.

Owners and facility operators, architects, engineers, general contractors, construction managers, vendors and subcontractors may all be interacting with your data or your digital networks. It’s important to encrypt all devices and have proactive measures in place to handle the collaborative nature of construction work.

Data and Interconnectivity Risks

One major development in recent years is the rise of smart buildings, cloud storage and the internet of things to create greater efficiencies, better data insights and heightened sustainability. The construction industry has been a part of this, particularly when it comes to fit-outs of existing spaces. Even in ground-up construction, advances in technologies like BIM, virtual reality (VR), augmented reality (AR) and digital twins have added a new world of tools to create safer and more efficient projects. Similarly, safe storage and backup are more important than ever for the data and insights these services provide. The flip side to this is that every new connection or technology is a potential attack point, and bad actors know that information is currency.

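For some time, the need for security in industrial control systems (ICS) has been well known, as network operators clung to the air-gap protection of their environments, which separates an organization's IT network from its ICS network. However, the continued deployment of IT connectivity and communication technologies in ICS environments, together with the recent growth of ICS-specific threats, has forced ICS operators to start taking security seriously. For example, hackers can gain access to wireless sensors that are deployed in remote locations to monitor equipment performance. In addition, many of these technologies are provided by third-party vendors, which means your exposure extends even further. For example, you could be targeted for a breach through an HVAC vendor, after which hackers could potentially access all of your data in the cloud or gain control of other systems.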

Essential Security Posture

Corporate governance is key to combating this. Now is the time to update security standards for our new remote and connected normal. Make a long-term plan and train your teams regularly. Schedule daily backups of your data. Implement multifactor authentication and use encrypted remote access procedures for all personnel, not just site teams. Restrict your administrative and user privileges. Patch and update your operating systems and applications regularly, and prevent unapproved applications and software from running on all of your network devices. Most importantly, use an experienced IT and cybersecurity consultant to audit your systems regularly.

Offense, Not Defense - Threat Hunting

Stopping cyber criminals or state-sponsored actors before a breach materializes requires you to be proactive and vigilant. A customized plan to target, pursue and eliminate threats on your network is the best tactic to stay out of harm’s way. Traditional endpoint and network security products simply aren't enough to protect the modern enterprise. After all, most of these offerings have just expanded on the same frameworks that hackers have successfully exploited for years. Offensive cybersecurity strategies preemptively identify vulnerabilities and security weaknesses before an attacker exploits them. These strategies actively test the network’s defenses and provide valuable insights into a firm’s cybersecurity posture.

At the end of the day, construction companies and design firms need to make data security and privacy a priority for all team members. As our industries evolve to embrace new and exciting technologies that open up possibilities and attract a new generation of talent, everyone needs to be aware of the risks. Just as environmental, health and safety hazards are a central concern of work cultures now, we need to include cybersecurity as a pillar of our flexible way of building.

Phillip Ross is an accounting and audit partner at Anchin, Block & Anchin LLP and serves as the leader of the firm’s Architecture and Engineering and Construction Industry groups. Russell Safirstein is the partner in charge of Anchin Digital Risk Solutions.