Cyber attack on a Building site? You're having a giraffe…….Aren't you?
One of the most disconcerting realities is that while the risks to cyber security will undoubtedly increase as we leverage new technology, the fact is, that much of our current generation of technology already represent significant vulnerabilities.
Moreover, these vulnerabilities ought to be reflected in our quantification of total exposure - but they rarely are - for a number of reasons.
If you consider a business that isn't an office, such as a building site, pretty much every machine has a control unit of some kind. A pressure sensor, a flow meter, or a temperature sensor. Most of this field equipment is aggregated and controlled by a supervisory control and data acquisition (SCADA) system. In a building information modelling (BIM) environment, the SCADA system takes its rules and configurations from building information modelling (BIM). All of the data points from the equipment—from the pump running at 3000 rpm to the flow meter when you are pouring the slab - all send their data to a part of a computer system called a static data pool. The SCADA system analyses all these values, so on the day the pump runs at 2500 revs, an alarm goes off before the pump bearing disintegrates.
These static data pools are highly vulnerable to interference and so there is a risk that workers pour the slab light, let the pump explode on-site or the temperature in a mixing tank get too high and so on.
This static data pool also provides a route into the BIM data and system so the core data at Level 1 and 2 projects could be potentially compromised.
As we know, humans are the direst of all the risks emerging from technological advancements increasing cyber-related security breaches and lost work time, not to mention the costs of the infrastructure clean once there is a breach. As web-based and interconnected tools become the new norm in all business operations so will the threat of cyber-attack.
Nearly all of the aforementioned technological advances present increased susceptibility to cyber-related risk. And to make things worse, often the IT risk management assessment is carried out in isolation from the balance of the overall company risk management review which means technology within operations could easily be overlooked.
This risk does not just affect your business financially by a fine or costly repair, the potential consequence of a cyber-attack can harm years of R&D and related investment that could be comprised if someone steals or uses such information that has been leaked.
Moreover, an attack could come from nearly anywhere:
- The very small sub-contractor that can't afford the additional security
- The prime contractor who won't support the specialist sub-contractor by providing hosting of the BIM environment for them
- The 3rd party supplier who doesn't vet their personnel properly
- The CEO who opens the spear phish e-mail
If you would like to review your cyber risk and general exposures which could be insured please get in touch.