NCSC Guidance: Cyber Security for Construction Businesses
With the construction industry increasingly embracing new technologies and adopting digital ways of working, the National Cyber Security Centre (“NCSC”), in conjunction with the Chartered Institute of Building (“CIOB”), has issued guidance specifically for construction businesses. Stressing that understanding cyber security is an essential requirement within the construction industry, the NCSC’s guidance is aimed at small to medium businesses working in the construction sector and also applies to the wider supply chain. The guidance is available here.
Why does cyber security matter?
Construction businesses may be seen as an ‘easy target’ for cyber attacks due to their high cash flows and their extensive use of contractors. Construction businesses also store a large amount of valuable data, and cyber criminals could be looking for details about a business’s next bid, sensitive employee data such as national insurance numbers and bank details, or material with which to create realistic-looking emails to launch a phishing attack.
Cyber attacks can have severe consequences, both financial and reputational. A determined cyber attacker may be able to breach an organisation’s system and intercept funds, or steal or encrypt data as part of a ransomware attack and demand payment before the data is returned. (If you want to read more about ransomware attacks, you can do so here.) Even if there is no direct monetary loss, an attack could cause a temporary shutdown of an organisation whilst the breach is being investigated. A temporary shutdown could result in project delays as well as unhappy customers and contractors.
Design stage, construction stage, handover stage
The NCSC guidance notes that the various stages of the construction process often involve extensive digital workflows, so all of them carry cyber security risk. The guidance considers the following three key stages of the construction process: the design stage, the construction stage and the handover stage.
The preliminary stages of the construction process should also not be overlooked. At the tender process stage, detailed quotes and signed contracts will be circulated. An attack at this stage could prevent an organisation from being able to win a tender, and impact future opportunities.
Design stage
A great deal of the design stage is conducted digitally, and often with a wide range of software. It is of the utmost importance that all software is kept up to date. Applying updates, as and when required, is one of the most important actions to improve cyber security.
Any relevant risk assessments should include cyber security risks alongside the typical health and safety risks. Conducting a cyber security risk assessment at the start of a project will allow an organisation to consider what cyber threats they may face and enact precautionary measures.
During the design stage, organisations should implement a ‘need to know’ process, and only grant access to those individuals who are required for certain tasks. Individuals should have their access removed if they leave the business and other organisations should also have their access removed once a project is completed, if appropriate.
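As an added illustration of the two access-removal rules just described (not part of the NCSC guidance or this article), the following script reconciles a project access register against a list of leavers and project completion dates and reports which grants should be revoked. All names, organisations, projects and dates are constructed sample data; the home organisation name is an assumption.

```python
from dataclasses import dataclass
from datetime import date

# Assumed name of the business running the review (constructed).
HOME_ORG = "ExampleBuild Ltd"


@dataclass(frozen=True)
class AccessGrant:
    user: str          # account or person holding access
    organisation: str  # employer of that person
    project: str       # project the access relates to


# Constructed access register, e.g. exported from a document-sharing platform.
SAMPLE_GRANTS = [
    AccessGrant("a.jones", HOME_ORG, "site-a"),
    AccessGrant("j.smith", HOME_ORG, "site-b"),       # has since left
    AccessGrant("m.khan", "Acme Consulting Ltd", "site-a"),   # project closed
    AccessGrant("p.obi", "Acme Consulting Ltd", "site-b"),    # project still open
]

# Constructed HR leavers list and project register (None = project not yet complete).
LEAVERS = {"j.smith"}
PROJECT_END = {"site-a": date(2023, 6, 30), "site-b": None}


def stale_grants(grants, leavers, project_end, today):
    """Return (grant, reason) pairs for access that should be revoked.

    Rule 1: employees on the leavers list lose access immediately.
    Rule 2: accounts from other organisations lose access once the
            project they were granted access for has completed.
    A grant on an unknown project is reported for manual review rather
    than silently kept.
    """
    stale = []
    for g in grants:
        if g.organisation == HOME_ORG:
            if g.user in leavers:
                stale.append((g, "employee has left the business"))
            continue
        if g.project not in project_end:
            stale.append((g, "project not in register; review manually"))
        elif project_end[g.project] is not None and project_end[g.project] < today:
            stale.append((g, "project completed; external access no longer needed"))
    return stale


if __name__ == "__main__":
    for grant, reason in stale_grants(SAMPLE_GRANTS, LEAVERS, PROJECT_END, date.today()):
        print(f"REVOKE {grant.user} ({grant.organisation}) on {grant.project}: {reason}")
```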
Construction stage
The construction stage usually involves more materials, a larger workforce and increased interaction with third parties. As the complexity increases, and the focus is on deliverables and deadlines, cyber security considerations should remain foremost in the mind.
It is important to consider how IT equipment used on a construction site differs from equipment used in the office. Consider how secure any relevant premises are at night, as IT stored in vehicles or a site office could be more vulnerable to opportunistic criminals. The network being used should also be considered: it is important to avoid public networks where possible and to ensure that appropriate anti-virus software is in place to protect data. The NCSC guidance goes into detail about cyber security from an IT perspective, and this can be found in section 2 of the guidance.
Personal data stored on site should also be considered. Personal data could include details of individuals and their emergency contacts, biometric data, and health and safety incident reports. It is crucial that personal data is stored in a way that is compliant with data protection legislation, something which will assist with implementing cyber security safeguards.
As well as data protection legislation, organisations must also comply with applicable regulatory requirements and consider cyber security aspects for use of the following: building management systems (BMS); building automation and control systems (BACS); building energy management systems (BEMS) and industrial automation and control systems (IACS).
Handover stage
Once a project has been completed, it is important that the installed building management systems, such as BMS, BACS, BEMS and IACS, are handed over to the client so that they can continue to be used to secure the building and any digital systems it may contain.
The relevant systems will vary depending on the project, but could include a combination of the following:
- lighting automation and control
- heating, ventilation, and air conditioning (HVAC)
- fire, smoke detection and alarms
- motion detectors, CCTV, security, and access control
- lifts and escalators
- industrial processes or equipment
- shading devices
- energy management and metering
The NCSC guidance notes that it is of the utmost importance that all of the above are fully documented, and that all of the details are included in the handover. The information should include what steps have been taken to secure the systems and any documentation required to maintain their security throughout their lifetime.
What can your business do to be more resilient against cyber attacks?
It is more important than ever to understand how digital systems affect a business and to minimise the risks they present. We have compiled some quick tips to help remain resilient against cyber attacks.
- Look after critical documents and data. Organisations should have a system in place to manage the flow of data, tracking what has been shared, when it has been shared, and with whom.
- Ensure that staff are trained on cyber security and understand its importance. The NCSC has developed an e-learning package which can be completed online.
- Keep IT equipment up to date and use anti-virus software.
- Ensure employees keep phones, laptops, and tablets safe when using them on the move and on site. Devices should be password protected, locked when not in use, and care should be taken when connecting to public Wi-Fi networks.
- Use passwords to protect critical data and ensure only relevant people have access.
- Train staff on how to spot a ‘phishing’ attempt. ‘Phishing’ might take the form of a fraudulent text, email or call whereby a cyber attacker tries to access a system through a link or an attachment which contains malware. Such messages can be hugely detrimental to an organisation and can be sent at random.
- Understand your supply chain and consider the implications if one of your suppliers falls victim to a cyber attack.
- Have a system in place if a cyber attack occurs.
If an organisation is subject to a cyber attack and personal data has been compromised, there may be a requirement to notify the Information Commissioner's Office and affected individuals. If an attack occurs, it is important to understand how the system was breached and to learn from any weaknesses identified.
If you require advice in relation to cyber security attacks or data protection compliance generally, please contact a member of our specialist Data Protection & Cyber Security team.
This article was co-written by Maya Allen, Trainee Solicitor.