Construction businesses are at risk as nation-state attacks are on the rise

According to Microsoft, nation-state attacks are malicious cyberattacks that originate from a particular country and are an attempt to further that country’s interests.

We have seen Russians do it with Ukraine, hitting their national grid during times of political unrest as well as during elections and I can confidently say that these types of attacks are only set to rise.

Many organisations never even consider nation-state attacks while undergoing their risk assessments, especially construction businesses, believing only the largest of companies will be targeted. But this is far from the case.

What does this mean for the construction industry?  

According to Statista, in 2022, the gross value added (GVA) of the construction industry in the UK amounted to almost 128.9 billion British pounds.

Its huge contribution to the UK economy is further reflected in the market’s employment figures, with construction responsible for one in every 20 jobs as of last month according to Reuters.

On a smaller scale, businesses are in more and more danger of being cyber-attacked by a bad actor, nation-state or otherwise and everyone is a target.

The rise of technology in construction comes with many risks, most crucially, cyber risks and an increased critical vulnerability of data security.

The construction industry has become prone to attacks thanks to the wealth of confidential data and information held, as well as cybercriminals being aware of the industry’s perhaps under-protected stance on cyber security in the past. Primarily before the implementation of tech.

However, recent years have proven that the industry is being more and more targeted by data security incidents.

What can the construction industry do?  

To help defend, go on the offensive. Simulate what these nation-states are doing against your own construction business and shine a light on your own cyber blind spots.

We will see a heightening of nation-state interest in cyber attacking as there is a broad range of how these attacks can be deployed.

Ben Wallace (UK Secretary of State for Defence) and Joe Biden have both been talking recently about their need for offensive security practices – running your annual pen test is no longer enough.

For businesses, and especially those providing or supplying organisations with critical national infrastructure, the mentality can no longer be about merely testing but attacking. The traditional pen test is a point in time, typically once a year, narrowly scoped engagement running checks for ‘known’ vulnerabilities using common scanning tools and techniques. You need someone who will emulate and simulate the real threats.

This is a bit of a provocative statement but nobody else is doing this right. Businesses are generally looking at how they think they could be breached and taking a parameterised approach as to how breaches are done in their minds.

How do these breaches occur?  

Typically, it is assumed that breaches will occur via a digital route, say for example your main website.

This leads to a point in time, and narrowly scoped offensive security engagements. Such an approach leaves blind spots and the moment the report touches your desk, it’s out of date. The real actors are constantly looking for ways to compromise your business. They target the whole brand using digital, social and physical routes via multiple attack paths to find a way to achieve a breach.

A typical, naive, response and approach of many business leaders is ‘why would they attack us or why would we be classed as important? We are a construction business – who would come and attack us?’

Imagine if you were breached, your data was stolen, and your business could no longer operate without paying a ransom to the attacker. How would you feel? How would you function? How would your brand suffer being headline news?

There is a lag in mentality in organisations that are doing things the old and outdated pen test way, setting rules of engagement with their cyber security teams and expecting it to provide a realistic view of how attacks really happened.

The data tells us that this is a threat that everybody needs to take seriously, with recent data showing that more than 80 percent of UK businesses suffered at least one cyber-attack in 2021/22. That accounts for nearly 4,000,000 registered companies.

What are the predictions for the future?  

What I believe we will see in the coming years is an acceleration in bad actors, including nation-states, targeting organisations that provide software or services that would give the adversary or nation an advantage if that organisation was taken out.

Hence why this is a threat the construction industry needs to sit up and take notice of. There’s a sense of embarrassment in businesses that have previously been cyber-attacked. Headlines are filled with something else rather than the story of what is happening.

The key issue is that so many businesses take the stance that it won’t happen to them, especially within industries such as construction. However, the reality is that they are already being targeted or have already been breached and just don’t know it yet.

That’s the real risk. And sometimes the result of that isn’t felt for quite some time. When you get in on a Monday, you know if your fire alarm is working because you will do a test.

Ask yourself, is your current approach to offensive security allowing you to sleep at night? Or are you worried that you will be breached tomorrow?

For a list of the sources used in this article, please contact the editor.

 Luke Potter is Chief Operating Officer at CovertSwarm, a leading global ethical hacking and cyber security provider. CovertSwarm runs constant cyber-attacks for its clients, using every possible weapon in the hacker’s arsenal, taking a step further than penetration testing to more closely simulate real-world threats. The organisation constantly attacks its customers, and when vulnerabilities are found, raises the alarm before a real attack can take place.