Contractors and construction sites are becoming more digitised – leaving them exposed to cyber risks. But why would a hacker target a construction contractor?


Contractors actually make surprisingly good marks. Construction is an extremely capital-intensive sector, with a single site often counting thousands of tradespeople among its daily workforce. Those workers are often employed by dozens of different contractors, all of whom may have access to a single database of information about the project.

Contractors are not known for their advanced cyber security and that can leave dozens of digital backdoors that hackers could use to get their hands on that single repository.

If they choose to encrypt it and the computers it sits on – holding the machines and the files to ransom – the hackers know they have some leverage, as workers will be forced to down tools, costing tens of thousands of pounds an hour.

Spying activities

And there’s another reason to target construction firms. They work on some pretty sensitive projects, like nuclear power stations or military bases.

Swiss Re Corporate Solutions cyber expert Francois Brisson says there have been a number of cyber attacks by malicious states trying to get their hands on another country’s intellectual property.

“It’s spying activities,” Brisson says, explaining that they are motivated by money.

Increased use of Internet of Things-connected devices, like sensors and cameras, on construction sites could leave the sector more vulnerable

North Korea is a prime example. Just last month, a confidential United Nations report revealed that Pyongyang had targeted banks and crypto-currency exchanges to steal £1.6bn to support its weapons programme.

The construction sector could be next. Last year, thousands of confidential documents, including plans for everything from power stations to prisons, were stolen from French firm Ingerop. It is not known who was behind the hack.

To protect every device

Brisson says the increased use of Internet of Things-connected devices, like sensors and cameras, on construction sites could leave the sector more vulnerable to these kinds of attacks. Sites will soon employ thousands of these devices and each one could provide a backdoor into the network.

“Everybody knows that all IoT devices are delivered with a default password to access to it,” warns Brisson. “The management on all this equipment will be highly complex.”

And there is a cost of changing those passwords that must be assessed against the unseen benefit that heightened security brings, Brisson explains.

“If you run very complex password management to all these IoT devices, that will slow down the operations.”

Europe is leading

Despite these vulnerabilities, Brisson says there have been very few examples of cyber losses from construction firms.

And even if there had, they may not have been covered by insurers. Brisson explains that there is a notable difference between the cover available in the US and the policies sold by insurers in Europe.

In America, cyber risk is often excluded, whereas in Europe, where the marketplace is more competitive, companies can get a cyber endorsement.

“A lot of US risks come into the London market to find broader policies,” Brisson says.

And, now, those policies are even starting to cover physical loss from a hack, something that is nearly always excluded.

Brisson says that some policies will replace equipment that cannot be cleaned up or guaranteed to be safe after a cyber attack, although the potential coverage is still limited.

The market for cyber cover in the construction sector is still under construction.