What is the cybersecurity impact on construction, engineering projects?

Cybersecurity insights

• If a cyberattack occurs at a water treatment plant or electric utility, it affects more than just that agency. Buildings and individuals are directly impacted.
• Network security within the building’s systems — such as a building automation system — are required to ensure full functionality.

Imagine a hospital or a military base that have achieved a high level of cybersecurity maturity. Both facilities will have outside dependencies including people, power, water, manufacturing and supply chains, which will not have the same level of cybersecurity maturity. What is the potential impact to their operation, if the nonregulated water or wastewater plant were to become inoperable due to a cyber event? Reverse the dependency, what if we have a health care system that cannot treat patients critical to the operations of a water or power plant?

Even though industries are dependent on each other, the regulations, standards, laws and requirements for securing operational technology (OT) systems used vary greatly. Depending on the industry, these can range from voluntary cyber risk recognition and mitigation, to regulated or expected risk management.

A cybersecurity incident within any of the 16 U.S. government-defined critical infrastructure sectors can disrupt modern society in an instant. The potential of societal impact was recently illustrated in the Colonial Pipeline incident. Colonial Pipeline was the victim of a ransomware attach that resulted in the shutdown of pipeline movements affecting the Southeastern United States. News of the shutdown resulted in public panic and a run on gasoline, which led to gas shortages and increased fuel costs.

Essential functions and mission critical facilities including federal facilities, military bases, hospitals, utilities and power generation have deep interdependencies on each other, as well as the OT systems that are essential for operations. OT systems are no longer used as a convenience or efficiency tool for manufacturing. Instead, these are now required to serve the increased production needs for large populations and rely on complex processes that cannot be controlled by humans; and as an enabler to achieve sustainability and resilience initiatives.

For example, a modern building will have OT systems, such as automation systems for heating, ventilation and air conditioning, electrical systems and fire alarm systems. These three system groups include multiple subsystems and sensors connected to operate the building. Each system and sensor represent a potential attack point to an adversary if not secured.

In complex buildings, the number of systems can increase substantially, especially with the increased demand to meet net zero targets to help reduce energy consumption. It is not uncommon for a modern building to have more than 50 systems with thousands of network-connected devices. Many net zero carbon buildings or highly rated U.S. Green Building Council LEED buildings leverage OT technologies such as solar arrays, lighting controls, occupancy sensors, automatic shade controls, smart windows, rainwater harvesting and more to achieve energy reduction goals.

In the not-so-distant past, many of these systems were natively manufactured without intelligent components as an option. Today, components are manufactured with onboard intelligence included and, in many cases, nonintelligent components are no longer an option.

A lack of cybersecurity is a risk to building systems. However, cybersecurity requirements are often not included in every design due to cost or lack of cyber risk awareness.

Some states and regulatory agencies have begun to increase risk awareness and requirements such as:

• March 2023, the Biden-Harris Administration published the National Cybersecurity Strategy and within days the U.S. Environmental Protection Agency and Transportation Security Agency issued updated sector specific cybersecurity requirements.

• In 2022, the states of New Jersey, New York, Maryland, Tennessee and Florida issued legislation applying cybersecurity requirements for utility owners.

• In 2017, the U.S. Department of Defense has required the use of Unified Facilities Criteria (UFC) 4-010-06 for all design and construction projects.

However, many industries have limited budgets or thin profit margins and cybersecurity mitigations often have cost implications in design, construction, system operations and maintenance.

The concept of risk management is not new to design and construction projects. Engineers design to standards and codes that have been adopted to lower risk from incidents such as fire, flooding and wind. Now, industries need to transition traditional planning to include cybersecurity as a risk that should be addressed.

As this industry begins trending toward increased comprehensive cyber risk recognition, the application of cybersecurity requirements within the design of the built environment needs to be included in project plans early in the process. By incorporating proactive solutions for system owners that include cybersecurity considerations into the design from the beginning, engineers and designers can control design, construction and maintenance costs.

Figure 1: Cyber-ready key concepts generally recognized as best practices across multiple industry standards. Courtesy: HDR

Cybersecurity from project inception

As a starting point, consultants can bring the topic of cybersecurity to the forefront by introducing the concept of “cyber-ready” into a standard master specifications package. Where clients may not specifically require cybersecurity requirements, these master specifications will focus on a few key concepts that are generally recognized as best practices across multiple industry standards (ISA-62443, NIST-800 SP 53, NIST 800 SP82, ISO-27001).

Examples include:

• Requiring the contractor to share a spreadsheet-based asset inventory of devices and software allows clients and response teams visibility of what devices belong on networks.

• Default usernames and passwords can easily be leveraged by a low-skilled adversary to impact devices. Requiring the contractor to coordinate with the client to change default usernames and passwords to unique usernames and password per device on all programmable devices and software can help combat this risk. Additionally, the contractor should provide a secured password inventory at project close-out.

• Known vulnerabilities in devices and software are both published and shared by adversary communities. Many devices procured by contractors are received from inventories or sit idle before use, where the firmware in the device is not up-to-date, which could lead to the new system being insecure. Incorporating a requirement for patching to the latest firmware and software at time of commissioning will lower the risk of a new build including known vulnerabilities.

• All systems that support access control such as PIN or password should have it enabled to restrict access to specific system functions based on the person’s role. Actions and capabilities within the system should be limited to only those that are necessary for the particular person based on their role.

It is impossible to design an unhackable system, however, applying mitigations can lower risk to be within tolerance. Therefore, a requirement of a documented transfer of all software and configuration backups for every programmable device, which can be used by clients to recover from an incident, should be implemented.

These basic hygiene requirements fall primarily within the NIST Cybersecurity Framework’s (CSF) “identify and protect” stages and provide for a moment in time (at system turnover) backups for potential recovery actions.

Unfortunately, applying design requirements to detect, respond and recover tools beyond a moment in time backup require a more comprehensive engagement with clients to develop solutions, which are cost effective and maintainable. For sectors with a lower risk tolerance, the use of the NIST risk management framework to evaluate and incorporate appropriate security controls is recommended. This allows for alignment with the sector’s risk tolerance for each of the OT systems in the project. The accepted security controls can then be incorporated within the drawings and specifications. Afterall, cyber ready is just a starting point.

Cybersecurity mitigations implemented during the design and construction process can be more effective than bolt-on solutions after hand-over. These may impact cost and schedule. Applying cybersecurity after a system’s functional startup may impact functionality and require retesting of system function.

System and component suppliers must recognize and plan for the design requirements, which may include:

• Client coordination.

• Client cyber training on systems or components.

• Increased performance requirements for components (managed network switches, firewalls, encryption).

• Specific configuration requirements (device hardening, network segmentation, least privilege).

• Additional testing and validation efforts related to security of the system in addition to functionality.

• Increased documentation requirements.

• Client provided or configured equipment.

Cyber-ready systems as described above normally do not require contractors or vendors to employ cybersecurity experts for implementation. More complex designs meant to lower risk will require increasing the technical acumen to configure devices and networks for security, in addition to system functionality. Highly secured systems may require contractors to include dedicated cybersecurity staff to work with vendors to implement or verify the system.

Everyone in the planning, design and construction life cycle has a role to play in cybersecurity. Cyber adversaries will continue to implement new tactics and techniques, cyber mitigation requirements will adjust to the changing threat and the design and construction industry will adapt to a new playing field where cybersecurity is an integral part of project risk management and a construction implementation requirement.

Do you have experience and expertise with the topics mentioned in this content? You should consider contributing to our CFE Media editorial team and getting the recognition you and your company deserve. Click here to start this process.