Construction Contractors Used as Unwitting Launching Pads for Cyberattacks on Utilities
The Wall Street Journal recently reported that cyberattacks by foreign governments on the nation’s electric grid are exploiting what it called "the system’s unprotected underbelly": the contractors and subcontractors that work for the utilities. For many of us, this brings back memories of another company's data breach, where attackers used an HVAC contractor as the launching pad for what became one of the largest and most damaging data breaches of its time, costing the company millions of dollars in lost business, reputational harm, remediation, and litigation costs.
According to the Journal’s reporting, a 15-person construction contractor in Salem, Oregon had fallen victim to a cyberattack that the Department of Homeland Security said was most likely carried out by a foreign government. The contractor had been what cyber attackers often refer to as a “soft” or easy target because it had no reason to be on high alert against a cyberattack. As an employee of All-Ways Excavating USA, the contractor who was breached, stated: “They were intercepting my every email. What the hell? I’m nobody.” Tellingly, DHS replied, “It’s not you. It’s who you know.”
The article details a common practice among hackers. They often exploit the cyber vulnerabilities of unsuspecting contractors, many of them from the construction industry, as launching pads for attacks on larger clients, including the utility companies and the government. In this case, the attackers used the construction companies to gain access to utilities’ corporate networks, and then sought to gain access to the utilities’ critical control networks by targeting “jump boxes,” computers that move information between the corporate and critical control networks. According to the article, at least 60 utilities were targeted, about two dozen were breached, and the attackers successfully gained access to the critical control systems at eight or more utilities.
The attack started with hackers planting malware on the sites of online publications frequently read by utility engineers and, posing as job seekers, sending out fake resumes with tainted attachments. Once the hackers had computer network credentials, they slipped through hidden portals used by utility technicians, in some cases getting into computer systems that monitor and control electricity flows. Further underscoring the severity and potential consequences of these attacks: one of the targeted utilities was an energy company that had built a small power plant that allows Fort Drum in western New York to operate even if the civilian power grid collapses. Fort Drum is under consideration to be the site of a $3.6 billion interceptor to defend the East Coast from intercontinental ballistic missiles.
In the US, there are no mandatory cybersecurity regulations applicable to design and construction companies, except for those involved in government contracting. However, the decentralized and interconnected nature of the construction industry, combined with the industry's ready access to clients’ information systems, and a prevalent lack of focus in the industry on technological and cybersecurity issues, makes design firms and construction contractors an attractive target for back door access to their clients’ systems. Hence it is extremely important for architects, engineers and construction contractors, especially those working with government and utility clients, to have a robust cybersecurity risk management program.
The incidents reported in the WSJ article underscore the importance of vendor due diligence regarding cybersecurity practices. This should include identifying vendors that have access to the owner’s systems, categorizing them based on the level of access, and creating specific cybersecurity policies for each category of vendor. Vendor cybersecurity checklists can be an invaluable tool in assessing the cyber hygiene of a prospective contractor or subcontractor. All contracts should be carefully reviewed to include appropriate representations and warranties regarding cybersecurity and data privacy practices, as well as appropriate limitations of liability and hold harmless provisions that allocate risk among the parties in the event of a significant cyber incident. In addition to a review of the cybersecurity practices of individual vendors, the availability of cyber insurance should also be considered as a supplement to the typical insurance obtained for construction projects. This insurance review should include consideration of cyber insurance (which often focuses on the costs of forensic investigation and data breach notifications) as well as the potential need for other lines of insurance to address the property damage, personal injury, environmental damage, and other types of harm that could result if a cyber attacker is successful in gaining control of physical devices or systems, such as industrial control systems. The guidelines in NIST SP 800-171 provide a good starting point, but will need to be customized for each entity. Please contact the authors with any questions or for help with your cybersecurity needs.