Sustainable Construction & Its Underlying OpSec
Why the Construction Industry Needs to Protect its “Green” Assets from Online Attacks
Threats to cybersecurity have grown exponentially in recent years as more of our technologies and vital infrastructure have become connected to the internet. We know that construction is uniquely vulnerable to cyber attacks, and that everything from “smart cities” to the ever-expanding Internet of Things (IoT) is rife with opportunities for hackers to exploit.
There is, however, a less obvious weak point that industry leaders would be wise to focus their attention on: Many of our green solutions and sustainable technologies in the digital age are also connected to the internet, opening up whole new attack surfaces that all too often go woefully undefended. Indeed, a recent survey by Deloitte shows that more than half of energy, resources, and industrial companies don’t factor cybersecurity into the design and execution of green technologies.
“If these technologies are not secure by design,” the survey authors write, “the efficiency of any later security measures cannot be guaranteed, rendering the technology detrimental to both security and climate transformation.”
In this article, we will explain why construction needs to prioritize cybersecurity when adopting sustainable solutions, lay out the overall state of cybersecurity in the industry, and discuss several areas that are vulnerable to attack. Finally, we will provide some pointers on how to bolster the cybersecurity of your sustainable technologies and green assets.
Why Is Cybersecurity Important in Sustainable Construction?
Of all the revolutions that construction is experiencing right now, the shift to sustainability is by far the most important.
Climate change is worsening. Some of the harmful impacts that only a few years ago were believed to be decades into the future–extreme weather events and mass ecosystem collapses–are happening right now, and can no longer be reversed. The new reality we face is dire, but the latest IPCC report makes it clear that we still have time to prevent some of the most catastrophic outcomes while also preparing for the effects that are here to stay.
As one of the largest contributors to climate change, construction has a leading role to play in this global struggle. The future of human life on Earth depends a great deal on the green technologies and sustainability practices that are only now beginning to gain meaningful traction in the construction industry.
While a growing number of construction firms are embracing more eco-friendly construction approaches, our future remains on shaky ground. Achieving a more harmonious balance with nature will require an enormous amount of cooperation, investment, and public trust, all of which can be swiftly undermined by even a single well-placed cyber attack.
Given the stakes of the climate crisis, it’s imperative that industry leaders act now to secure the green assets that much of humanity’s future survival will ultimately depend on.
The State of Cybersecurity in Construction
The construction industry already has a serious cybersecurity problem. According to NordLocker, construction businesses were the number one target of ransomware attacks in 2021. These types of attacks can cause irreparable damage to a company and cost millions of dollars to recover from.
Part of what makes construction so vulnerable is that the industry has begun to embrace a wide range of digital technologies. Everything from project design to inventory management happens on the cloud these days, yet cybersecurity has remained an afterthought, with many companies slow to integrate IT professionals and construction technologists into their teams.
To be fair, cyber threats are on the rise everywhere. According to the 2022 Cyberthreat Report by cybersecurity firm SonicWall, there were 623.3 million ransomware attacks across the globe in 2021, a 105% increase from the previous year. And that’s just ransomware. It’s a bitter twist of irony that even software updates–a routine and essential form of cybersecurity hygiene–have been weaponized in recent years as potent vectors for malware infections.
Cyber Threats to Green Technologies
The consequences to a construction company and its clients can be devastating if cybersecurity is not taken seriously. A recent paper by the Royal United Services Institute highlighted several major vulnerabilities–ranging from the vast scale of entire energy systems to the intimate confines of the home–that construction and other industry players should be aware of when implementing sustainable technologies.
Let’s dive in.
- Weak legacy technology
- Supply chain attacks
- Lithium-ion batteries
- EV chargers
- Internet of Things
The mass transition to renewable energy sources like solar, wind, and geothermal heat is a critically important part of the global response to climate change. Though greenwashing remains pervasive, some nations and green cities like Copenhagen, Denmark have taken concrete steps toward dramatically reducing or eliminating carbon emissions entirely. This slow but rising sea change is being driven by forward-looking climate policies like President Joe Biden’s recent invocation of the Defense Production Act and the fact that as of 2020, most renewable energy is now cheaper than fossil fuels.
While there has been some progress, it’s going to take more than a handful of residential solar panels to complete the global transition to renewable energy. What we need is to replace fossil fuels with massive grids of solar and wind power; and to perform effectively, these renewable power grids require the creation and upkeep of new forms of physical and digital infrastructure.
On the digital side of things, utility grids often run on something called SCADA, or a supervisory control and data acquisition system. SCADA systems are the central command posts from which the distributed networks of large-scale utility operations like energy grids and wastewater treatment plants are monitored and controlled. The RUSI paper flags SCADA systems as a ripe target for cyber attacks, as they are connected to many other devices and programs that offer a dense Swiss cheese of backdoors for hackers to exploit.
If SCADA systems are compromised, cyber criminals could shut down entire energy grids, throwing cities and regions into darkness with the flick of a switch. This isn’t just a hypothetical. Numerous existing SCADA systems have already been hacked to devastating effect. In 2010, the Stuxnet virus caused enormous damage to the centrifuges of an Iranian nuclear power plant. Another alarming attack occurred in 2021, when a hacker breached the SCADA system of a water treatment plant in Oldsmar, Florida and attempted to poison the community’s water supply. These are just two high-profile examples among many.
Wi-Fi connection points and VPNs are the most likely places that a breach can occur in a SCADA system, the RUSI paper states. Another growing concern is the introduction of automation into SCADA systems, with artificial intelligence programs bringing their own range of potential backdoors for hackers to walk through.
Weak legacy technology
The old age of technological systems is another major weakness that cyber attackers can take advantage of. The RUSI paper’s authors were focused on the United Kingdom, but their observations regarding the outdatedness of national energy grids are just as valid here in the United States. Renewable energy may still be new, but much of the physical and digital infrastructure via which it’s distributed is old, and wasn’t designed with cybersecurity in mind. Since much of this technology still functions, however, there is little incentive for grid operators to update to more secure systems, as doing so would entail enormous up-front costs.
Supply chain attacks
To invoke a trope of horror cinema, the call isn’t always coming from inside the house. Organizations and industries don’t exist within vacuums. Everything is connected in the global economy, and construction in particular is an industry that’s heavily reliant on globe-spanning supply chains. As such, industry leaders need to be mindful not only of their own cybersecurity, but that of the many partners, vendors, contractors, and subcontractors that they do business with every day.
By necessity, the digital databanks of all these disparate organizations are often inextricably intertwined. A breach anywhere within this chain of relationships can expose sensitive client, financial, and project information to the unscrupulous eyes of hackers with bad intentions. The SolarWinds hack is a recent example of how the hacking of a widely used piece of software at its source can infect anyone who uses it down the line. Mapping out the possible vulnerabilities of a supply chain is a Herculean task, given the vast array of companies, nations, and other entry points involved. The problem is exacerbated by the lack of transparency and communication between organizations about the state of their idiosyncratic cybersecurity protocols.
Lithium-ion batteries
One of the biggest challenges of renewable energy is power storage. The sun doesn’t always shine and the wind doesn’t always blow. As such, we’ve had to find novel ways to capture and store surplus renewable energy for a rainy day. One of the most effective solutions we’ve developed so far is the lithium-ion battery. The problem is that they’re uniquely vulnerable to cyber attacks.
Lithium-ion batteries use battery management systems (BMS), which monitor the unit’s charge, overall health, and connection to external circuits. These multi-layered systems are often connected to the internet. The RUSI paper warns that weaknesses in encryption, authorization, and Wi-Fi remote access are all potential entry points for hackers, opening up everything from large-scale infrastructure to home appliances to cyber attack.
EV chargers
The power stations that recharge electric vehicles (EVs) are another possible entry point for cyber criminals. Global sales of electric vehicles have been on the rise in recent years, a trend that’s getting a boost from the skyrocketing price of gas. Construction equipment is also beginning to take the electric leap, as EVs are quieter and more energy efficient than gas-powered machines.
There’s just one major drawback. You guessed it: EV chargers are vulnerable to cyber attacks. Researchers at the University of Oxford recently identified a method of attack called Brokenwire that can prevent electric power stations from recharging vehicles. Cybersecurity firm Pen Test Partners has identified multiple system vulnerabilities that could lead to the infection of millions of EV chargers. Imagine an entire fleet of electric construction vehicles suddenly grinding to a halt, causing massive project delays and costing potentially millions of dollars in damage. Once infected, the RUSI paper states, EVs could also serve as entry points to other parts of a company’s network.
The Internet of Things
An ever-expanding list of everyday objects and workplace devices is connected to each other online these days. The interconnectivity of the Internet of Things (IoT) brings with it a host of advantages, enabling consumers and professionals alike to remotely control everything from smart thermostats to smart tools. Milwaukee® Tool’s ONE-KEY™ platform is a prime example of how the IoT can be effectively harnessed to track, organize, and calibrate entire inventories of power tools and equipment.
The downside, of course (*when not properly configured/secured*), is that the interconnectivity and constant data-sharing between IoT devices and hubs opens up a rich field of backdoors for cyber criminals to break in through. The potential for attacks is limitless. Indeed, there have already been some eye-opening examples of IoT attacks. In 2016, the Mirai botnet infected thousands of IoT devices and shut down a large swath of the internet, including Twitter, Netflix, and CNN. In 2017, a series of cardiac devices at St. Jude Medical were revealed to be vulnerable to attacks that would allow hackers to remotely deplete the battery or administer shocks.
From a sustainability perspective, smart thermostats (which are great energy-saving measures) can also be easily breached, as a couple in Wisconsin recently learned when a hacker reportedly gained access to their Google Nest. Over a 24-hour period, the attacker raised their home’s temperature and taunted them through the system’s camera.
Build Up Your Cyber Defenses
Now that you have an idea of what kind of cyber threats are out there, you’re probably wondering how to protect your fleet of EVs and other green assets from attack.
How to Protect Your Sustainable Tech and Other Green Assets from Attack:
- Practice cyber hygiene
- Hire a construction technologist
- Create a cyber attack response plan
- Back up your data and systems
- Train your workers
Practice good hygiene
A lot of cyber attacks can be prevented by practicing good computer hygiene. Make sure you’re using passwords that are more alphanumerically complex than 1-2-3-4. Change your passwords regularly and use two-factor authentication. Use a secure VPN, make sure your operating system is up to date, and make sure that you have good security software installed. These steps are simple and likely nothing you haven’t heard before, but they are a good starting point for introducing more cybersecurity into your organization.
Hire a construction technologist
Don’t know how to protect your digital infrastructure? One of the quickest and most effective solutions is to hire someone who does. Construction technologists are the IT experts you need to ensure that all the computer systems and digital tech within your company run smoothly and, above all else, securely. Construction technologists are responsible for implementing cybersecurity protocols, providing training to personnel, and creating robust cyber attack response plans.
Create a cyber attack response plan
Speaking of cyber attack response plans–make one! Cyber attacks can’t always be prevented, but you can salvage assets and prevent a bad situation from getting a lot worse if you’ve mapped out what steps to take in the event of a breach.
Train your workers
Technology is only as secure as the people using it. Make sure everyone who has access to your digital infrastructure is trained on cybersecurity protocols.
Back up your data and systems
A great way to soften the impact of cyber attacks is to have backup systems ready to go at a moment’s notice. Talk to your construction technologist about creating an automatic backup system that creates duplicates of all your data and stores the copies in a separate, secure, offline, and encrypted location that only a select few individuals within your organization have access to.
Climate change is a very real and growing threat to the future of humanity. If we are to secure a more sustainable future on this planet, then the construction industry in particular must undergo a revolution the likes of which hasn’t been seen since the dawn of the industrial age. The transformation has already begun. New jobs like solar photovoltaic installers and wind turbine technicians are leading the way, while green HVAC and plumbing systems are making our buildings and cities more energy efficient. All of our past and future gains can go up in smoke, however, if the digital systems that undergird them are left unprotected. Industry leaders should therefore act today to ensure the cybersecurity of the green assets that are being used to build the world of tomorrow.