Combined With Increased Vulnerabilities Is The Fact That Cybercriminals Understand That Construction Is A High-Cash-Flow Business.
By Erik Dullea
Road and highway budgets for state Departments of Transportation (state DOTs) have been squeezed this year due to the COVID-19 pandemic and economic contraction. Notwithstanding those challenges, state DOTs and their road and highway contractors, who employ essential workers, have continued to build and repair roads, and in some cases, expedite the projects to take advantage of reduced vehicle traffic. However, these businesses face challenges not just from the physical world but also the cyber world.
Road and highway contractors, like most other businesses, rely on technology to succeed. This increased reliance is evident in contractors’ routine use of computers, smartphones and “smart” construction equipment. However, this increase in network connectivity also increases their exposure to cyberattacks. That exposure is compounded by the fact that COVID-19 forced the entire private sector to adopt Work From Home protocols to varying degrees, which expands the attack surface for cyberattacks against contractors.
Not an Uncommon Occurrence
Not only are cybercriminals aware of these increased vulnerabilities, cybercriminals understand that construction is a high-cash-flow business. For example, in April 2019, near the end of a $5.5-million construction project, an Ohio contractor informed its customer that the final $1.7 million payment had not been made. An investigation into the missing payment revealed that the customer’s email system had been breached and the intruder had changed the routing numbers for the payment.
This type of crime is not uncommon. Two Florida cities were victims of large cyber thefts in 2019, when criminals used information from a legitimate invoice to convince one city to redirect a $742,000 payment to a fake bank account. A similar phishing scam using construction invoices led another Florida city to send $700,000 to a fake account. These cybercrimes not only occur between customers and contractors; they also happen between prime contractors, their subcontractors and their suppliers.
To the extent that the aggregates and construction industries have lagged in their cybersecurity measures, cybercriminals will attack easy, lucrative targets before attacking other industry sectors with hardened defenses. The following industry breakdown of cyberattacks supports this premise, with the construction industry sector having the third-highest victimization rate (13.2%), trailing manufacturing (13.9%) and state/local governmental entities (15.4%). Conversely, educational institutions and financial institutions were the least-victimized sectors, at 5% and 4.6%, respectively.
These industry breakdowns are due in part to the fact that cybercriminals recognize that small and mid-sized businesses tend not to invest heavily in cybersecurity. One reason for this lack of investment is that these businesses subscribe to the “it won’t happen to me” mindset. That is a risky and self-destructive mindset when small businesses are the victims of more than 50% of cyberattacks. Compounding this problem is that in many cases cybercriminals will replicate successful attacks against the same victims over and over again, including corrupting and deleting a portion of the company’s records to pressure the victim into paying the ransom demands.
Even though small businesses suffer a large number of cyberattacks, the consequences from these attacks are felt up and down the supply chain. Regardless of the cybercriminal’s ultimate goal, the total cost of a ransomware attack exceeds the payout of a ransom. The financial, operational and reputational harm can be grave for a small business, but large general contractors who rely on small business subcontractors are also taking on those risks, particularly when the general contractors have not properly vetted the subcontractors’ and suppliers’ cybersecurity procedures.
Any breach or technology interruption that disrupts critical workflows and operations can lead to substantial losses for contractors and other project stakeholders, including government customers paying for the highway project. These overlapping concerns and risks have already motivated the federal government to add cybersecurity requirements to its procurement language, and state governments are beginning to follow suit.
Governments Expanding Requirements
The Federal Acquisition Regulation (FAR) contains the rules and contractual provisions for federal procurement activities. Currently, the FAR contains a provision requiring contractors to implement “basic safeguarding requirements and procedures to protect covered contractor information systems.” These safeguarding requirements must be flowed down into subcontracts where the subcontractors may have federal contract information residing in or transiting through their information systems (FAR 52.204-21).
The Department of Defense (DoD), which uses more than 300,000 contractors, considers cybersecurity weaknesses in its supply chain a critical threat. To counter this threat, the DoD has drafted new standards for cybersecurity preparedness and has documented the process for its contractors. While the DoD requirements are unlikely to apply to construction contracts for roads and highways, it is common for the rest of the federal agencies to follow DoD’s lead on contracting initiatives.
Accordingly, once the DoD has ironed out the details of these requirements, it is highly likely that other federal agencies and state governments will implement similar requirements. Because highways and roads are designated as critical infrastructure, the aggregates and paving industries should be prepared for the federal government to prioritize adding cybersecurity requirements similar to DoD’s requirements for critical infrastructure contracts.
California and New York already require businesses to implement reasonable security measures to protect the personal information of their residents. New York requires these security measures to address the administrative, technological and physical challenges in cybersecurity. California’s attorney general considers “reasonable security measures” to be the practices and procedures proposed by the non-profit Center for Internet Security, generally known as the CIS Controls.
While these two laws are geared toward consumer protection, legislatures and courts are expanding the requirements for businesses to implement cybersecurity protections. California’s legislature is now debating a bill that would require California contractors receiving or accessing personal information to carry cyber insurance sufficient to cover all losses resulting from potential unlawful access to or disclosure of personal information. In 2019, the Pennsylvania Supreme Court allowed a group of employees to bring a class action lawsuit against the University of Pittsburgh Medical Center (UPMC) for failing to implement reasonable cybersecurity measures to protect their personal information. Regardless of the final outcome of the California legislation and the UPMC lawsuit, the imposition of cybersecurity measures on state contractors and employers will continue.
Best Practices to Consider
The risks and consequences of cyberattacks are too important for business owners to view as the sole responsibility of a vendor or the company’s “IT guy.” Business owners must treat cybersecurity like other business risks that would have adverse financial, operational and reputational impacts. A comprehensive approach, with input from corporate officers, human resources, legal, marketing, public relations and information technology, is a key component of the administrative, technological and physical pillars of a reasonable cybersecurity program.
On the administrative front, contractors should limit which employees are authorized to access data and systems, and perform due diligence reviews of the contracts with subcontractors and suppliers to mitigate the risk posed by third parties that can access the contractors’ networks. This due diligence should include reviewing the subcontractors’ representations and warranties and ensuring that the terms and conditions of standard contracts include indemnification provisions that are appropriate for the circumstances. Because the risk of a cyberattack cannot be eliminated, contractors can buttress their cyber risk management programs with cyber insurance coverage that is suited to the assessed risks, and review those policies annually.
On the technological front, contractors should take preventive cybersecurity measures, including requirements for regular backups of essential data, complex passwords, segmented networks, two-factor authentication, and systematic installation of software patches and updates.
Fortunately, contractors are already proficient with the requirements to have physical security at a worksite to protect equipment and materials from theft. On the cybersecurity front, these safeguards should focus on protecting laptops and electronic devices from physical theft and limiting access to the computer servers in corporate offices.
Contractors who invest in cybersecurity measures today will not only reduce their risk of operational interruptions from cyberattacks, but will also be better positioned when they are vetted by prime contractors and government agencies during competitive bids for new business.
Erik Dullea is senior counsel at Husch Blackwell. As a member of its Technology, Manufacturing & Transportation team, he focuses on administrative/regulatory law, with an emphasis on heavily regulated industries and government contractors. He can be reached at [email protected].