Implications of IoT Security in Construction Applications
Farai Mazhandu
The security of IoT implementations continues to be the leading impediment to deploying IoT initiatives in the construction industry. In addition to a reliance on mobile devices such as smartphones and laptops, the construction industry is increasingly adopting new technologies like IoT to improve productivity, efficiency and safety. IoT sensors are useful because they provide real-time monitoring and data collection, while virtual reality can create simulations of building designs. Additionally, IoT sensors can be used to access data, identify the causes of malfunction in physical infrastructure, and support building information modeling (BIM), digital twins and geographic information systems (GIS).
Integrated project delivery through IoT technologies opens a world of safety, training and efficiency opportunities, but also increases vulnerability to attacks from malicious actors. The characteristics of the construction industry make it a challenging environment in which to implement ubiquitous technologies like IoT. First, the construction industry’s workforce is fluid; many construction industry employees work in the field, using laptops, smartphones, and tablets, rather than in traditional office environments. Second, reliance on subcontractors can present unique challenges, including training. Finally, the completion of any project typically involves dozens of companies and the sharing of vast quantities of confidential data including bids, blueprints, employee records and financial information.
Forward-looking construction companies now rely heavily on cloud infrastructure to manage project blueprints and sensitive customer data needed for multi-million-dollar projects across wide geographical areas. As the adoption of IoT technology continues to grow rapidly, security teams have to consider new approaches to detect stealthy insiders and respond to sophisticated threats across a dispersed digital infrastructure. In addition to the worksite challenges faced by construction companies, additional hurdles include the lack of adequately skilled staff, inadequate budgets and change management issues. In particular, top management in the sector underestimates the threats and risks that arise because of IoT deployments. They lack guidance on particulars and scope to enable them to assess threats and manage risk.
The construction sector is impacted by cyber risks that arise from enterprise-system technology and project-specific technology. Enterprise-related risks (IT or OT security) are well understood and include the loss of client data or confidential project information, intellectual property and sensitive commercial material, employee data, subcontractor and supply chain management data and/or financials, as well as outage or disruption related to critical software, applications, data or networks. IoT security falls under project-specific technology. Project-specific technologies could relate to asset management and control systems, site access, concrete maturity monitoring, structural health monitoring systems or other operating systems.
IoT security is the protection of the confidentiality, integrity and availability of an IoT solution or device. IoT security is a journey which starts by making sure the organization has enough knowledge about what devices/solutions to buy, how to perform secure integrations, how to ensure that the solution or device operates smoothly and efficiently at scale and how to enable safe and secure communications. It's about making sure the IoT device/solution operates as expected, communicates securely and has enough resilience to absorb attacks. Beyond that, good IoT security practices ensure that no rogue devices connect to the IoT infrastructure and prevent the user of a solution/device from doing anything unintended by the designers of the device or owners of the data, whether by accident or malice. IoT security is about making everything work as expected and keeping unauthorized users, and authorized users who could be a threat, from doing anything that compromises the IoT system.
IoT is the best space to launch an attack. The systems are usually less mature in terms of security than server and PC systems. The remoteness of some of the devices allows attackers to be physically present and manipulate hardware at their leisure, which would not happen in a secure office setting.
The best approach to IoT security is built around the "before/during/after" approach. Before: prevent system compromise and unauthorized access. During: monitor and detect a breach as quickly as possible. After: quickly assess and minimize damage. IoT security focuses on the following broad areas: device security (the physical destruction or attack on terminal devices such as sensors and RFID tags), data security (data loss or tampering), access management (privacy and confidentiality) and active security (maintenance of control).
Every organization that deploys IoT solutions must have a plan to ensure trust, identity, privacy, protection, safety and security of devices and people. It's important to recognize that an IoT device or solution is likely to be attacked or compromised at some point in its lifecycle. Leading organizations treat security as a manageable risk to be considered and countered along with all other risks they manage.
The first step in managing cyber risk is to identify sources of potential risk. Construction companies should conduct audits that gauge employee access to and use of critical and sensitive data, including personally identifiable information and proprietary corporate assets. This audit should determine who has access to such information and critical systems and take stock of existing capabilities for monitoring inappropriate system access and potential security events.
Once completed, businesses should develop formal, written policies regarding the use of corporate networks, and ensure that access to sensitive data is restricted only to parties that require it. While IoT security practices are still evolving, a set of best practices is emerging:
Make IoT security inherent in the IoT process from the start. Use hardware that incorporates security features beyond encryption or physically secure critical technologies. Laptops, smartphones, tablets and portable media devices — along with emerging technologies that are often present on construction sites, such as wearable devices — can present significant data security threats if lost, stolen or hacked.
Make security a priority for everybody involved with the organization. Educate, share and discuss IoT security best practices. Stay abreast of developments in IoT security and regularly update employees, partners and vendors on how to identify, avoid and report potentially malicious activity on corporate networks. The most effective way to handle IoT security is to treat it as a journey; be smart and proactive when it comes to IoT risks. Make security a top priority for everybody in the organization as well as outside partners and vendors. Don’t be naive: appreciate that there are many reasons somebody would hack your IoT solution, ranging from thrill, political statements, an act of war or terror, and expectations of financial gain from stealing data or trade secrets for competitive advantage, to hobbling you as a competitor, disrupting your business strategy or an employee attempting to exact revenge.
You should reward users who find and report bugs, especially defects likely to expose zero-day exploits. The construction industry is heavily decentralized and involves several stakeholders. Without thorough and regular training and buy-in from all personnel, even the most robust cyber risk management plans can be rendered ineffective. Businesses should also implement strong internal controls, including the resetting of passwords every 90 days, multi-factor authentication and randomized default passwords.
In IoT security, concerns and confusion remain. An IoT security strategy for a construction company has to focus on not only preventing intrusion but also quick detection and recovery.
Use the most current operating system and libraries with updated firewalls and security patches. Despite the added expense, investing in a robust set of firewalls that require user authentication can be beneficial. Businesses should also institute secure file sharing, advanced email and web filtering and separate WiFi networks for subcontractors, architects and engineers. Use automatic updates to fix and patch bugs and vulnerabilities in field devices.
Closely monitor third-party risk. Assess the cybersecurity processes of any third parties that access or retain critical data. Seek to build favorable hold harmless agreements into contracts with third-party vendors. Also, establish procedures to evaluate any third-party service providers (if applicable) and, as discussed, review their agreements, limiting as much liability to your company as possible, and assess their cybersecurity processes.
Develop detailed data breach response plans. Planning can enable an organization to act swiftly, decisively and effectively to minimize damage from a breach and any resulting claims or regulatory actions.
Purchase cyber insurance. A cybersecurity breach is not a matter of if but when. Having insurance coverage against cyberattacks makes business sense. Understand that IoT doesn’t have a security silver bullet. The scope and variety of IoT solutions effectively prevent the emergence of faultless security defense. IoT technology is fluid, the solutions are continually evolving and so too are the threats and attack vectors. IoT solutions are constantly evolving and so should your IoT defense strategy. While cyber insurance policies have historically been most often associated with data and privacy breaches, today’s cyber policies cover the failure of technology and the resulting interruption or loss of revenue.
Be smart and practice good cyber hygiene: use secure passwords from password generators and implement multi-factor authentication, among other standard security measures. Most security breaches take advantage of well-known vulnerabilities that haven’t been addressed despite ample alerts, and most attackers are known to you: employees, contractors or partners.
Deploy end-to-end security, from the device to the cloud. Collaborate with partners and vendors as a security strategy. Choose the best partners and build security into your IoT ecosystem from the start. Darktrace, Intertrust, Device Authority, Sectigo, Rubicon Labs, Kudelski IoT Security, Patreon, Ockam and Blackridge Technology are IoT security-focused companies, among others. IoT security isn't something you should tackle alone. Find and collaborate with partners inside and outside your organization. Extend IT security architecture to OT and then augment it with specific security needs, issues and concerns in mind.
Go to IoT security conferences, especially events where your peers showcase practical implementations being deployed and share best practices.
Adopt industry-supported standards everywhere they're available. Treat proprietary solutions with caution. Be guided by standards bodies and trade associations, e.g. IEEE, ITU Study Group 20, oneM2M Consortium, IIC, Open Connectivity Foundation and Open Fog Consortium. The IoT industry is increasingly coming together to drive common security standards and best practices.
Seek top management support for security initiatives. Make them aware that IoT security is another business-critical challenge they need to consider.
Automate and monitor IoT security end to end. Manual efforts cannot keep pace with the volume of events in an IoT ecosystem. Co-create solutions with IT vendors to expand software capabilities to handle IoT security vulnerabilities.
Investment in IoT security has to be commensurate with the likelihood of risk and the potential value of the loss or damage. Different types and levels of vulnerability produce different threats with the potential for different damage. The best way to protect your organization is to start with solid risk identification, assessment and management.
Like all businesses, construction companies must adopt a robust cybersecurity risk management strategy and take the time to understand the exposures associated with IoT deployments. IoT technology can be a source of strength, but any breach or technology interruption that disrupts critical workflows and operations can lead to project delays and substantial losses for the business and other project stakeholders. However, security is not a technology issue. Deploying IoT means your organization is becoming a digital enterprise which needs an integrated, companywide security strategy and risk management plan that involves employees at every level. More emphasis has to be placed on security policies, best practices and tools that autonomously prioritize, contain and defeat attacks based on sound risk management as part of everything the company does.
Separation of systems or staying offline as a security strategy is no longer imaginable, nor is it the most effective approach to operating a modern business. Without seamless interoperability and integration, there is little improvement in business outcomes and hence no reason for IoT.