Cyber Security in Construction & Infrastructure

By Luke Smits - Founder & Operations Manager
A bring under construction

The Last 3-4 decades were a boom, for Australia, in terms of construction and demand on infrastructure growth (thanks to a soaring population). This has meant that a significant amount of our underpinning IT infrastructure was constructed pre-millennium, in a time before cyber-attacks, meaning it’s now aging and unprotected.

“much of [a] Nation’s CI depends on ICS such as supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS), which rely on programmable logic controllers (PLC) to manage essential and complex operational processes.” Source

“Prior to SCADA, industrial systems required numerous personnel to continuously monitor and coordinate activities, often by pre-digital analog devices. Personnel would monitor industrials systems and relay information to the main operator. As industrial complexity grew, sites became larger and as demand grew, sites often became more remote. In response, human-enabled analog systems become more cumbersome, time consuming, and uneconomical, and just in time digital technology grew and is pervasive today across industry.”

Global news, has highlighted for us, the effects cybercrime can have on infrastructure and economic damage to countries. Here’s an example of Russia’s cyber-attacks on Ukraine’s infrastructure, and here is one from North Korean attacking US and European infrastructure.

Countries and their governments have become hyper vigilant about the potentially catastrophic results that cyber attacks could have, should they cause partial or permanent damage to critical infrastructure and construction.

Let’s dive into a bit more about cyber security in construction and infrastructure…

Why is Cyber Security important in Construction?

As mentioned, attacks on infrastructure could have catastrophic results for a country. But what about the construction industry? As well as being an integral part of building infrastructure, it’s also vulnerable to cyber-attacks.

Did you know, construction is one of the most targeted industries for cybercrime?

Construction projects increasingly rely on technology and interconnected systems. Cybersecurity safeguards the critical infrastructure and equipment from cyber-attacks, which could disrupt operations, cause safety hazards, or lead to expensive repairs.

Other areas of construction that could be impacted by cyber-attacks include:

  • Data Protection: Construction companies handle a significant amount of sensitive data, including financial records, blueprints, designs, project plans, and customer information. Proper cybersecurity measures safeguard this data from unauthorized access, theft, or manipulation, protecting the company and its stakeholders from potential financial and legal liabilities.
  • Intellectual Property Protection: Construction firms invest substantial resources in research and development to create innovative designs and technologies. Cybersecurity ensures that these intellectual properties are safeguarded from cyber-espionage or theft by competitors or malicious actors.
  • Infrastructure and Equipment Security: In today's digital age, construction projects increasingly rely on technology and interconnected systems.

As well as damaging Supply chains, Reptation and trust, compliance and regulatory requirements, operational continuity.

Does a Construction Company need to have Cyber Security?

A successful cyber-attack on a construction company could cause:

  1. Delays or permanent disruption on a project
  2. Additional costs
  3. Data theft
  4. Fraudulent wire transfers

But, beyond these tangible damages, is the less tangible and sometimes overlooked brand impact. A business that is lax with the security of its data can be seen as negligent and untrustworthy, a wounding PR blow, for any business.

Construction companies are notorious for inadequate firewalls and poor cyber security defences, making them a tantalising target for bad actors.

Let’s put it this way:

If you own a construction company: are you prepared for a project to halt, due to a breach?

If you own, or manage a construction company, and it was attacked by cyber-criminals, could afford to halt a project due to disruption?

What about the fines you’d receive for data protection negligence? We have information on the fines corporations can expect to pay for poor data protection.

The damage your construction business could face from a cyber-attacks are incalculable and potentially fatal to a business.

Construction companies that have been hacked

British construction group Interserve were fined £4.4m for failing to protect personal and financial information of their 113,000 employees. “The attack led to 283 systems and 16 accounts being compromised, uninstalled Interserve’s anti-virus system and encrypted all current and former employees’ information.”

Canada’s Bird Construction, a preferred military contractor were hit back in 2019, by a ransomware attack that crippled a computer system, while the attackers demanded millions of dollars in cryptocurrency.

One of Ireland’s largest construction businesses, Lagan Specialist Contracting Group was attacked this year, again through ransomware.

These are not small, local businesses; these are large, influential market leaders and they were not immune to significant breaches.

What is Critical Infrastructure Protection?

Critical Infrastructure Protection (CIP) refers to the safeguarding and resilience of essential systems, assets, and services that are vital to the functioning of a nation, society, or organisation (like a private construction business).

These critical infrastructures are considered so crucial that their disruption or destruction could have a debilitating impact on public health, safety, the economy, national security, or any combination of these factors. Protecting these assets from physical and cyber threats is of utmost importance to ensure the continuous operation and functioning of a nation or an organisation.

Critical infrastructure includes various sectors and assets, such as:

  1. Energy Sector: Power plants, electrical grids, and oil and gas facilities.
  2. Transportation: Roads, bridges, airports, seaports, and rail systems.
  3. Water Systems: Water treatment plants, dams, and water distribution networks.
  4. Communication: Telecommunications networks and data centres
  5. Emergency Services: Police, fire, and medical services.
  6. Healthcare: Hospitals and medical facilities.
  7. Financial Services: Banks and financial institutions.
  8. Government Facilities: Military bases, government offices, and national landmarks.
  9. Food and Agriculture: Farms, food processing plants, and distribution networks.

The protection of critical infrastructure involves various strategies, policies, and measures to address both physical and cyber threats. Some key aspects of Critical Infrastructure Protection include:

  1. Risk Assessment: Identifying and evaluating potential threats, vulnerabilities, and consequences related to critical infrastructure.
  2. Mitigation and Resilience: Implementing measures to reduce the impact of potential disruptions and enhancing the ability to recover quickly from adverse events.
  3. Information Sharing and Coordination: Collaborating with government agencies, private sector entities, and international partners to share threat intelligence and best practices.
  4. Cybersecurity: Protecting critical infrastructure from cyber threats, such as hacking, data breaches, ransomware, and other malicious activities.
  5. Physical Security: Implementing physical security measures, such as access controls, surveillance systems, and perimeter protection.
  6. Training and Awareness: Educating employees and stakeholders about potential threats and best practices for safeguarding critical assets.
  7. Emergency Response and Continuity Planning: Developing plans and procedures to respond effectively to incidents and ensure continuous operations during emergencies.

Critical Infrastructure Protection is a critical component of national security and economic stability. Governments, private sector organizations, and international entities work together to develop and implement strategies that ensure the security and resilience of essential infrastructure against a wide range of threats, including natural disasters, terrorist attacks, cyber-attacks, and other potential hazards.

A Cyber Resilient Framework

A Cyber Resilient Framework is a comprehensive approach that construction companies and infrastructure facilities can adopt to enhance their ability to withstand, respond to, and recover from cyber-attacks and other cybersecurity incidents. The framework is designed to strengthen their cybersecurity posture, minimise the impact of cyber threats, and maintain essential operations even in the face of adversities.

The core principle of a Cyber Resilient Framework is resilience, which focuses on the ability to adapt and recover quickly from disruptions while continuing to deliver critical services and protect sensitive data. It goes beyond traditional cybersecurity measures, which primarily focus on preventing attacks, and recognises that no system can be completely immune to cyber threats. Instead, the framework emphasises a proactive and adaptive approach to cybersecurity.

A typical Cyber Resilient Framework consists of the key components listed in the previous section.


To discuss cyber security for your business, whether you’re involved in construction, infrastructure, or other, we can help.

To request an audit or ask a question about Cyber Security - Get in touch

Back to News