Contractors and construction sites are becoming more digitised – leaving them exposed to cyber risks. But why would a hacker target a construction contractor?


Contractors actually make surprisingly soft targets. Construction is an extremely capital-intensive sector, with a single site often counting thousands of tradespeople among its daily workforce. Those workers are often employed by dozens of different contractors, all of whom may have access to a single database of information about the project.

Contractors are not known for their advanced cyber security and that can leave dozens of digital backdoors that hackers could use to get their hands on that single data repository.

If hackers choose to encrypt it and the computers it sits on – in effect, holding both machines and data to ransom – they know they have serious leverage, as workers will be forced to down tools, costing tens of thousands of pounds an hour.

Spying activities

And there’s another reason to target construction firms. They work on some pretty sensitive projects, like nuclear power stations or military bases.

Swiss Re Corporate Solutions cyber expert Francois Brisson says there have been a number of cyber-attacks by malicious states trying to get their hands on another country’s intellectual property.

“It’s spying activities”, Brisson says, explaining that national actors are motivated not only by politics but also by unfair competition during the request for proposal period.

Increased use of Internet of Things-connected devices on construction sites, like sensors, power systems, energy management tools and cameras, could leave the sector more vulnerable

North Korea is a prime example. Just last month, a confidential United Nations report revealed that Pyongyang had targeted banks and crypto-currency exchanges to steal £1.6bn to support its weapons programme.

The construction sector could be next. Last year, thousands of confidential documents, including plans for everything from power stations to prisons, were stolen from French firm Ingerop. It is not known who was behind the hack.

To protect every device

Brisson says the increased use of Internet of Things-connected devices on construction sites, like sensors, power systems, energy management tools and cameras, could leave the sector more vulnerable to these kinds of attacks. Sites will soon employ thousands of these devices and each one could provide a backdoor into the network.

“Most of IoT devices are delivered with a default password to access to it,” says Brisson. “The management on all this equipment will be highly complex.”

And the potential losses in real GDP will, undoubtedly, force businesses to “have IT security by design for new product and services”, he adds.

Cyber protection: under construction

Despite these vulnerabilities, Brisson says there have been very few examples of cyber claims from construction firms, probably because the sector is largely uninsured by cyber stand-alone cover.

And even if there had, they may not have been covered by traditional insurance construction policies. Brisson explains that there is a notable difference between the cover available in the US and the policies sold by insurers in Europe.

In America, cyber risk is often excluded from construction casualty insurance, whereas in Europe, where the marketplace is more competitive, companies can get a cyber endorsement.

“A lot of US risks come into the London market to find broader policies,” Brisson says.

And, now, those policies are even starting to cover physical loss from a hack, something that had previously been generally excluded. Brisson says that some policies will even replace equipment that cannot be cleaned up or guaranteed to be safe after a cyber-attack, although the potential coverage is still limited.

The market for cyber cover in the construction sector is still a building site, where the need for Cyber standalone policies, offering specific coverage for the sector, is not fully understood.