- Project plans
- Project activities
- Legislation and standards
- Industry context
Last edited 28 Sep 2017
Infrastructure and cyber attacks
Kim Van Rooyen and Nathan Jones, both experts from Turner & Townsend, give their thoughts on cyber security in the built environment.
 What types of cyber attacks are there?
Cyber attacks come in many different forms. Nowadays, when people think of cyber attacks they think large-scale – a group of hackers working on behalf of governments trying to find out state secrets for example. However, cyber attacks can come from anywhere – teenagers seeing what they can do on a computer or a disgruntled employee looking to get some money or information out of their company.
Some attacks don’t even require a large amount of technical know-how. It could be that software is not updated for a while or even giving open access to WiFi. Sometimes it can be as simple as the building management team not changing a password from its standardised settings so the building could be accessed by anyone.
Disrupted Denial of Service (DDoS) is a fairly recent form of cyber attack and is becoming more commonly used. Essentially, the network of an organisation is ‘flooded’ with data meaning the organisation cannot function. No damage is done nor data stolen, but the hacker can hold the organisation to ransom.
 How safe are we from a cyber attack?
No network is 100% secure. Organisations have different levels of maturity in their cyber defences. The government has started taking cyber security much more seriously and recently launched the National Cyber Security Centre, a division of GCHQ that will be a new nerve centre to manage cyber incidents.
Take an example of malicious software (malware) being embedded into the system of a crane that had been delivered to a sensitive construction site. The crane needed to be connected to the sites network to enable ‘reachback’ (where the device talks back to the manufacturer or supplier) for system monitoring and performance. In this case, the site security procedures were watertight – every device that needed to connect to the network needed to be scanned and in this case the malware was found.
The market for the 'internet of things’ is constantly expanding, so it has to be taken as given that it will continue to be a more connected world. That doesn’t necessarily mean that there has to be more risk of cyber attacks. Instead, people need to be savvier about what they do. How many people leave their Bluetooth on, or choose an obvious password?
People going onto a construction site today will be given a safety briefing and protective equipment, and checked to ensure they are in the right condition to go on site. Yet, the site may have an open WiFi, leaving it open to attack. Cyber security needs to be considered in the same way that the health and safety of people is approached, and that will take a cultural shift.
Cities like London are becoming ‘smarter’; people, places, spaces, buildings, infrastructure and devices are becoming ‘connected’ to one another.
Already the technology is available to monitor how many vehicles are on a particular stretch of motorway at any one time. Using this, it could be possible, if that motorway was particularly busy, to redirect drivers via an alternative route.
This technology is needed and wanted as it will make all infrastructure systems more efficient and make them easier to maintain. However, this infrastructure could also become more vulnerable to cyber attacks. It is important to consider the threat early enough so it can be mitigated easily and cheaply.
Everything electronic emits a signal which can be interrogated from afar. Smart devices are never off (unless their power source is removed) so thought needs to be placed around fabric of buildings and how material and equipment is designed.
It is necessary to think about how buildings can be made more secure. This involves thinking about things like the locations of server or hub rooms in relation to other equipment or the positioning of screens so that they are not in clear view through a window. Even where cables go and whether they are made from copper or fibre are considerations in making somewhere cyber secure.
 What can civil engineers do to prevent attacks?
Being cyber secure is not about investing in more cyber. Civil engineers could have biometric sensors that check the identity of everyone coming in and out of a site, but if the database with those identities is insecure then it certainly isn’t helping to protect people.
Instead, it’s about being aware of how civil engineers could be at risk. If they have hard drives with files on it, then those files can be accessed, so properly disposing of them is vital. Even computer screens can have images burned onto them if they are used frequently, meaning someone can access information even from a blank screen.
For civil engineers, this is particularly important. They need to be aware (and are becoming increasingly so) of the forms that threats could take and how to protect the systems they use.
This article was originally published here on 27 Feb 2017 by ICE.
 Related articles on Designing Buildings Wiki
- Articles by ICE on Designing Buildings Wiki.
- Big data.
- Critical infrastructure is more vulnerable than ever. It doesn’t have to be that way.
- Cyber security and engineering.
- Cyber threats to building automation and control systems.
- Digital communications and infrastructure dependencies.
- Engineering resilience to human threats.
- Information and communications technology in construction.
- Intelligent building management systems IBMS.
- Internet of things.
- Security and the built environment.
- Smart buildings.
- Smart technology.
- Vital infrastructure and redevelopment.
Featured articles and news
From the decorative to the utilitarian, and from the photographed to the forgotten.
New BRE book considers the progression from project-based knowledge creation to whole-life urban knowledge management.
This CIOB article explores the concept of value in building design and construction.
BREEAM and Measurabl announce integration to improve the financial performance of commercial real estate.
Rogers Stirk Harbour + Partners' release new images of soon-to-open 3WTC tower in New York.
A document can be called a bond or a guarantee. Does the name matter and what is the difference between them?
New briefing note is launched focusing on increasing knowledge of housing that promotes health and wellbeing.
Arbitration is a private, contractual form of dispute resolution used in the construction industry.
The European Parliament has approved a revised Energy Performance of Buildings directive.
One in six MPs supports the ring-fencing of retentions as proposed in the 'Aldous Bill'.
A stakeholder is anyone who has an interest in the process or outcome of a construction project.