Until now, the construction industry was not at the top of the list of sectors targeted by attackers, who preferred finance, health, and justice. However, we have recently witnessed a paradigm shift.
Today, it doesn’t matter what sector a company is in, what size it is, or what field it is in. Cybersecurity concerns everyone.
Construction companies, real estate in general, architecture and engineering, are not ignoring the threat.
As in other sectors, the trend in the real estate sector is to accelerate digitization and the evolution of working methods (remote work, cloud …).
The sector has become aware of the risk and is strengthening its security posture.
Is this now sufficient? What are the characteristics of this rapidly changing sector?
State of the art
What is the real estate sector?
The real estate sector can be divided into 3 main professions:
- The production and promotion business
- The profession of transaction
- The profession of property management
The list of actors is long.
We find real estate agencies, real estate promoters, real estate negotiators, property administrators, property management agencies, rental and co-ownership managers, but also architects, construction companies, all activities in civil engineering, engineers, etc.
In France, this represents 213 534 companies. In Spain, the economy is mainly made up of micro-companies, with the highest percentage belonging to the service sector.
Why is the construction industry, and more generally the real estate sector, an easy target for cyber attackers?
- Construction companies’ investments in this field are lagging behind other sectors.
- This lack of maturity in cyber matters can be explained by the absence of regulations, but also by the lack of preparation. 74% of companies in the real estate sector are not prepared for cyber attacks.
- Another important point is that the lack of awareness among employees also leads to vulnerability, which opens a royal road to cyber attackers.
- The sector hires a lot of contract workers, temporary employees, who do not always master the cyber issues.
- The industry also has a very large cash flow. It will represent 15 billion dollars by 2030. The global industry is expected to grow by 42%. This may suggest that companies would pay more easily in case of ransomware…
- Another important element is that the industry has important resources that make attackers’ eyes shine: strategic data. This is the case, for example, during the construction of nuclear or hydroelectric power plants. These construction sites are highly strategic for a state or a competitor.
- In addition, the real estate sector has an interesting amount of personal data, the oil of the 21st century. Confidential or financial information, employee or customer data are interesting for a hacker.
- Finally, the sector is in the midst of a technological transformation (virtual reality, robotics, Machine Learning). This transformation is both a strength and a weakness. A weakness because not all the equipment is adequately secured. This transformation increases the digital footprint and, with it, the attack surface of building companies.
In a few figures:
In two years, the number of cyberattacks against real estate players has increased tenfold in the United States, with total losses amounting to $56 million.
These statistics are confirmed by another survey: the Real Estate Industry Survey by KPMG in 2021 found that “30% of organizations had experienced a cybersecurity event in the past two years, and only 50% of organizations said they were sufficiently prepared to prevent or mitigate a cyberattack.”
Nature of the attacks
The motivation of the attackers remains mostly financial gain.
“71% of all cyberattacks are financially motivated,” but sabotage, to eliminate or weaken the competition, and espionage come next.
Overall, the construction industry faces the same threats as other industries; namely:
Cybercriminals could take control of computer networks and monetize them or obtain information that could be used to commit fraud and other crimes.
Real estate is targeted for financial reasons, and attackers do not hesitate to practice double or even triple extortion.
Here are some examples:
- Bird Construction, a Canadian company, suffered a ransomware attack orchestrated by the Maze group in December 2019. The ransom demanded was $9,000,000.
- In January 2020, the company Bouygues Construction was the victim of a ransomware attack. 237 workstations had been encrypted.
- Bam Construct was the victim of a cyberattack following a vulnerability discovered in the company’s website in May 2020.
- Ronmor Holdings, a real estate developer, was hit in late September 2021 by ransomware. REvil was behind the attack, and 755 GB of data were stolen.
Phishing attacks are commonplace, with the goal being to gather personal information.
The most common attacks are business email compromise (BEC) or whaling attacks and spear-phishing.
Here are some examples:
- Solid Bridge Construction, an American company, was a victim. The cost of the operation was $210,312.00.
- In December 2021, a French real estate developer (Sefri-Cime) lost 35 million euros, with the attacker posing as the company’s boss and demanding wire transfers.
Construction companies hold very sensitive information that may be of interest to both a competitor and a state.
Intellectual property, patents, or company know-how are a gold mine for attackers. Bidding data can be a competitive advantage. All this data will catch the eye of a cybercriminal.
Here’s an example:
- In 2019, First American suffered a data breach; 885 million customers were exposed.
Vector of attacks
- The internal threat is common in this environment. The case of the employee who divulges data is unfortunately frequent and is not only explained by the lure of gain. Very often the motivation lies elsewhere: it can come from a lack of recognition, a thirst for ambition, or pride leading the individual to steal information from the company to succeed in another. Revenge is also an explanation.
- Other threats come directly from state sources when it is a question of extremely strategic real estate projects. This is the case for the construction of nuclear power plants, hydraulic dams for example…
- The supply chain: construction projects often involve several entities such as suppliers, subcontractors and partners, which weakens the security chain. If these entities are compromised, then the entire chain potentially fails.
- Criminals also target cloud providers to gain access to It is important to understand the risks of storing sensitive data without proper security precautions.
- IoT: Smart buildings are composed of complex interconnected systems with vulnerabilities that provide entry points for cybercriminals. Currently, there are more than 12 billion connected objects in the world.
At the level of legislation
Each company must ensure the protection and confidentiality of customer data, secure online purchases and banking data of customers, suppliers … In Europe, non-compliance with the GDPR can result in legal and financial penalties.
In France, there is now a label called R2S, for ready2services. The Smart Building Alliance and Certivéa have set up this label for commercial buildings. This label aims to evaluate the quality of the IT services offered by a site, and their interoperability, via 4 levels of certification. https://r2s.certivea.fr/
At the financial level
Even the smallest system failure can have serious financial consequences.
- A data security breach can have a major impact on the business. A machine that stops working, a computer system that is inoperable, and the entire project falls behind schedule with daily financial penalties. The construction industry relies heavily on the ability to deliver projects on time.
- It can also result in an inability to bid on a project, and the loss of huge contracts.
- An attack damages the trust relationship between a company and its customers and can tarnish its image and e-reputation.
- To this, one must add the indirect costs, in particular of data reconstitution, personnel costs, equipment, expert fees…
At the security level
A security incident can lead to chaos. Critical infrastructure protection must remain a priority. Imagine a connected crane that is out of control.
We can expect (and in fact, this is already the case) increasingly sophisticated threats, especially with the advent of AI, machine learning and quantum computing, which will require a great deal of adaptation and specific skills.
Understand the risk
Not all companies in the construction industry face the same level of risk. It will depend on:
- The type of business
- The jurisdiction
- The amount and nature of personal information held
- How prepared an organization is to handle a security incident
It is therefore relevant for these organizations to make a clear assessment of the strategic risks. Everyone is involved in this process.
The risks must be quantified and qualified and reported in simple language to the management, which will open budgets and initiate a real protection strategy by implementing the most appropriate technology.
On this point, the priority is to detect and neutralize incoming attacks, before they harm the company, and this is the added value of TEHTRIS on a daily basis.
TEHTRIS works with real estate companies to strengthen their security posture and protect them from cybercriminals.
Companies in the real estate sector need to protect their entire information system, to deploy the chosen solution easily and quickly, or to find a solution that is compatible with all the OSs in their fleet.
Thanks to automatic remediation, IT and production tools are not impacted. The information system is 360° protected against the most advanced threats with TEHTRIS CYBERIA hyper-automation and artificial intelligence, and TEHTRIS CTI Cyber Threat. Deployment is fast and TEHTRIS offers support in monitoring the cybersecurity roadmap.
TEHTRIS EDR and TEHTRIS MTD are two modules of the TEHTRIS XDR Platform. This modular and configurable trust platform is the solution for enhanced detection and response to fast-moving cyber threats.
TEHTRIS XDR Platform monitors, analyzes, detects, and neutralizes threats worldwide for major players in real estate, industry, transportation, engineering, services, and government.
With the Cybersecurity Made in Europe label, TEHTRIS is also the only vendor in the European Union recognized by Gartner® as a representative XDR vendor in the Market Guide for eXtended Detection and Response 2021. TEHTRIS is also a representative vendor in the Market Guide for Mobile Threat Detection 2021.
By constantly monitoring cybercrime and listening to its customers, our goal is to reduce the risks as much as possible, in order to face the unpredictable.
KPMG. Securing real estate assets in a digital world. 2018.