As the construction industry becomes increasingly digitalised, the associated risk of a cybersecurity breach is also growing. Protecting building information management (BIM) models, smart infrastructure, supply chains, and critical data is now a priority for the industry. The risk is not just theoretical – in 2024 alone, ransomware attacks against the construction industry rose 41 per cent, with 481 construction companies publicly listed on data-leak sites.
According to David McNamara, founder of cybersecurity firm CommSec, construction has effectively caught up with digital manufacturing. “Modern building sites run like modern assembly lines,” he points out. “The projects now run on connected systems, shared data and cloud collaboration.” This has improved productivity, but it also means a cyber attack can stop a project just as quickly as a physical incident on site.
Today’s construction firms rely on digital platforms for design files, project management, procurement and payments, McNamara says. “If those systems are compromised, the impact is immediate. Projects can stall, sensitive intellectual property can be stolen, and payments can be redirected through fraud.”
CommSec is already seeing construction firms targeted by criminal groups such as the LockBit and Clop ransomware groups. “These groups encrypt critical data and threaten to leak sensitive information unless a ransom is paid,” McNamara explains. “In a sector where deadlines and penalties are strict, that type of disruption can be extremely damaging.”
And even though many construction firms fall outside the direct legal scope of the EU cybersecurity law NIS2, they are increasingly bound by its standards through the supply chain. McNamara explains that large-scale clients in critical sectors are now legally mandated to ensure their vendors maintain rigorous controls, including incident response protocols, good cyber hygiene – such as the use of multi-factor authentication (MFA) and strong passwords – and robust patch management. “This makes cyber resilience a prerequisite for winning tenders and avoiding the catastrophic financial and reputational fallout of a data breach,” he says.

BIM models play a critical role in modern construction projects, acting as the digital blueprint of any building. These platforms hold detailed information about structures, layouts, materials and building systems – making them both critical and highly vulnerable.
“Access is shared across multiple users and collaborators such as architects, contractors, engineers and suppliers,” says McNamara. “That level of collaboration creates the same exposure we see across many cloud services, where leaked or stolen credentials can allow attackers to access sensitive environments if identity and access controls are not properly enforced. If someone compromises that environment, they can steal the design or manipulate the data that engineers and contractors rely on.”
An attacker does not necessarily need to cause obvious damage, McNamara adds. “Even small changes to design data could lead to costly construction errors or delays. Sometimes, disruption is the objective, rather than financial rewards.”
The solution is to treat BIM platforms as critical infrastructure. “Organisations should enforce strong identity management, strict access permissions, and secure, encrypted collaboration environments,” McNamara advises. “Continuous monitoring of user activity and model changes is also important. In addition, connected devices on site, such as IoT sensors and smart equipment, should be kept secure through regular operating system and firmware updates, supported by a clear patch-management process.”
Many other aspects of modern construction are ripe for cyber attacks. McNamara says the biggest cyber risk in the sector is possibly the size of the digital supply chain. “A single project can involve dozens of contractors, suppliers and consultants, all accessing the same systems,” he explains. “Attackers often exploit weaker security in smaller suppliers to gain access to larger organisations.” Advanced threat groups such as APT41 have targeted engineering and construction networks to steal valuable intellectual property and project data.
Financial systems are another common target. “Business email compromise attacks, often delivered through malware campaigns like Emotet malware, can allow attackers to intercept invoices and redirect payments,” McNamara says.
Connected site technology also introduces risk, he adds, and IoT sensors, drones and smart building systems can become entry points into corporate networks if they are not properly secured. “Construction firms must track which devices are connected to their networks, keep firmware updated, and separate them from key business systems to reduce risk.”
McNamara is unequivocal when he says cybersecurity should be a priority for building enterprises of all sizes. “As construction becomes more connected, firms need to protect their digital infrastructure with the same discipline they apply to health and safety on the physical site.”














