Building on Solid Foundations: Cybersecurity in Architecture

Great architects design their buildings to survive for hundreds of years, but what happens when their cybersecurity is built on sand? Danny Bradbury questions why architects and the companies they work with in construction and engineering are among those least prepared for a cybersecurity attack

When it comes to architecture, it’s time to draw up a security blueprint for the modern era.

As service providers specialising in intellectual property, architectural companies are a lot like legal firms, which many call the soft underbelly of the internet. They gather sensitive information from multiple parties as part of a project, ranging from sensitive facility designs to critical bidding information, making them especially attractive to attack.

Yet despite their appeal to cyber attackers, firms in the architecture, engineering, and construction (AEC) sector are often ill-prepared to deal with the problem, says Bharadwaj Mantha, assistant professor in the Department of Civil and Environmental Engineering at the University of Sharjah. He studies security in the AEC sector.

“The AEC industry, in general, has been reluctant to adopt technology,” he says, adding that those who do often don’t understand the dangers. “We don’t have that future outlook in terms of looking at its disadvantages.”

Architectural firms adopting technology without a secure approach to managing their data run the risk of cybersecurity issues. For example, file-sharing company Egnyte documented a 23.4% compound annual growth in the number of individual files that its 3,000 AEC companies stored between 2017 and 2021. Between Q4 2020 and Q4 2021, it also tracked a 325% increase in high-severity issues among AEC companies from 2,793 to 16,122.

Many AEC companies that Mantha spoke to had little cybersecurity training, policies, or tools to counter the fallout from a successful attack, which is incomprehensible given that the stakes are so high.

In 2020, a previously unheard-of ransomware group called Light successfully hacked architectural company Zaha Hadid Architects, encrypting and stealing files in a double-dipping attack. Payroll records, employee PII and contracts, and email inbox dumps were all taken, along with the SSL certificates for the firm’s website and its Active Directory credentials. More recently, architect Sheppard Robson discovered a ransomware attack in July 2022 and refused to pay any money to the attackers.

A complex web of stakeholders

Attacks like these are common, according to Kevin Soohoo, head of the AEC practice at Egnyte. Architecture, engineering, and construction are intrinsically connected because of their close relationship on major projects, he explains. An architecture firm is just one participant in a project involving dozens of other companies involving hundreds of millions of dollars. When the project is done, the participants disband.

“When you have 20, 30, or 40 different entities involved, you don’t know who’s who all the time,” Soohoo points out, adding that these contractors and subcontractors can span different geographies. “Attackers use that to try and get someone to engage.”

Add the sense of urgency that often arises in AEC projects, and you have a recipe for elevated risk. AEC projects run to tight schedules. Missed deadlines can be costly, with financial penalties – not to mention reputation damage, says Soohoo. If a company misses a deadline to finish a critical job component, word gets around.

Attackers can use these time pressures to mount phishing and business email compromise (BEC) attacks, he warns. For example, an attacker pretending to be a supplier asking for payment and threatening the non-delivery of a critical component such as materials or critical engineering information would understandably cause panic at an AEC company.

“Someone tends to react to that and pay because they don’t want their project to suffer or fall behind,” Soohoo says.

Only as strong as the weakest link

The complex web of relationships between players in an AEC project also renders all of them, including architectural companies, vulnerable to supply chain attacks, warns Mantha.

“Just because you’re secure doesn’t mean that the people you’re communicating with will be secure,” he says, pointing out that many subcontractors in AEC value chains are small to medium-sized companies that might not be very tech-savvy. “Forget them being cyber secure; I don’t even know if they understand what it means in the first place,” he says.

If that insecure SME is compromised, it’s possible that whatever hit them could spread to your company via the complex network of stakeholders. Mantha, who has co-authored several papers on AEC security, modelled the flow of communication between the different players in a typical AEC project. He wanted to see how a cyber compromise might spread from what he calls a low-hanging fruit  ̶  for example, a construction labourer or supervisor using an iPad in the field  ̶ through the network to other players such as architects, consultants, and clients.

“Given the amount of bilateral communication that we have among these participants, it’s very, very likely that a significant portion of the network can get impacted,” he says.

Massive implications from malware

While a BEC can have immediate financial implications, a ransomware attack can cause operational disruption and legal problems, Soohoo explains. AEC industry participants depend on the information that is updated daily. For example, a construction company might need live design changes from an architectural firm in the field. If that information is unavailable, project schedules suffer.

The legal and reputation implications of a data breach are also potentially dire. Many clients, especially those in critical infrastructure, might place architectural firms under non-disclosure agreements.

“If criminals have your information and they’re going to release it, you have now violated that NDA as an AEC firm,” Soohoo says. “That leads to reputational risk, whether that means you get actually kicked off the project or don’t get invited to the next one.”

How can security professionals model the threats facing AEC environments? There are some more generic threat modelling frameworks already available for documenting threat models in large, distributed, and loosely coupled project teams. However, they are not specific to the AEC sector. While they’re a good start, they’re often limited in scope, suffer poor documentation, and need more domain-specific expertise, says Mantha.

“The AEC industry, in general, has been reluctant to adopt technology”Bharadwaj Mantha

He hopes to see a formal approach to understanding the security risks implicit in the AEC sector, but it’s a tough ask.

“We tried to get as many stakeholders involved as possible, including architects,” he says. “Surprisingly, most of them are still in denial regarding cybersecurity because they still believe that there wouldn’t be a significant impact, even if something were to happen.”

Solutions for today and tomorrow

COVID was a wake-up call for the AEC sector, and companies are gradually getting clued up about the problem, say experts. Soohoo says that moving to the cloud will be helpful for many architectural firms. They are well-equipped to handle security and version control on documents using on-premises systems, especially when those files are often gigabytes in size.

Given the volatile nature of project teams, better access control is also important. With stakeholders changing on a per-project basis, managing privileges and permissions from a central location can help close loopholes that could allow inappropriate access, Soohoo adds.

In the future, the industry might slowly adopt other forms of secure communication and validation between large, loosely-coupled groups. One potential technology is blockchain, which could be a way to codify legal, financial, or operational transactions between architectural firms and others on a project. Participants might use private blockchain infrastructure to record everything from orders and deliveries to document edits and approvals, creating an immutable record of who did what.

For now, though, more is needed to get all players in an AEC project, including architectural firms, to collaborate in a unified and secure way. Agreeing on a project-wide communication and data storage mechanism is a tough challenge replete with political, technical, and economic barriers. Building these foundations just might be the toughest project of all.