Construction Equipment Guide
470 Maryland Drive
Fort Washington, PA 19034
800-523-2200
Wed June 02, 2021 - National Edition #12
Challenge-junkie cybercriminals have moved on from hacking personal information. Now corporate intelligence, infrastructure and even heavy equipment are targets. Though currently cybersecurity threats are incidental in the construction industry, the potential for widespread damage exists. What can contractors do to protect their company data and heavy machinery assets?
"We've crossed the rubicon," said Erol Ahmed; director of communications of Built Robotics, San Francisco. Cybercrime is "now moving on to critical infrastructure, pipelines and potentially heavy equipment."
Ahmed believes these large-scale operations make more attractive targets because the software used to run them is easy and accessible to criminals.
"So, it's important to provide the right protection for users as much as possible."
The bottom line, said Ahmed is yes, "we're seeing an increase in ransomware and hacking, but we have the capabilities to fight back and keep our equipment running smoothly and safely."
In early May, Colonial Pipeline suffered a ransomware cyberattack that impacted computerized pipeline management equipment.
The pipeline originates in Houston, Texas, and carries gasoline and jet fuel mainly to the southeastern United States.
Colonial Pipeline Company halted all of the pipeline's operations and paid the requested ransom of nearly $5 million within several hours after the attack.
The hackers then sent Colonial Pipeline a software application to restore their network.
It was determined to be the largest cyberattack in U.S. history on oil infrastructure.
In 2019, two white-hat hackers selling security software from Japan-based Trend Micro proved how easy it would be to hack a construction crane.
With permission from machinery owners, while sitting in their car, the two hacked cranes and other construction machinery at 14 different sites in Italy.
The cranes' vulnerability lies in their communication systems, which connect machine to controller.
According to wonderfulengineering.com, "the simplicity of the hack signifies just how disastrous it can be if the cranes were to be hacked with malicious intent."
The two Trend Micro staffers believe the damage could vary from theft and extortion to sabotage and injury.
Equipment rental company BigRentz came up with a list of 15 surprisingly hackable items used every day. The company attributes the ease of hacking to the Internet.
"Now, the Internet of Things has made it possible to hack items you may never even realize were hackable," the company wrote. "Hackers can infiltrate everything from trucks and equipment to building heating systems and even your office coffee pot."
And, the article noted, RFID tags and sensors have made shipping containers and boxes of inventory vulnerable.
"Generally, the more places you store data, the more risk it presents," said Ahmed. "The more parties that have access to that info, the more risk you have."
So, connecting a device to a machine, being near that machine to access data, then uploading that data into the Cloud creates vulnerabilities.
Once in The Cloud, it can be exposed to an attack from the dealer's or owner's computer.
"The less places data lives, the safer it is," said Ahmed. "But that's kind of impractical in today's world where people want data from anywhere."
The company has developed an AI guidance system, hardware and software that lives on the equipment.
For example, it can be mounted on the back of an excavator so it runs autonomously.
The system is fully wired to The Cloud or the Internet. Data can be accessed remotely through the Internet, but the system is closed, which means it's not tied to a network.
Built Robotics believes in encrypting data to make it as safe as possible to ensure less worry, Ahmed said.
Beyond car keys and coffee pots, BigRentz noted building cameras, office printers, security systems and smart refrigerators are vulnerable.
In the construction industry, GPS systems, drones, wearables and heavy machinery can be hacked.
"To get into a piece of heavy equipment, it has to be a new model," said Ahmed. Older machines that don't involve sophisticated computer technology are generally safe in this regard.
More industrial types of machines are being ransomed because they're very expensive, Ahmed noted.
Newer models record location info along with metrics on that particular unit, such as fuel levels, cycle times, operating hours, distance traveled.
"At first glance, it doesn't seem like revealing info, but that depends on what the hacker wants to do with the data," he said, adding that location data is most critical.
BIM software is commonly used these days. Key questions users ask of it most often is "where's my machine?" "is it on?" and "is it operating?" Ahmed said "that's what owners and operators, and thus hackers, care about."
Most popular drone models can be taken over by a hacker who can then lock out the owner, preventing them from regaining control.
"Once the hacker has control of the drone, they can steal it, crash it or use it to damage other equipment on the site," noted BigRentz.
If hacked, wearables can tell an attacker the crew's comings and goings and allow access to protected files, such as blueprints and site worker credentials.
"In places like airports, city skyscrapers or government buildings, a hacker could sell information gained via wearables to criminals, leaving the location vulnerable to physical attack," said BigRentz.
In the Trend Micro crane-hacking demonstration, the two researchers noted that a hacker could steal equipment, use it to cause damage to property or people or even for extortion.
And those are the obvious direct damages. More costly can be indirect losses, noted Secuvent, a cyber threat analytics and risk advisory service based in Salt Lake City, Utah.
"As dealers, once the knowledge of compromised information is known in the marketplace, customers tend to shift their business elsewhere, and the dealers' brand name suffers long term," the company noted in a blog. "As manufacturers, delays up to multiple weeks are detrimental to an organization's ability to deliver products on time and ruin an organization's timelines."
Other indirect costs are the breach of intellectual property, such as blueprints or schematics; the leaking of sensitive data associated with an organization's competitive advantage, such as their bid data and strategy; and losses related to the sabotaging of autonomous or precision farming equipment.
"These indirect costs typically affect agriculture and construction equipment organizations disproportionately, compared with other industries," the company noted.
While larger manufacturers and dealers are better equipped and have more resources, they are only as prepared as the capabilities and strength in business understanding they have in place, believes Secuvent.
Smaller manufacturers, suppliers and dealers normally have fewer resources available for cybersecurity. An intrusion can be more devastating if it leads to the business's entire closure.
Ahmed of Built Robotics reminds contractors there are basic common-sense actions they can take, the same advice given to prevent personal info from being stolen: Choose strong passwords and practice good data hygiene as a dealer, end user or manufacturer.
Make sure your data is encrypted. Monitor unusual connections to servers from people trying to break in.
"Hackers will try, so we have to have ways to keep an eye on those things." It's all a part of being proactive, he said.
BigRentz said if you can register your device with the manufacturer, make sure you do.
"This will put you on the mailing list that companies use when they roll out security upgrades after they become aware of a new hack their product might be vulnerable to."
Then, said the equipment provider, make sure you stay up-to-date on all patches and install them as soon as they are released.
"Most hackers find their targets using a search engine that returns lists of IoT-connected devices in a particular area."
Hackers will search for the type of device they're targeting and look for any that haven't upgraded their security recently.
So, if you frequently install security patches, you're unlikely to appear on the list of vulnerable devices the hackers will target, said BigRentz.
"Finally, any equipment that you don't use frequently, consider renting on a case-by-case basis instead."
Each Internet-connected item that resides on your work site or in your warehouse is a potential point of entry for a hacker to access your entire network.
"By limiting the number of machines you own, you lower the possible points of entry hackers can use and make yourself and your firm more secure."
Built Robotics' heavy machinery works within a geofence. Ahmed said that keeps it safe within a certain area.
It helps, too, to know what your state requires in the way of equipment registration and proof of ownership. You can take advantage of these laws.
For example, "theft can be difficult in California, because all heavy machines have an identification number on them," said Ahmed. "So even if you could steal a machine, it might be hard to resell."
Ahmed stressed that the hacking threat to construction equipment is pretty small for the time being. He said he knows of no public cases of it happening on a large scale.
"We consider it a minor occurrence, and it has been for a while. The number of people affected by hacking is related to how likely something might be hacked," he said. "Because there aren't as many machines as there are cars or trucks, we don't see a focus on construction equipment right now."
He said heavy machinery manufacturers are devoting resources to working on autonomous technology. It's been in place since the 1990s in the mining industry.
"Mining is ahead of construction in that regard. But construction is a more dynamic environment."
And he suggested the next security dilemma may be even more critical. Beyond autonomous machines and industrial vehicles, there are bricklaying robots and rebar-tying robots.
"What happens when these robots start talking to each other? It brings in another security layer."
Be proactive, said BigRentz. "The best way to defend against an attack is to educate yourself on your own devices and learn how hackers might be able to target them." CEG
Lucy Perry has 30 years of experience covering the U.S. construction industry. She has served as Editor of paving and lifting magazines, and has created content for many national and international construction trade publications. A native of Baton Rouge, Louisiana, she has a Journalism degree from Louisiana State University, and is an avid fan of all LSU sports. She resides in Kansas City, Missouri, with her husband, who has turned her into a major fan of the NFL Kansas City Chiefs. When she's not chasing after Lucy, their dachshund, Lucy likes to create mixed-media art.