Cybersecurity Challenges, Risks and Solutions for AEC Companies

September 11, 2023
IT Security

As is the case with most industries, companies in the architecture, engineering, and construction (AEC) industries have benefitted greatly from technological advances ranging from the Internet of Things (IoT) to artificial intelligence (AI). Also, like in most industries, AEC companies — particularly engineering firms — have seen an increase in cyberattacks due to the expanding attack vector courtesy of those technological advances.

That’s not surprising, given that implementing new technologies and interconnected networks opens up the possibilities of more IT vulnerabilities and more points of entry for an attack — as well as more challenges for IT security teams. But just how pervasive are these attacks — and are the effects really that bad? Consider these highlights of cyberattacks in 2023.

  • Morgan Advanced Materials, a British engineering company, experienced a cybersecurity incident in January 2023. The company announced that recovery could cost up to £12 million, and operating profit for the fiscal year would be 10-15% below previous expectations.
  • The London-based engineering company Vesuvius reported that it fell victim to a cybersecurity breach in February. Its shares fell by as much as 3.1% in early trading the next day.
  • Black & McDonald, a Toronto-based engineering company, was hit with a ransomware attack in March 2023. The attack created a significant threat to Canada’s national security and critical infrastructure because the company works on military bases and electricity generation plants.

It’s not just engineering companies outside the US getting hit. Three of the eight engineering firms reported as victims of cyberattacks on May 31 in Konbriefing’s list of ransomware and cyberattacks in 2023 were in the US. All three were victims of an exploited vulnerability in the file transfer software MOVEit. That vulnerability is now known to be behind more than 600 other cyberattacks around the world, including one that struck San Francisco, CA-based Gensler, the international AEC giant.

Engineering Company Cybersecurity Challenges

The use of new technologies isn’t the only driver behind increasing the risks and incidences of cyberattacks in engineering companies and related sectors such as architecture and construction. These companies face many of the same challenges other companies do in terms of combatting cyber threats. Among them:

  • Competing budget priorities
  • Lack of upper management support (often due to their lack of understanding of the risks and the repercussions of attacks and the many pressures they face to meet shareholder expectations, etc.)
  • Lack of in-house IT security expertise and resources (and/or the ability to recruit and retain IT security experts)
  • Ineffective or inconsistent employee security training
  • Difficulty staying on top of emerging threats
  • Shadow IT
  • Employee turnover (in IT and throughout the company) makes it difficult to stay on top of IT access permissions, etc.
  • Prioritization of implementing and maintaining technologies over IT security (often due to management pressure)
  • The daily challenges of IT operations (balancing all the various responsibilities isn’t easy)

Engineering Company Cybersecurity Risks

Given that cybercrime continues to evolve and grow — and new threats always appear, it seems inevitable that almost every company in the AEC world can expect to experience some cyber threat eventually. Not being prepared for the inevitable won’t be good. They’ve been noted many times before, but the repercussions of cyberattacks can include:

  • Business-disrupting downtime (accompanied by lost revenue, lost productivity, missed deadlines, and more)
  • Costs for clean up and recovery (and potentially for paying for ransoms if the company goes that route, although it’s not recommended), as well as rework
  • Bad press and reputational damage among customers and suppliers, leading to a loss of business and shareholder confidence (in the case of public companies)
  • Fines and penalties from regulatory agencies
  • Market share losses when intellectual property theft creates competitors

Steps to Strengthen Engineering Company IT Security

Combatting cybercriminals isn’t easy, regardless of industry. However, the steps that follow can help strengthen a company’s overall security posture — lessening the risks and repercussions of cyberattacks.

1. Assess cybersecurity resources and risks.

    This will be a multi-part exercise. It will require an audit of all IT infrastructure, systems, software, etc (You can’t protect what you don’t know you have). Shadow IT will need to be considered as well.

    Look at your current IT security and cybersecurity-specific processes, protocols, technologies, and training programs. You’ll also need to determine all possible scenarios for risks. This will all help identify the following:

    • Known and previously unknown risks
    • Gaps in cybersecurity defenses and responses, as well as other resources
    • Employee and vendor cybersecurity awareness
    • Training and resource needs
    • Insufficient cybersecurity maturity exhibited by application software or the software-as-a-service (SaaS) vendors
    • Varying supply chain vendor cybersecurity maturity

    2. Take the next steps.

    Once the assessment is done, follow up with a report containing recommendations for addressing the findings. Work with outside IT security companies and/or your cloud service provider (CSP) to offer solutions and associated budget numbers. Include information regarding the risks of not making the necessary changes. Making a strong business case for improving your company’s overall IT security is essential.

    3. Review of, or development of, an incident response plan (IRP).

      IT security incidents happen. It’s imperative to have a plan in place to deal with them when they do. If you have an IRP, review it frequently, test it, and update it accordingly. If you don’t have one, make creating one a priority. Contact third-party companies, such as a cloud service provider like US Signal, to help if you lack the time, resources, or expertise internally.

      4. Understand and meet your compliance requirements.

        Most regulatory requirements and other compliance obligations entail a certain IT security level. First, ensure you understand which of them you must meet. Then, make sure you meet them by achieving and maintaining compliance. If your organization achieves compliance, it will be better positioned to manage IT security risks.

        Each of these following regulations notes requirements with which engineering companies must comply.

        • Health Insurance Portability and Accountability Act (HIPAA)
        • Payment Card Industry Security Council’s Data Security Standard (PCI DSS)
        • Federal Information Security Management Act (FISMA)
        • General Data Protection Regulation (GDPR)
        • ISO 27001 Information security management
        • ISO 27002 Information security, cybersecurity, and privacy protection
        • National Institute of Standards and Technology (NIST Cybersecurity Framework)
        • North American Electric Reliability Corporation Reliability Standards (NERC-CIP)
        • Service Organization Control (SOC) Type 2.

        5. Extend your IT security and cybersecurity measures to all vendors, suppliers, and partners.

        As a normal part of business, engineering companies, as well as those in architecture and construction, must work with a lot of different companies and suppliers. In many cases, they must share data and work with the same IT systems and technologies. Without the right security mechanisms and processes in place, it’s easier for cybercriminals to find and exploit vulnerabilities.

        Among the things you can do:

        • Limit access to IT systems and data to only those who absolutely must have access to do their jobs. Monitor that access and end it when it’s no longer needed. Continuously review permissions to identify misconfigured permissions, over-permissioned accounts, and roles.
        • Implement multi-factor authentication (MFA) for access to IT systems and data.
        • Specify security requirements for all vendors, suppliers, and partners.
        • Require documentation from all vendors, suppliers, and partners of their IT security and cybersecurity processes.
        • Require IT security/cybersecurity training of vendors, suppliers, and partners as appropriate.
        • If you’ll be using custom application programming interfaces (APIs) for integrating databases or to allow software developers of external partners to access specific applications within your company’s computing environment, test them thoroughly. Change authorized credentials to access the API regularly. Log use of the API and review the log regularly. Store the API source code securely, and don’t publish it at an open-source repository.

        Additional Actions

        There are many more actions you can take to up your IT security and cybersecurity. And it’s important to remember you can never have too much security. However, what really matters is having the right security in place – when and where it’s needed. In addition to the security built into US Signal’s products and services, we offer a wide range of security services and security advisory services. Our solutions teams will be happy to work with you to identify and assess your security needs and offer solutions for meeting them. Contact us for more information.