Wake-up call for Cybersecurity in the Construction Industry: Contractor Falls Victim to Cyber Attack

The Wall Street Journal recently reported that cyber-attacks by foreign governments into the nation’s electric grid are utilizing what it called “the system’s unprotected underbelly,” the contractors and subcontractors that work for the utilities. According to the Journal’s reporting, a 15-person construction contractor in Salem, Oregon had fallen victim to a cyber attack, one that the Department of Homeland Security said was most likely carried out by a foreign government. 

The contractor had been what cyber attackers often refer to as a “soft” or easy target because it had no reason to be on high alert against a cyberattack.   As an employee of All-Ways Excavating USA, the contractor who was breached, stated: “They were intercepting my every email. What the hell? I’m nobody.”  Tellingly, DHS replied, “It’s not you.  It’s who you know.” This scenario exemplifies a common practice among hackers wherein they exploit the cyber vulnerabilities of unsuspecting contractors, many of them from the construction industry, as launching pads for attacks on larger clients, including utility companies and government.

The incidents reported in the WSJ article underscore the importance of vendor due diligence regarding cybersecurity practices. In a recent client alert, we discuss the hacker practice brought to light by this recent news. We also provide insight as to how vendors should proceed, including vendor cybersecurity checklists. Read the publication here. Please contact the authors with any questions or for help with your cybersecurity needs.