This past week I was privileged to host an informative panel discussion at the CMAA National Conference. Kahua’s CTO Colin Whitlatch was joined by cyber-security researcher Chase Hatton. We used the following article, recently published in GovTech Magazine, as the six-point outline for our conversation.
As I listened to these two experts, it struck me that they represented opposite sides of the cyber-security conversation. Chase Hatton spends his days attacking his clients’ technology infrastructure. We referred to him as a “good bad-actor”, like a guy paid to break into your house but not steal anything.
By looking for these weaknesses he is able to tell his clients where they are vulnerable, before a true bad-actor finds the open door. Colin Whitlatch, on the other hand, spends his days leading a team of professionals dedicated to preventing these intrusions. It was offense versus defense on the speaker’s platform, a bit like offense versus defense in a ball game. But cyber-security is not a game, so we hope you enjoy the following blog post.
As you peruse the latest trade magazine or construction website, doesn’t it seem like there is always another report of a serious hack or data breach? Statista.com reports that in 2022, there were 1,800+ such incidents reported in the United States alone, which impacted 422 million individuals.
Globally things are not any better, and perhaps they are more frightening. Twice – in 2016 and 2018 – the number affected globally exceeded 2 billion individuals. And these are just the ones that are reported. Many breaches do not get announced to avoid public scrutiny or embarrassment.
Perhaps you have received a letter which informs you that a bank or creditor or merchant you use has experienced such a breach. The letter tells you that “your information may have been accessed.” The vendor then goes on to say they are making it right by offering a year’s worth of some credit monitoring.
Recently while visiting with a leading construction program management firm in Houston, I heard of two such attacks inflicted on its clients. One was a school district in Texas which paid $35k in Bitcoin to have its data – and doors – unlocked. The hackers had not only taken over the district’s servers, but they also entered the building security system and locked all the doors and entry ways at several schools. School actually had to be canceled for a week!
In looking for more information on this incident, I learned that dozens and dozens of Texas school districts have paid this kind of ransom. The most common practice is to just pay the hackers and try to beef up security later.
The second attack was on a private company, a design firm involved in hundreds of projects, which runs its business with multiple internet-based communication and information management systems. This firm did not disclose how much it cost to get out of this jam.
Most of these attacks are not intended to harm the attacked; they are done for profit. Week after week in 2019, another Texas school district was hit. Each time, the ransom amount was based on the district’s size, wealth and ability to pay. The attackers kept the number just low enough to make paying ransom easier than trying to regain control of its IT infrastructure.
Schools are particularly vulnerable because they are under such public scrutiny, they are underprepared, and they tend to pay these ransoms quickly. Being understaffed and under-resourced is a common condition for most government agencies. Few have staff dedicated to cyber-security.
Other industries are attacked even more often. Healthcare, financial services and manufacturing top the list of the most attacked industries. And the attacks can be malicious. Hacktivists, as they are called, work to cause damage and interfere with the supply chain based on ideological views. Last year a group called Predatory Sparrow caused a fire in an Iranian steel mill in response to unspecified acts of aggression carried out by the Islamic Republic.
Previously the same group had taken Iran’s national fuel station payment system offline and hijacked digital billboards, posting questions to Ayatollah Ali Khamenei, the country’s supreme leader, asking “Where is our fuel?”
What should we do? With such a volume of bad actors trying to access data, what can organizations that hold sensitive data do to protect themselves?
Start with your Employees
Security professionals agree that the first place to focus is training your employees. Every individual must understand the constant threat and the potential harm to the entire organization. Companies must establish policies and practices that reflect how serious the threat is. Requiring strong passwords that are changed every few months, using multifactor authentication, and establishing appropriate internet-use guidelines are just a few basic ideas.
More importantly, companies must work to create a culture of data security.
The Henry M. Jackson Foundation is a non-profit focused on military medical research. Using an outside consultant, it conducted an internal phishing scam, sending emails to all employees, but at varying times. These emails asked for sensitive information, for example, “Update Your Account Profile.”
If employees clicked the phishing link, they were greeted with a pop-up alerting them to the scam and providing instructions on how to avoid making this mistake in the future. Initially the click rate was 27%. By continuing this internal campaign, the company was able to reduce the click rate to just 3%. (Source: Cyber Security Hub, cshub.com)
Security must become part of your culture. And company leaders must set an example.
Keep Software Updated
Outdated security software is an invitation to hackers. We all live and work in cyberspace, and every desktop, laptop and mobile device is a possible open door. IT staff must be diligent about maintaining the latest security software and appropriate updates on all these doors, in the same way building managers must be sure that no one outside the organization is given access to the physical facilities.
For construction owners, this problem is exacerbated because so much building equipment is now controlled with software via Wi-Fi. If you have a Wi-Fi thermostat at home, you have a potential entry point for hackers. Construction owners have various equipment specified, procured, shipped, installed, commissioned, and put into service long before they have proper data delivered on how to maintain and operate this equipment.
It’s a problem that has existed for some time, often referred to as “Asset Data Handoff” or “the project after the project.” This lack of data at startup leaves the owner incredibly vulnerable because his equipment is put into service having missed several versions of security updates.
Recall the 2018 story of a Las Vegas casino having been hacked through the Wi-Fi-enabled thermometer on a fish tank. What did they steal? The personal data of all the individuals on the casino’s “high roller” list.
Construction owners can combat this threat by adopting a new method called Asset Centric Project Management (ACPM). ACPM delivers the necessary asset data – including equipment software information – to the owner’s operation and maintenance systems as it is authored during design or procurement or any pre-occupancy phase. The owner can now insist on all security patches being updated as part of the commissioning process. (Read more about ACPM here.)
Have a Security Plan
Your security plan is your summary of practices in place to keep your data secure. It should spell out what hardware and software you have in place to enhance security. It should also include your security policies and training practices which support the policies. And you should have given thought to what you’ll do when a breach happens. Do you have the best backup procedures possible? Do you secure backup data differently? Do you have cyber insurance that will pay ransomware demands?
Consider Hiring Third Party Security Experts
If your team does not have the experience or the time needed to dedicate to security, you’d be better off hiring an outside firm to help in this area. Data security can’t be an issue you avoid dealing with, not for any reason. If your team can’t make it a high priority, you must expand your team.
Apply the Gold Standard
Established by a memo from President Obama’s Office of Management and Budget in 2011, the Federal Risk and Authorization Management Program (FedRAMP) delivers consistent, best-practice security protocols for cloud service providers (CSPs) serving the federal government. A year after the idea was born, the General Services Administration (GSA) created the FedRAMP Program Management Office (PMO) and began creating what is now the national Gold Standard for cloud computing security.
FedRAMP requires software and infrastructure providers to adhere to strict requirements and to be constantly audited for compliance. For example, my firm, Kahua, had to implement 327 different controls to achieve FedRAMP “moderate” authorization in January of 2022. The iterative process took 43 months, with no unusual delays. We spent thousands and thousands of hours working to achieve the authorization, and today Kahua is still the only full-featured project information management system (PMIS) to be FedRAMP authorized.
A fully authorized FedRAMP platform authorizes the infrastructure of the system as well as the software that runs on top of that infrastructure. An organization can have confidence that these systems properly protect its data no matter where it is within the system. Here is a difference owners need to carefully note: solutions that simply host their services on FedRAMP authorized infrastructure are only providing protection for that data at rest. All other aspects of the system are unknown and put an organization’s data at serious risk.
When federal agencies are purchasing software to manage project information, they are now beginning to require FedRAMP. In 2020, a non-profit was created to help state and local government entities achieve the same kinds of security standards. “StateRAMP” is now being deployed in 20 states and more local government agencies. As you would expect, StateRAMP is now required in many solicitations and RFPs.
Speaking about the process of achieving FedRAMP authorization, Kahua CIO Colin Whitlatch said, “We spent several thousand man-hours achieving this goal. That said, much of the investment has had a positive effect on everything else we do. This process allowed us to put controls in place to deliver a more secure platform for all our clients, not just our FedRAMP clients.”
Cloud-based PMIS solutions offer scalability, flexibility, and remote access, enhancing project management efficiency. However, these advantages need to be balanced with stringent security measures, which FedRAMP addresses.
Government construction projects often require collaboration among multiple agencies, contractors and stakeholders. A FedRAMP authorized PMIS provides a secure platform for seamless collaboration while maintaining data confidentiality and integrity. By using a PMIS that aligns with FedRAMP standards, agencies can ensure a consistent approach to security across different projects and systems.
Do not settle. Do not rest.
The final thought on this issue is to take it seriously. If your data is important, treat it like it is. Do not settle for lax policies, standards or people. Insist on making data security a high priority. And do not rest. Technology is ever advancing, and your methods for protecting your data must advance at the same intense pace. You will never get to a point where you can say, “That’s it. We are now secure.” Think like the bad actors, who will not stop in their attempts to rob you.
I'd love to learn your thoughts on cyber-security and how we can make our information safer. Share your comments below!