Construction Leaders Podcast: Cybersecurity and Safety in Construction Projects
Hosted by the Construction Management Association of America
Release Date: July 1, 2024
Introduction
In Season Three, Episode Seven of the Construction Leaders Podcast, the Construction Management Association of America (CMAA) delves into the critical intersection of cybersecurity and safety within the construction industry. Hosted by Carly Trout and Nick Soto, this episode features a compelling discussion with The Honorable Lucian Niemeyer, CEO of Building Cybersecurity. Niemeyer brings a wealth of experience as a cybersecurity professional, retired Air Force veteran, former White House official, and Assistant Secretary of Defense. His insights shed light on the pressing need for robust cybersecurity measures in construction projects to safeguard critical infrastructure against escalating cyber threats.
The Escalating Threat Landscape
The episode opens with an acknowledgment of the increasing prominence of cyber threats targeting essential infrastructure. Niemeyer emphasizes the severity and immediacy of these threats:
“We have a new type of threat, a threat directly to the public safety of our nation.”
— Lucian Niemeyer [01:53]
Niemeyer highlights that both nation-state actors and criminal organizations are leveraging cyberattacks to disrupt vital systems such as power, water, communications, and automated equipment. These attacks pose significant risks, including data breaches, sabotage of systems, and threats to human safety. The construction industry, integral to building and maintaining this infrastructure, is uniquely positioned yet currently underprepared to counter these threats effectively.
Understanding IT vs. OT in Construction
A pivotal part of the discussion revolves around distinguishing Information Technology (IT) from Operational Technology (OT):
“Cyber physical systems is when a keyboard can actually control a physical action.”
— Lucian Niemeyer [02:58]
Niemeyer explains that OT encompasses systems where digital inputs directly influence physical processes, such as HVAC systems, elevators, and fire controls within buildings. Unlike IT, which deals primarily with data and information processing, OT integrates cyber elements with the physical infrastructure, making them susceptible to cyber manipulations that can have tangible safety implications.
Establishing a Standard of Care in Cybersecurity
Niemeyer advocates for the creation of a standard of care specific to cybersecurity in the construction and engineering sectors. Drawing parallels to the rigorous standards upheld by licensed engineers for safety and structural integrity, he calls for similar standards to govern cyber safety:
“We need to establish a specific engineering standard of care to protect the networks and the connected systems.”
— Lucian Niemeyer [04:20]
This standard would require engineers to integrate cybersecurity measures from the initial design phase through the entire lifecycle of a building, ensuring that all connected systems are safeguarded against potential cyber threats. Such an approach would institutionalize cybersecurity as a fundamental aspect of construction practices, akin to traditional safety protocols.
The Role of AI and Machine Learning
Artificial Intelligence (AI) and Machine Learning (ML) emerge as transformative tools in enhancing both design efficiency and cybersecurity:
“AI can be trained to understand all building codes... and assist an engineer to improve operational efficiency and structural integrity.”
— Lucian Niemeyer [06:13]
Niemeyer envisions AI-driven tools like digital twins enabling engineers to create virtual models of buildings, allowing for sophisticated simulations and real-time monitoring. These technologies can preemptively identify anomalies and potential cyber threats, thereby facilitating proactive maintenance and enhancing overall building safety and performance.
Digital Twins: A Paradigm Shift in Construction
Digital twins, as explained by Niemeyer, represent virtual replicas of physical structures that integrate real-time data and sensor inputs to monitor and manage building systems:
“A digital twin is a virtual reproduction of a physical building or machine... it can serve as the basis for commissioning and cyber commissioning.”
— Lucian Niemeyer [08:08]
By leveraging digital twins, construction professionals can simulate various scenarios, assess the impact of cyber interventions, and ensure that all systems operate within safe parameters. This technology not only aids in the design and construction phases but also plays a crucial role in the ongoing operation and maintenance of buildings, providing continuous oversight and enhancing cybersecurity resilience.
Balancing Connectivity: Risks and Rewards
As buildings become increasingly interconnected, the benefits of smart technologies are accompanied by heightened cybersecurity risks:
“Every one of them potentially poses a vector for exploitation or nefarious activity.”
— Lucian Niemeyer [11:01]
Niemeyer underscores that the proliferation of connected devices—ranging from smart thermostats to advanced HVAC systems—increases the attack surface for cyber threats. While these technologies offer improved efficiency and sustainability, they also introduce vulnerabilities that must be meticulously managed through comprehensive cybersecurity strategies and standards.
Cyber Commissioning vs. Building Commissioning
Introducing cyber commissioning as an extension of traditional building commissioning, Niemeyer outlines the necessity of evaluating and securing the digital aspects of building systems:
“Cyber commissioning would be a separate team... checking the configurations for all the systems in the building.”
— Lucian Niemeyer [15:45]
Building commissioning focuses on verifying the physical systems' performance, whereas cyber commissioning involves assessing the cybersecurity configurations, ensuring that there are no default passwords, unauthorized access points, or other digital vulnerabilities. This dual approach ensures that both the physical and digital infrastructures are secure and functioning as intended.
BuildingCybersecurity.org: Setting Industry Standards
Niemeyer’s nonprofit, BuildingCybersecurity.org, plays a pivotal role in translating complex cybersecurity standards into practical, actionable guidelines for the construction industry:
“We have to translate these standards in a way that can be used.”
— Lucian Niemeyer [16:40]
The organization collaborates with global standards bodies and industry stakeholders to develop frameworks that address the unique cybersecurity challenges in construction. By simplifying and disseminating these standards, BuildingCybersecurity.org empowers building owners, engineers, and construction managers to implement effective cybersecurity measures that protect both infrastructure and human lives.
Certification Program and Industry Adoption
The podcast details the envisioned certification program designed to incentivize and formalize cybersecurity practices within the construction industry:
“Building owners is going to want to get certified... to show their insurer where we've taken these steps.”
— Lucian Niemeyer [20:28]
This certification would operate similarly to insurance discounts for physical security measures, rewarding building owners who adopt robust cybersecurity practices with lower insurance premiums. By integrating certification into Request for Information (RFI) and Request for Quotation (RFQ) processes, the industry can standardize cybersecurity expectations and promote widespread adoption of best practices.
Next Steps: Addressing the Cybersecurity Threat
Concluding the episode, Niemeyer outlines the urgent steps needed to mitigate cybersecurity risks in construction:
“Cyber safety has to be mandatory.”
— Lucian Niemeyer [22:38]
He calls for a national imperative to establish and enforce cybersecurity standards across all stages of construction and infrastructure management. This includes integrating cybersecurity considerations into engineering education, design processes, and operational protocols. By recognizing cybersecurity as a fundamental safety issue, the industry can prioritize investments in protective measures, thereby reducing risks to property and human safety.
Conclusion
Season Three, Episode Seven of the Construction Leaders Podcast effectively underscores the critical importance of integrating cybersecurity into construction practices. Through the expertise of Lucian Niemeyer, listeners gain a comprehensive understanding of the current threat landscape, the necessity for standardized cybersecurity measures, and the transformative potential of emerging technologies like AI and digital twins. As the construction industry continues to embrace digital advancements, the insights from this episode serve as a vital guide for constructing safer, more resilient infrastructure in an increasingly connected world.
Key Takeaways:
- Immediate Action Required: The construction industry must prioritize cybersecurity to protect critical infrastructure and public safety.
- Standard of Care: Establishing rigorous cybersecurity standards akin to traditional engineering safety protocols is essential.
- Emerging Technologies: AI, machine learning, and digital twins offer significant opportunities to enhance design efficiency and cybersecurity resilience.
- Certification and Incentives: Implementing certification programs can incentivize the adoption of best cybersecurity practices and reduce insurance costs.
- Industry Collaboration: BuildingCybersecurity.org exemplifies the importance of collaborative efforts in developing and disseminating practical cybersecurity standards.
For more information on building cybersecurity standards and certification, visit BuildingCybersecurity.org.
