Figure 5 - uploaded by Borja García de Soto
Content may be subject to copyright.
(a) Attack tree for the Tampering Threat Class

(a) Attack tree for the Tampering Threat Class

Source publication
Conference Paper
Full-text available
Cybersecurity threats related to new technologies get little attention until an incident occurs, and vulnerabilities are highlighted. In the case of construction projects, any cyber breach, either malicious or incidental, has the potential to cause significant damage. This varies from unauthorized access of sensitive project information to hijackin...

Similar publications

Chapter
Full-text available
Maximizing the production process in modern industry, as proposed by Industry 4.0, requires extensive use of Cyber-Physical Systems (CbPS). Artificial intelligence technologies, through CbPS, allow monitoring of natural processes, making autonomous, decentralized and optimal decisions. Collection of information that optimizes the effectiveness of d...
Preprint
Full-text available
During the last two decades, distributed energy systems, especially renewable energy sources (RES), have become more economically viable with increasing market share and penetration levels on power systems. In addition to decarbonization and decentralization of energy systems, digitalization has also become very important. The use of artificial int...
Preprint
Full-text available
Industrial cyber-physical systems (ICPSs) manage critical infrastructures by controlling the processes based on the "physics" data gathered by edge sensor networks. Recent innovations in ubiquitous computing and communication technologies have prompted the rapid integration of highly interconnected systems to ICPSs. Hence, the "security by obscurit...
Preprint
Full-text available
A design framework recently has been developed to stabilize interconnected multiagent systems in a distributed manner, and systematically capture the architectural aspect of cyber-physical systems. Such a control theoretic framework, however, results in a stabilization protocol which is passive with respect to the cyber attacks and conservative reg...
Preprint
Full-text available
Modern electric power grid, known as the Smart Grid, has fast transformed the isolated and centrally controlled power system to a fast and massively connected cyber-physical system that benefits from the revolutions happening in the communications and the fast adoption of Internet of Things devices. While the synergy of a vast number of cyber-physi...

Citations

... Due to the risks and challenges outlined above, construction companies are significantly vulnerable to cyberattacks (Doss and Saul Ewing Arnstein & Lehr LLP, 2019;Mantha et al., 2020Mantha et al., , 2021Mantha and García de Soto, 2019;Pärn and Edwards, 2019;Pärn and García de Soto, 2020;Richey and Sawyer, 2015) and should be proactive in implementing strategies and educating employees to secure data. However, the reality is that awareness and investment in high-level security in the industry are still very low, making this industry susceptible and particularly attractive to hackers (Ghadiminia et al., 2021;Mohamed Shibly and García de Soto, 2020). Therefore, an essential element for the successful transition into the digitalization of the industry is the consideration of cybersecurity. ...
Article
Full-text available
One of the key concepts of Construction 4.0 is cyber-physical systems. The construction industry is increasingly creating valuable digital assets, but it is also gradually using digital technology to plan, design, build, monitor, and control the physical ones. This makes construction sites and operations vulnerable to cyber-attacks. While the damage to digital assets can have financial implications, attacks on digitally-controlled physical assets may impact people's well-being and, in worst-case scenarios, result in casualties. The problem is amplified by the emerging cyber-physical nature of the systems, where the human checks may be left out. The construction industry could draw inspiration from the work done in critical infrastructures (CI). Construction is the prelude of any socio-technical asset tagged as a CI. While most assets may not be critical in the CI sense, they are essential to a business' operations and the people directly or indirectly associated with them. This study presents a literature review on the previous CI protection (CIP) efforts and construction cybersecurity studies to show their synergy. Recommendations based on well-established CIP processes to make construction more cyber-secure are provided. It is expected that this study will create awareness about cybersecurity practices within the construction industry. Ongoing work includes understanding where construction stands and developing a framework to address cybersecurity throughout the different project phases.
... Therefore, understanding the potential threats against OT on construction sites, detecting security vulnerabilities, and providing mitigation methods are paramount. A few studies have focused on the OT cybersecurity aspects of construction sites, such as [9] that proposed a preliminary threat modeling method for construction projects based on the Quantitative Threat Modeling Method (QuantitativeTMM) and demonstrated it with a 3D concrete printer, [10] [11] that implemented the Common Vulnerability Scoring System (CVSS) to evaluate and quantify the vulnerabilities of construction networks, [12] that investigated the gaps in the cybersecurity of OT utilized in construction and suggested future directions for the industry and academia, and [13] that pointed out the potential physical damages that might occur as a result of hijacked autonomous construction equipment. To the authors' knowledge, there is no previous study investigating the use of cybersecurity frameworks during the construction phase. ...
Conference Paper
Full-text available
The construction industry is increasingly using information technologies (IT) and operational technologies (OT) to enhance processes and operations through digitalization. Creating, editing, storing, and sharing information in digital environments is only one side of the coin; the other involves monitoring and controlling physical processes on construction sites. Given the nature of construction sites, where humans and machines/equipment work collaboratively, safety concerns arise. Utilizing interconnected and cyber-physical systems such as (semi)autonomous and remote-controlled machines on-site magnifies the importance of robust cybersecurity. Therefore, it becomes necessary to understand the threats against each networked equipment, analyze the vulnerabilities, assess the risks, and provide mitigation methods. Cybersecurity frameworks are effective solutions for this purpose; however, they are usually generic and thus require customization to be employed in the construction site environment. Against this background, this paper reviews existing cybersecurity frameworks/standards and selects the most suitable one to implement in the construction environment. The implementation was performed by customizing the selected generic framework considering the needs of a hypothetical construction site that utilizes autonomous earthmoving equipment. For the evaluation, a scoring system that was not included in the original framework was proposed. Given the paucity of studies in this field and lack of cybersecurity awareness in the construction industry, this study aims (1) to raise awareness about the potential cyber threats against construction sites that are increasingly interconnected, (2) to point out the need for a customized cyber assessment method on-site, and (3) help building a security-minded approach within the construction industry.
... The objective is to understand the "how, where, why, and by whom" of an attack. To the best of the authors' knowledge, very few studies (e.g., Andersson et al., 2019;Mohamed Shibly & García de Soto, 2020) are available regarding cybersecurity threat models in construction projects. An everyday simplistic example of threat modeling is when users install antivirus in a laptop to protect themselves from hackers gaining access to personal data through malware injection. ...
Article
Digitalization and automation are making the architecture, engineering, and construction (AEC) industry more vulnerable to cyberattacks. Existing literature suggests that industry-specific studies need to be conducted. The work presented in this study shows a preliminary cybersecurity threat model relevant to the AEC industry. To that end, threat models for each of the life cycle phases are proposed. The feasibility of the proposed approach is illustrated with an example from the commissioning phase of a building, which includes an autonomous robotic system to collect data as a possible countermeasure. The suggested countermeasure shows promise to address some of the cybersecurity challenges faced in the building certification and commissioning process. The results show that the likelihood of detecting rogue sensors increases with additional constraints in the monitoring robot, such as minimum and maximum distance. The illustrative models suggest that the proposed framework will help to address the safety and cyber security of stakeholders and systems during crucial phases of construction projects.
Article
Full-text available
The digital transformation in the construction industry affects how information is exchanged and disrupts the way construction sites operate. The levels of operational technology (OT) to control and monitor site activities by utilizing robotic, autonomous, and remotely controlled machines raise cybersecurity concerns. As construction sites are places where humans and machines work together, the potential safety outcomes of cybersecurity vulnerabilities are magnified. This study's motivation was to understand the current state of the art and identify gaps to suggest future directions regarding OT in construction from the cybersecurity perspective. To achieve that, a bibliometric analysis was conducted. The analysis utilized the Scopus database to retrieve related publications and VOSviewer version 1.6.15 software to visualize bibliometric networks. Main research themes were identified, and each theme was reviewed from a cybersecurity perspective. The limitations of the analysis include the lack of industry-based categorization, the domination of publications focusing on the cybersecurity of industrial control systems (ICSs), and the set of keyword combinations used for the literature search that could be expanded to cover a broader range of research topics. The findings reveal the lack of focus on the construction phase in the construction cybersecurity research. Moreover, cybersecurity aspects are absent in the construction automation studies, and there is a need for bespoke threat modeling and intrusion detection systems for all the phases of construction projects. Suggestions for further research on the potential threats against the construction phase are provided. Future directions include possible adaptations of the available cybersecurity frameworks considering the utilization of OT on construction sites and investigating the methods to evaluate security levels on construction sites and countermeasures against cyberattacks.
Article
Full-text available
The architecture, engineering, and construction (AEC) industry is increasingly becoming digital and more prone to cyber-attacks. Although there are several studies and standards in the cybersecurity domain, experts suggest that domain-specific studies need to be conducted to address the unique challenges faced within each of the different industries. Therefore, several cybersecurity studies have been undertaken for various industries, such as healthcare, manufacturing, telecommunication, and energy. However, this type of study is largely missing in the AEC industry due to different reasons, including lack of awareness. To address that, this study aims to (a) compare and analyze the number of cybersecurity-related documents in the AEC industry with several other industries, and (b) extract and analyze the cybersecurity-related documents data to identify potential future research trends and topics for the AEC community. The Web of Science (WOS) database, consisting of significant and influential journal publications, was used for document retrieval. VOSviewer was used to identify key research topics and trends in the cybersecurity domain and define future cybersecurity research in the AEC industry. WOS document retrieval results that compared the total number of publications corroborated the little to no attention received to cybersecurity investigation in the AEC industry. In addition, the VOSviewer analysis revealed three significant areas of research in the cybersecurity community that provide a reasonably justified roadmap for conducting cybersecurity research in the AEC industry. This study could greatly benefit the AEC research community and potential reaping benefits to the industry by creating more awareness among different stakeholders.