By Lauren Wain, General Manager, Credence Security

An increasing number of high-profile and large-scale engineering projects, ranging from oil pipelines to nuclear power stations, put the spotlight on the growing vulnerability of the supply chain involved in any major engineering initiative. There are a vast number of steps to project delivery. There are a huge number of third-party partners, contractors and suppliers involved.

Compounding the complexity associated with these numbers is the fact that most projects are global in nature, involving people and companies from all over the world. Partners and organisations involved will range from builders, engineers and architects, to equipment and tool suppliers, and those who handle admin, HR and the back end. Not to mention finance, catering, employment agencies and similar. It’s easy to see why they are attractive targets for cyber attackers.

Engineering firms also have access to plenty of data that is of value to cyber criminals. From blueprints and proprietary information, to financial logins and other details, all this information is worth something. There’s also employee data, and the personal information of everyone involved in these projects to think about.

Moreover, as the industry becomes increasingly connected to the internet via various solutions and systems, such as telematics and project management apps and software, more opportunities exist for threat actors to commit an attack.

At the same time that technology brings efficiencies and cost savings, it also comes hand in hand with a whole slew of vulnerabilities. To deliver projects on time, and on budget, engineering firms depend largely on collaboration. That means having the ability to share and exchange large amounts of data and information across integrated systems via the cloud. The nature of this information varies, and while some might be commonplace, other data is highly confidential in nature, highlighting the need for proper security controls and good governance.

In addition, as the supply chain sprawls, more vulnerabilities come into the picture, meaning that any individual connected to a site’s systems could be used as a point of entry to the network, and as a stepping stone to carry out a breach. Although a supplier may be perceived as having information of little importance, it could be used as a conduit to more sensitive and valuable data.

In terms of governance, engineering firms have to have a clear and accurate picture of who they are connected to, and who has access to their systems. The intricate network of suppliers and contractors forms a web of connections, and any one of these could be a weak link in the security chain. Each supplier or contractor has to have measures and controls in place to ensure that they are not the weakest link, and as such, standards for security must be included in any contracts, and procedures must be enforced. Engineering firms should also consider making training and awareness around these issues mandatory for all partners, and available to all.

Finally, understanding of cyber risk needs to be built in at every stage of the process, and should be an important part of even the planning stages. This means addressing security risks with governance, policies and processes that enforce best practices across the industry. Although security technologies are essential to protecting systems, on their own they are not enough.

More and more layers of technology will not help if the parties involved are not up to speed with best practices. Creating and imbuing a culture of cyber security awareness and prevention is essential to ensure individuals don’t fall prey to phishing attacks, and don’t do stupid things like clicking on suspicious attachments and links in an email.
