Nathan Charles, head of customer success at OryxAlign, discusses IoT and smart construction to secure connected systems against threats.
The post Securing IoT and smart construction appeared first on Planning, Building & Construction Today. 
Nathan Charles, head of customer success at OryxAlign, discusses the cybersecurity risks of IoT in construction and the steps firms must take to secure their connected systems against evolving threats
In early 2024, security researchers uncovered a botnet operation known as “Matrix,” which exploited vulnerabilities in internet-connected devices to launch large-scale cyberattacks.
From industrial sensors to security cameras, the malware spread rapidly, taking advantage of weak authentication protocols and outdated software. While the primary targets were businesses in sectors such as healthcare and logistics, the attack served as a warning to any industry adopting the Internet of Things (IoT).
Why IoT is a security concern
Connected equipment like automated machinery and networked environmental sensors has become standard on modern construction sites. While these tools improve efficiency and site monitoring, they also introduce new vulnerabilities.
One of the main challenges is that many IoT devices lack built-in security protections. Unlike office-based IT systems, which benefit from centralised control and regular updates, construction IoT networks are often fragmented. Devices from multiple manufacturers may be deployed across a site, each with its own software vulnerabilities. If a security flaw is discovered in one sensor or camera, an attacker could use it as a gateway to infiltrate the entire system.
The reliance on third-party vendors also complicates security efforts. Many construction firms work with external providers for services like cloud storage and remote device management. If any of these suppliers suffer a breach, attackers could gain indirect access to project data. The risk isn’t just theoretical. Past cyberattacks on operational technology have shown that when attackers compromise one system, the consequences often cascade across an entire network.
But it’s not just devices that are at risk. Phishing scams and credential theft are among the most common entry points for cyber intrusions, and construction is no exception. With multiple contractors and suppliers accessing project management systems, the attack surface grows. A single compromised login could give a hacker the access they need to disable security cameras, alter sensor data or halt automated equipment.
Despite these risks, many firms remain unaware of the scale of the problem. Cybersecurity in construction has traditionally focused on protecting office-based IT infrastructure, with far less attention paid to field-deployed devices. As IoT adoption expands, this approach no longer suffices.
Real-world risks
Data breaches remain one of the most immediate risks. IoT devices track site layouts, equipment usage and, in some cases, biometric data for access control. If an attacker gains access, they could steal project details, exposing sensitive financial agreements or intellectual property. Large projects often involve multiple stakeholders, meaning a single breach could impact everyone from suppliers to clients.
Ransomware attacks are another growing concern. Attackers could take control of automated equipment or site networks, demanding payment to restore access. Such an attack on a construction site could halt operations entirely, pushing projects over budget and causing reputational damage.
Beyond financial losses, operational disruptions pose a serious safety risk. A cyberattack could manipulate sensor data, leading to inaccurate readings that cause structural miscalculations or safety breaches. If attackers gain access to heavy equipment, they could shut down operations or, in a worst-case scenario, create dangerous working conditions for on-site teams.
How to secure IoT
A robust cybersecurity strategy should extend beyond basic protections, like relying on the standard device encryption. It should instead incorporate continuous monitoring, strict access controls and workforce training to reduce risks.
Traditional cybersecurity models often operate on an implicit trust system, where once a user or device is inside the network, they are granted broad access. This approach leaves IoT environments vulnerable to insider threats and lateral movement by attackers. Instead, firms should adopt a zero-trust security model, which assumes that no device or user should be trusted by default.
Every connected device should undergo strict authentication before being granted network access. Role-based access controls (RBAC) can further limit exposure by ensuring that users can only access the systems and data necessary for their specific tasks. These permissions should be reviewed regularly, particularly for subcontractors and third-party vendors who may only need temporary access.
Just as businesses routinely test their office networks for vulnerabilities, construction firms should apply the same scrutiny to their IoT ecosystems. Cybercriminals actively search for weaknesses like outdated firmware, misconfigured sensors or unsecured remote access points. Regular security audits help identify these risks before they can be exploited.
Many IoT security breaches stem from poor device configurations. When manufacturers ship equipment with default passwords, these credentials are often publicly available or easily guessed, making them a common attack vector. Firms should ensure that all devices are reconfigured before deployment, replacing factory settings with unique, strong passwords and multi-factor authentication (MFA) where possible.
Beyond passwords, unused device features should be disabled to reduce potential attack surfaces. IoT sensors and cameras also generate large amounts of data, some of which may be sensitive. Encryption should be applied to data both at rest and in transit to prevent unauthorised access.
Many construction firms rely on a patchwork of security solutions, with different tools monitoring different systems. This fragmented approach makes it difficult to detect and respond to cyber threats efficiently. A more effective strategy is to consolidate security monitoring, ensuring that all IoT devices feed into a single dashboard for real-time threat detection.
Tools like extended detection and response (XDR) unify multiple security layers into a single, more manageable system. This method enables security teams to detect anomalies across IoT networks in real time, identifying potential breaches before they escalate.
Collaborating with trusted vendors
Construction firms often rely on third-party vendors to supply and manage their IoT devices, but not all vendors prioritise security. Before integrating new devices, firms should conduct vendor risk assessments, ensuring that suppliers adhere to strict cybersecurity standards.
Regular firmware updates and security patches are important, yet many IoT manufacturers provide limited support beyond the initial sale. Firms should establish long-term relationships with vendors that offer ongoing maintenance and proactive security updates. Deploying unpatched devices incurs added risk, as attackers frequently exploit known vulnerabilities that remain unfixed.
Training staff on IoT cybersecurity risks
Even with the best technical protections in place, a single mistake by an employee or contractor can compromise an entire system. The construction industry faces unique challenges in this area, as on-site workers may not have the same level of cybersecurity awareness as office-based staff.
Human error remains one of the biggest factors in cybersecurity breaches. According to industry research, 74 per cent of cybersecurity issues stem from human mistakes, such as falling for phishing scams or using weak passwords.
Workers should be trained to recognise phishing attacks that target IoT logins, as well as social engineering tactics used to trick them into revealing sensitive information. Security drills can be an effective way to test awareness, simulating IoT-related cyberattacks to evaluate how teams respond.
By combining technology-driven defences with human-centred security awareness, construction firms can significantly reduce their exposure to cyber threats.
Regulatory landscape & compliance
As construction firms integrate more IoT technology into their operations, the regulatory landscape is shifting. Cybersecurity laws are tightening, and firms must stay ahead of emerging rules to avoid penalties and reputational damage. Two key areas of compliance stand out: network security regulations and data protection laws.
The EU’s NIS2 Directive introduces stricter cybersecurity obligations for sectors deemed essential to national infrastructure. While construction isn’t explicitly listed, firms working on critical infrastructure projects, like energy, water and transport, may be affected. If classified under NIS2, companies must improve cyber defences, report security incidents within 24 hours and face stricter enforcement measures if they fail to comply. These include fines of up to €10m or 2 per cent of global annual turnover, binding security orders and potential personal liability for executives in cases of negligence. The UK, while no longer inside the EU, is expected to align with similar cybersecurity standards.
Many IoT devices in construction collect personal data, from wearables tracking worker safety to biometric access controls on-site. Under GDPR, firms must ensure that data is secure and processed transparently. This involves encrypting sensitive information and implementing strict access controls. Breaches can result in substantial fines of up to €20 million or 4 per cent of the company’s worldwide annual revenue from the preceding financial year, whichever is higher.
Lessons from the data centre industry
The UK’s decision to classify data centres as Critical National Infrastructure (CNI) signals a shift in how digital infrastructure is viewed. These facilities are now recognised as essential to the economy, requiring enhanced security measures and government-backed support. Construction firms, particularly those involved in major infrastructure projects, should take note. As digital connectivity becomes as important as physical infrastructure, IoT security in construction may soon face similar regulatory scrutiny.
Future challenges and trends
The growing use of IoT in construction is exposing firms to an evolving threat landscape. Attackers are becoming more sophisticated, and new technologies will reshape the risks facing connected sites. Firms that fail to anticipate these challenges risk being caught off guard.
One emerging concern is the use of artificial intelligence (AI) in cyberattacks. AI-powered malware can analyse network activity, adapt in real time and bypass security controls more effectively than traditional methods. While AI is also being used to strengthen cybersecurity, attackers are developing ways to automate intrusions and exploit IoT vulnerabilities at scale.
The Matrix botnet attack was a reminder of how quickly cyber threats can escalate. A single vulnerability in an IoT device can become the entry point for a far-reaching attack, with consequences spreading beyond the intended target.
The firms that act now will be better prepared for what’s ahead. Those that delay will be left scrambling when the next attack comes. The construction sector is transforming, but without stronger security, it is building on unstable ground.
The post Securing IoT and smart construction appeared first on Planning, Building & Construction Today.
About The Author
