Sector Analysis

Sector Under the Microscope: Cyber Security for Construction

> series: sector_under_the_microscope —— part: 06/10 —— sector: construction —— attack_surface: every_site_

Hedgehog Security · 1 January 2026 · 11 min read

Every site is a network. Every network is an attack surface.

Construction is one of the UK's least cyber-mature sectors — and one of the most rapidly digitising. Building Information Modelling (BIM), cloud-based project management platforms, IoT sensors on construction sites, connected plant and machinery, drone surveys, and building management systems are transforming how projects are delivered. But the security foundations are not keeping pace with the digital ones.

This article examines the cyber threats specific to UK construction companies, the vulnerabilities we find during penetration testing engagements in the sector, and the practical security priorities for an industry where the attack surface grows with every new project.



What targets construction.

Payment and Invoice Fraud
Construction's complex supply chains — with multiple subcontractors, staged payments, and retention release cycles — create ideal conditions for business email compromise and invoice redirect fraud. Attackers compromise email accounts and submit fraudulent invoices or modify payment details for genuine ones. The sums involved in construction payments make this a high-value attack.
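One control a finance team can run on every inbound invoice before release, as an added example that is not part of this article or Hedgehog Security's tooling: hold any invoice whose bank details differ from the supplier master record, or whose sender domain is a lookalike of the registered one. Supplier records, invoices and field names are constructed assumptions about what an accounts-payable export might contain.

```python
from collections import namedtuple

# Constructed supplier master data (not real firms): id -> (email domain, sort code, account no.)
SUPPLIER_MASTER = {
    "SUB-0412": ("northcladding.example", "20-10-53", "44912077"),
    "SUB-0199": ("mepservices.example", "40-22-19", "10876532"),
}

Invoice = namedtuple("Invoice", "supplier_id sender_email sort_code account amount_gbp")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain is usually one or two edits away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_invoice(inv: Invoice) -> list[str]:
    """Reasons to hold the invoice for out-of-band verification (a call to a number
    already on file, never one taken from the email); empty list means no flags."""
    master = SUPPLIER_MASTER.get(inv.supplier_id)
    if master is None:
        return ["unknown supplier id"]
    domain, sort_code, account = master
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    reasons = []
    if (inv.sort_code, inv.account) != (sort_code, account):
        # Invoice-redirect fraud: genuine-looking invoice, attacker-controlled bank account.
        reasons.append("bank details differ from supplier master record")
    if sender_domain != domain:
        if edit_distance(sender_domain, domain) <= 2 or domain.split(".")[0] in sender_domain:
            reasons.append(f"sender domain {sender_domain!r} is a lookalike of {domain!r}")
        else:
            reasons.append(f"sender domain {sender_domain!r} not registered for supplier")
    return reasons

def held_invoices(invoices: list[Invoice]) -> dict[int, list[str]]:
    """Index of every flagged invoice mapped to its reasons."""
    return {i: r for i, inv in enumerate(invoices) if (r := review_invoice(inv))}

# Constructed sample: genuine; changed bank details from the supplier's real (compromised)
# mailbox; changed bank details sent from a lookalike domain (the 'l' replaced by '1').
SAMPLE = [
    Invoice("SUB-0412", "accounts@northcladding.example", "20-10-53", "44912077", 184000.0),
    Invoice("SUB-0199", "accounts@mepservices.example", "40-22-19", "99887766", 92500.0),
    Invoice("SUB-0412", "accounts@northc1adding.example", "20-10-53", "31544098", 184000.0),
]
```

Note that the second sample is sent from the supplier's genuine domain: a bank-detail change alone must be enough to hold payment, because a compromised mailbox passes every email-authentication check.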
BIM and Project Data Theft
BIM models contain detailed architectural, structural, and MEP data about buildings — including government and defence facilities. This data has intelligence value for nation-state actors and commercial value for competitors. Project management platforms containing tender pricing, contractual terms, and client communications are equally attractive.
Ransomware Hitting Project Deadlines
Construction operates on tight deadlines with heavy liquidated damages for delays. Ransomware that disrupts access to project data, design files, or procurement systems during critical project phases creates intense pressure to pay — because the cost of delay exceeds the ransom.
Unsecured Site Networks
Temporary site offices with hastily deployed Wi-Fi, shared credentials across subcontractor teams, and IoT sensors on unsecured networks create a transient, poorly managed attack surface that changes with every project phase. Our <a href="/penetration-testing/network">network testing</a> frequently reveals these exposures.

Vulnerabilities in construction environments.

Cloud platform credentials shared across subcontractor teams
Project management platforms, BIM collaboration tools, and file sharing services with shared or default credentials used by dozens of subcontractor firms — any of whom could be compromised. Access is rarely revoked when subcontractors leave.
No segmentation between site and corporate networks
VPN tunnels from temporary site offices connecting directly into the corporate network with no segmentation. A compromised site office — or a malicious subcontractor — has the same network access as head office.
Building management systems accessible from the corporate network
BMS platforms (HVAC, access control, lighting, metering) on completed projects accessible via the corporate network with default credentials. Our BMS engagement article demonstrates the consequences.
Drone survey data stored without access control
Aerial survey imagery, LiDAR data, and photogrammetry outputs stored on network shares or cloud platforms without access restrictions — containing detailed site layouts, security configurations, and surrounding area intelligence. Our drone reconnaissance article explores this risk.
Unmanaged IoT on construction sites
Environmental sensors, security cameras, and connected plant equipment deployed on site networks with default credentials and no firmware updates. These devices provide persistent network access that outlasts the subcontractor who installed them.
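The first finding above (credentials shared across subcontractor firms and never revoked) is straightforward to check periodically by joining the collaboration platform's user export against the commercial team's subcontractor register; this is an added example, not this article's or Hedgehog Security's own tooling. Both datasets, the firm names, the review date and the column layout are constructed assumptions.

```python
from datetime import date

# Constructed subcontractor register (not real firms): firm -> date its package finished,
# None while still on site. In practice this comes from the commercial team, not IT.
REGISTER = {
    "Acme Groundworks": date(2025, 6, 30),
    "Borealis M&E": None,
    "Cedar Scaffolding": date(2025, 11, 15),
}

# Constructed platform user export: (login, firm the account was created for, role, last login)
USERS = [
    ("acme.site", "Acme Groundworks", "editor", date(2025, 10, 2)),
    ("borealis.pm", "Borealis M&E", "editor", date(2025, 12, 20)),
    ("site-shared", "Cedar Scaffolding", "admin", date(2025, 12, 28)),
    ("site-shared", "Borealis M&E", "admin", date(2025, 12, 29)),
    ("dawson.survey", "Dawson Drone Surveys", "viewer", date(2025, 9, 1)),
]

TODAY = date(2026, 1, 1)  # constructed review date

def review_access(users, register, today):
    """Return (login, reason) pairs for accounts that should be revoked or re-issued."""
    findings = []
    firms_per_login = {}
    for login, firm, role, last_login in users:
        firms_per_login.setdefault(login, set()).add(firm)
        if firm not in register:
            findings.append((login, f"firm {firm!r} is not on the subcontractor register"))
            continue
        end = register[firm]
        if end is not None and end < today:
            # Package complete but the account still exists: the leaver was never offboarded.
            findings.append((login, f"{firm!r} package ended {end}; access not revoked"))
            if last_login > end:
                findings.append((login, f"still used after package end (last login {last_login})"))
    for login, firms in firms_per_login.items():
        if len(firms) > 1:
            # One credential handed between firms: no accountability, and a breach at
            # any of them compromises the shared login.
            findings.append((login, f"credential shared by {len(firms)} firms: {sorted(firms)}"))
    return findings

def logins_to_disable(findings):
    """Distinct logins with at least one finding, in a stable order for the offboarding ticket."""
    return sorted({login for login, _ in findings})
```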

Practical steps for construction firms.

For construction companies, security must account for the transient, multi-party, multi-site nature of the business. The priorities should focus on the head office environment first (where corporate data, financial systems, and project management platforms are hosted), then extend to site networks, subcontractor access management, and cloud platform security.

Cyber Essentials certification is increasingly required for public sector construction contracts and is a growing expectation from major clients. For ongoing protection of head office infrastructure and cloud platforms, SOC in a Box provides 24/7 monitoring — detecting payment fraud attempts, credential compromise, and anomalous access to project data systems. For organisations deploying drones, our UAV penetration testing and airspace security services assess the unique risks of aerial platforms.


Part 7 preview.

Next week, we examine the retail sector — where PCI DSS compliance, e-commerce platform security, and the pressure of peak trading seasons create a distinctive threat landscape for both online and physical retailers.


From head office to site office — we test the lot.

We deliver penetration testing for construction firms that covers corporate infrastructure, cloud platforms, BMS systems, site networks, and <a href="/penetration-testing/uav-drone">drone security</a>. Our <a href="/cyber-essentials">Cyber Essentials certification</a> service gets you tender-ready, and <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the ongoing monitoring that project-based security cannot.

