Table of contents
- 01.Security challenges in the construction industry
- 02.What are the “Information Security Guidelines for Construction Sites”?
- 03.What items of the “Information Security Guidelines for Construction Sites” can be addressed by LANSCOPE?
The construction industry, which has been said to be slower than other industries in adopting paperless systems, is gradually beginning to see progress in digital transformation (DX). However, due to reasons unique to the industry, many companies are not yet fully equipped with security measures suited to digitalization.
The construction industry often plays an important role in protecting infrastructure, and requires particularly careful measures against incidents such as cyber attacks.
In this article, we will explain the security measures that should be implemented using the “Information Security Guidelines for Construction Sites,” which were created for the construction industry.
Security challenges in the construction industry
The “2024 Problem” facing the construction industry
The construction industry is facing a challenge known as the “2024 Problem.” This refers to labor environment issues that the industry must address in order to comply with the Work Style Reform Act, which came into effect in April 2024.
The Work Style Reform Act, which came into effect in 2019, provided a five-year grace period for capping overtime work in the construction industry. This was due to the fact that a variety of factors, including an aging workforce, labor shortages, and the normalization of long working hours, would make it difficult to immediately implement work style reforms.
To comply with work style reforms, construction companies must actively engage in digitalization and the digital transformation (DX) that follows, improving operational efficiency and labor savings. Furthermore, when promoting digital transformation, it is essential to simultaneously advance cybersecurity preparations. However, enhancing security presents unique challenges in the industry.
Challenges unique to construction sites
Construction sites have unique conditions that differ from typical offices, and there are many constraints on implementing information security measures. The Japan Federation of Construction Contractors (JFCC) describes the constraints on information security measures at construction sites as follows:
① Because construction work products are produced individually, various conditions such as use, structure, scale, and construction method vary, making it difficult to standardize work and rules that can be applied to all construction sites.
② Construction sites are designed with temporary specifications that are intended for use for a limited period of time, during the construction period, so simple IT equipment is used that can be flexibly changed or removed. (Equipment that is installed permanently in a permanent office is difficult to install permanently at a construction site.)
③ Because the cost of setting up and operating a site office is a site expense, there are significant limitations on the amount of money that can be invested. Furthermore, if the site office needs to be relocated or increased or decreased during the construction period, the physical, time, and financial constraints become even greater.
④ Construction sites are staffed not only by the main contractor, but also by many other parties, including the client, designers, subcontractors, and equipment manufacturers. In addition, the people involved change depending on the progress of the construction work, so there is a greater risk of information leaks than in a regular office, and it takes a lot of effort to instill information security education.
⑤ In terms of the environment, it is difficult to ensure stable operation of information equipment due to the high level of dust and the use of temporary power sources. Drawings and documents are constantly being changed, so managing the originals and the latest versions is a significant burden.
Due to these factors, it can be said that thorough security at construction sites is a high hurdle.
So, how should construction companies implement security measures?
What are the “Information Security Guidelines for Construction Sites”?
To properly recognize the unique environment surrounding construction sites and implement appropriate information security measures, it is effective to provide guidelines on setting information security standards and how to specifically achieve them. Against this background, the “Information Security Guidelines for Construction Sites” were created.
The “Information Security Guidelines for Construction Sites” provide guidance on addressing security risks unique to the construction industry. The first edition was published in November 2008, revised in November 2020, and amended in February 2024.
The “Information Security Guidelines for Construction Sites” are structured as follows:
[1] Introduction:
Introduction to the necessity and overview of the guidelines
[2] Procedures for establishing and operating an information security management system for construction sites:
Description of procedures for establishing and operating an information security management system
[3] Implementation of information security measures:
Specific examples of what should be done to implement information security measures
The structure is very simple, and the content is easy to understand for the target users, who are responsible for building information security systems at each company, and the site managers or implementation managers who are responsible for implementing information security measures at each construction site.
When actually using these guidelines, you will need to look at the specific examples listed in “(3) Implementation of information security measures” and respond accordingly.
| 3. Implementation of information security measures | | |
|---|---|---|
| 3.1 Construction site office area classification and information security measures | | |
| 3.2 Information Asset Management | | |
| 3.3 Maintenance and management of information devices | 3.3.1 | Operation and management of information devices |
| | 3.3.2 | Access Control |
| | 3.3.3 | Antivirus |
| | 3.3.4 | Installing the software |
| | 3.3.5 | Log management |
In particular, “3.3 Maintenance and Management of Information Devices” lists five basic items that should be implemented as security measures when using information devices such as PCs and smartphones for business purposes. It is especially recommended for company personnel who are promoting digitalization in the future to read through this.
Safety checks for other organizations
It is important to encourage business partners and other organizations to strengthen their cybersecurity measures as well, using these guidelines and the guidelines described below.
The 2024 revision added the following as a requirement for requesting strengthened information security measures from partner companies: “Toward Building Partnerships with Business Partners to Improve Cybersecurity Across the Supply Chain (Ministry of Economy, Trade and Industry, Japan Fair Trade Commission, October 28, 2022).”
While stating that “depending on the method and content of the request, caution is required as it may be problematic as an abuse of a dominant bargaining position under the Antimonopoly Act,” it also states that “strengthening cybersecurity measures across the supply chain is an important initiative to prevent damage from cyberattacks from disrupting the supply chain and disrupting the stable supply of goods and services.”
Compliance with the guidelines is an effective yardstick for ensuring the security of business partners.
In addition to the “Information Security Guidelines for Construction Sites,” there are other guidelines that can be used as reference if you want to strengthen your cybersecurity measures.
(Reference) “Guidelines for Cyber-Physical Security Measures in Building Systems”
Smart buildings, where data sharing between devices and buildings is progressing, are becoming more common. As a result, the risk of building systems being subject to cyberattacks is increasing, and cybersecurity measures to prevent this are becoming increasingly important. However, due to the constraints of existing systems and cost issues, sufficient measures are often not being taken. The “Guidelines for Cyber-Physical Security Measures in Building Systems” published by the Ministry of Economy, Trade and Industry summarizes vulnerabilities, risks, security measures, etc. and provides guidelines for cybersecurity measures for all stakeholders involved in all types of buildings and building systems.
(Reference) Cybersecurity Management Guidelines Ver. 3.0
The “Cybersecurity Management Guidelines Ver. 3.0” published by the Information-Technology Promotion Agency (IPA), an independent administrative institution under the Ministry of Economy, Trade and Industry, is aimed at managers of large and small companies (excluding micro-businesses) regardless of industry. These guidelines emphasize the importance of management’s active involvement in cybersecurity measures and their integration into overall strategy. Specifically, they outline three fundamental principles: 1) incorporating cybersecurity into management strategy, 2) leadership by management, and 3) continuous improvement. Information security managers are also required to implement specific measures and improvements, including risk assessment, security policy development, incident response plans, education and training, and external partner management. Regardless of whether you’re in the construction industry or elsewhere, we recommend that you also refer to the “Cybersecurity Management Guidelines Ver. 3.0” if you want to strengthen your company’s overall security posture.
What items of the “Information Security Guidelines for Construction Sites” can be addressed by LANSCOPE?
From here, we will introduce how to specifically comply with the items outlined in the “Information Security Guidelines for Construction Sites,” using examples of items introduced in the guidelines.
<Items that can be handled by LANSCOPE Endpoint Manager Cloud Edition>
| 3.3.1 Operation and management of information devices | (3) Management of taking out information devices ■ Examples of measures: In case of theft or loss, etc., measures such as using password protected files or encrypting the files should be taken. |
|---|---|
LANSCOPE Endpoint Manager Cloud Edition can locate lost devices using their location information, and can remotely lock or wipe them to prevent information leaks. It can obtain location information not only for Windows PCs, but also for iOS and Android smartphones.
| 3.3.1 Operation and management of information devices | (5) Management and operation of removable storage media ■ Examples of measures: Only use media with security features such as password locks loaned by the company, and do not use personal media. |
|---|---|
LANSCOPE Endpoint Manager Cloud Edition allows you to block personal storage media by permitting only specific storage media (such as USB memory sticks) provided by the company. In addition, you can set a basic policy of prohibit, read-only, or allow on a group basis, so besides allowing only specific storage media, you can also flexibly set permissions for specific PCs, or temporarily allow use only on specific dates and times.
<Items that can be addressed with LANSCOPE Cyber Protection>
| 3.3.3 Antivirus measures | ■ Examples of countermeasures (some excerpts) ・Antivirus software (products that can be updated automatically) must be installed on computers and servers in field offices. ・Antivirus software must always use the latest pattern files and search engines. ・Information security personnel must regularly check whether the pattern files on each computer have been updated. |
|---|---|
If a computer connected to a network becomes infected with a virus, it could shut down the systems of not only the field office but also external parties and related companies. Virus infections could also lead to information leaks, which could result in a loss of trust in business partners and lead to liability issues.
LANSCOPE Cyber Protection is a next-generation antivirus tool that utilizes AI. It is capable of detecting unknown malware that is difficult to detect with conventional methods with an accuracy of 99% (*). Furthermore, since it does not use pattern files, daily updates are not required. Depending on the application, you can choose from two types of next-generation AI antivirus: “CylancePROTECT” and “Deep Instinct.” It detects threats such as malware with high accuracy and prevents infection before an attack occurs. (*EDR is available as an option for CylancePROTECT)

