The cyber security heads of major contractors working in the UK are drawing up guidance for dealing with online attacks and other cyber security matters, especially when working in joint ventures.

At least five major construction companies operating in Britain have been victims of cyber-attacks in the past 18 months. Also, a payroll company used by architectural consultants Arup was hit last January.

The specially formed Chief Information Security Officer Forum is meeting regularly to work out how to contain the increasing threat to the industry.

A document with a clear set of rules around access requirements and cyber security responsibilities in joint ventures is being worked out by the group.

The draft will be shared with government cyber experts for their input and eventually disseminated throughout the industry.

“One of the biggest challenges we have is joint ventures because in some instances we are in competition with each other, but at the same time we’re in a joint venture with each other,” Ian Hill, group director of cyber security at Dutch-based Royal Bam, was quoted as saying by sector journal Construction News.

“We need to collaborate more, particularly when bidding for large government contracts. We need to show our customers that we are joined up and collaborative in the security space because that gives them confidence that we’re not doing these things in isolation and, even though technically we’re in competition, in the interest of customers we’re working together.”

With cyber-crime incidents rising around the world, Hill said it is crucial construction companies are on their guard and work together to stop attackers.

“If you look at the increased level of threats against electrical and water systems – things that we as construction companies build and maintain a lot of – we are going to definitely see more attacks against infrastructure that we’re involved in,” he added.

“There is the potential for obvious attack where a threat actor has broken into a computer system that controls the environment of a building or a water-treatment plant.”

In early February a hacker tried to add a dangerous amount of toxic sodium hydroxide into the water system at Oldsmar, Florida. A remote-working operator averted the threat to public health by changing the concentration back to normal as soon as the attacker left the system.

Hill also said: “With digital construction, BIM modelling and things like that, [the attacks] can also be quite subtle.” BIM refers to the 3D digital modelling process used in building design and management.

He added: “What if a threat actor was able to break into one of our systems and modify BIM details? [They could] change something in a structure under construction, potentially weakening it.

“These are potential attacks that wouldn’t necessarily manifest themselves straight away but could have catastrophic implications.”

Register to receive the latest cyber security news and analysis straight to your inbox