Cybersecurity and BIM: what issues are being overlooked?

Cyber-Security in M&A: what you need to know

Cyber-crime is a growth industry; the crime statistics published by the Office for National Statistics for 2015 recorded 2.5 million cyber-crime offences.  The vast majority of this crime wave is directed at attempts to defraud financial institutions or obtain information on their customers rather than focussed on the construction industry, however the cyber-attack on the US retail chain, Target, in December 2013 is said to have originated in the firms building control system and compromised an estimated 40 million credit and debit card accounts. 

The U.S. Department of Commerce recognised in 2011 that control systems used in buildings and industrial processes were adopting IT solutions to promote connectivity and in order to enable the systems to be remotely accessed, which in turn increased the vulnerability of those systems to cyber-attack.  Industries which the state department identified as particularly prone to using centralised control to acquire data and control systems of dispersed assets included the utilities, oil and natural gas industry, the chemical and pharmaceutical industry, automotive and aerospace manufacturing and the food industry. 

The UK Centre for the Protection of National Infrastructure similarly identified a number of building types and infrastructure which could be threatened by hostile, malicious, fraudulent or criminal activities.  In particular they recommended that owners of such facilities should, as a minimum, consider whether the following could be used to significantly compromise the integrity of the building, infrastructure or impair its ability to function:

i) The control systems in the building;
ii) The permanent plant and machinery;
iii) Structural design details;
iv) Security and other control rooms;
v) Areas that house regulated substances (e.g. nuclear isotopes and bio-hazards) or information
vi) The technical specification of security products and features

The owner of such buildings/infrastructure should understand and routinely apply appropriate and proportionate security measures so as to deter or disrupt the threat of hostile, malicious, fraudulent or criminal activities.

The Construction Industry Council’s BIM2050 team also identified the threat of cyber-attack in its report  noting that “digital connected infrastructure and business systems are vulnerable to electronic terrorism and sabotage.  Just because your information is secure now, it does not mean that it will be secure in the near future”. 

In their recommendations the BIM2050 team suggest “Organisations need to review their data residency, integrity strategies and agreements to proactively defend our digital and physical assets from cyber-attacks.” 

At BIM Level 2, where consultants produce models stored on their own servers with limited inter-operability or connectivity between their model and the models prepared and held by the other consultants, with one Project Information Model (“PIM”) held by the Employer, organisations need to consider the physical or geographical location of data and information, and develop strategies to maintain and assure the accuracy and consistency of that data over its entire life-cycle.  However as the industry moves towards BIM Level 3 with integrated electronic information, fully automated connectivity and a web stored PIM, the idea of data residency becomes outdated.  Information stored in the cloud is stored in different data bases often through chains of sub-contractors and in numerous geographical locations the tension between greater collaboration and connectivity that BIM encourages and cyber security which ideally would limit access to the BIM data and/or its connectivity with third parties becomes increasingly difficult to reconcile.

Both the U.S. Department of Commerce and the UK Centre for Protection of National Infrastructure recommend any employer should be aware of the range of potential security issues which are applicable to its business, the infrastructure it uses and the buildings it occupies.  If there is any uncertainty, the recommendation is that the employer should seek advice from appropriate security advisors. In the UK this would be a member of the Register of Security Engineers and Specialists.  This advice should typically cover personnel, the physical security of the building and cyber-security.  Further advice may also be obtained from the police architectural liaison officer (or in London the crime prevention advisor) who will be embedded in the Local Authority Planning Office.  There is therefore a need for the employer to consider security generally and cyber security in particular, at the outset of a project. The employer should appoint a suitably qualified and experienced individual  to advise and manage the security issues and threats which may occur during the lifecycle of the building/infrastructure.  In particular the individual concerned should be responsible for the development of the built asset security strategy which identifies the employer’s security requirements. This strategy should then be used to develop the built asset security management plan (“BASMP”) which should address the specific security risks which have been identified and implement and maintain the security measures to counter those risks. 

If the employer is intending to carry out a building project, the contents of the BASMP should be used to inform and develop the security requirements in the Employer’s Information Requirements (“EIR”). This is the foundation document for any BIM project, which specifies the information to be delivered and the standards and processes to be adopted, (including security processes) by the suppliers as part of the BIM process.  As noted in the ACE (UK) BIM Technology Protocol  “All project BIM data developed within the CDE [common data environment] should be subject to the necessary security requirements as specified in the EIR”

The CIC BIM Protocol  requires the employer to appoint an Information Manager who has no design related duties, though the expectation is that the role will form part of wider duties undertaken by either the ‘Design Lead’ or the ‘Project Lead’.  The Information Manager is responsible for managing the CDE, managing project information and supporting collaborative working, information exchange and the project team.  The employer’s own security advisor who has prepared the BASMP should, in my view, work closely with the Information Manager to ensure that security standards are maintained because, despite one of the proposed duties of the Information Manager being to “maintain the Information Model to meet integrity and security standards in accordance with the Employer’s Information Requirements” during the project , the CIC BIM Protocol also states at Clause 5.1, that a Project Team Member (the Information Manager being one of the Project Team) gives no warranty as to the integrity of the electronic data and at clause 5.2 excludes liability for any corruption or unintended amendments etc. of the electronic data which occurs after transmission of a Model by a Project Team Member, unless caused by a failure to comply with the BIM Protocol.  This does not encourage Project Team Members to take appropriate steps to assure the integrity and security of the BIM data. 

In addition the possibility that professional indemnity insurers may seek to exclude liability in respect of losses, damage or amendment to electronic documents, lead to the conclusion that liability for the integrity of the electronic data remains with the employer under the CIC BIM protocol, and consequently the employer needs to manage that risk. 

A more practical reason for suggesting the employer’s own security advisor should be working closely with the Information Manager is because as the project progresses from design and construction through to commissioning and operation, the PIM will (or should be) used to commission and operate the building or facility.  The PIM may need to interface with facility management systems and operational management systems.  The responsibility for the PIM should therefore transfer from the Project Team to the employer’s operational staff.  The employer’s security advisor could manage that transfer and put in place procedures to ensure that confidentiality of the PIM is maintained and access to it is controlled as personnel and contractors change during the operational life of the facility.  The integrity of the PIM will also need to be maintained and continuously up-dated to reflect changes to the asset during it life cycle if the PIM is to continue to be a useful working tool for the operation and maintenance of the facility.  Similarly, the ability to access the PIM will need to be maintained as information and storage technologies change over the lifecycle of the facility. 

It is in the interest of the employer therefore to be involved throughout the project if it is to obtain the advantages of BIM while protecting itself from the potential security threats which arise through the increased use of information technology and collaborative working which BIM demands. 

Office for National Statistics 2015 crime statistics.
National Institute of Standards and Technology  - US Department of Commerce  special Publication 800-82 – Guide to Industrial Control Systems (ICS) Security
PAS 1192-5:2015 Specification for security-minded building information modelling, digital built environment sand smart asset management
Built environment 2050 – A Report on Our Digital Future
Defined in PAS 1192-5:2015 as the “built asset security manager”
Practical implementation of BIM for the UK Architectural, Engineering and Construction (ACE) industry  Version 2.1.1 June 2015 – section 4.4
Building Information Model (BIM) Protocol CIC/BIM Pro published by the Construction Industry Council
Outline scope of services for the role of Information Manager CIC/INF MAN/S published by the Construction Industry Council

By Matthew Needham-Laing, Head of Construction & Engineering
Article first published in BUILD Magazine, March 2016

Search our site