December 2016’s ThinkBIM was particularly memorable for an eye-opening and occasionally frightening view of just how vulnerable the built environment might be to cyber attack, writes Paul Wilkinson of pwcom and thinkBIM Steering Group member.
In May 2015, PAS1192-5 – “Specification for security-minded building information modelling, digital built environments and smart asset management” – became the latest addition to the suite of UK BIM documents, and Turner & Townsend’s Nathan Jones gave us the benefit of a non-construction person’s view of this document. Nathan was recruited into the construction industry after working in the armed forces specialising in military grade IT and security-related technologies.
From his presentation and roundtable contributions, it was clear that he felt existing construction industry IT practices lag behind most other industry sectors in respect of security (“Often IT security is a bit backward in construction”).
This is, of course, hardly surprising. Within the living memory of many people still working in the sector, we mostly exchanged information by paper. But now, in the early years of the 21st century, we are increasingly sharing ‘electronic paper’ – emails instead of letters, Word documents instead of typed reports, PDFs or native files instead of drawings, etc. We already must be vigilant about security: guarding against software viruses, ‘phishing’, hacking, and theft or loss of devices, while also continuing to track, store and protect our communications and intellectual property. (And not always successfully: details of the internal layout of a Royal Palace were recently freely distributed to potential tenderers via an email attachment, Nathan said.)
However, the next stages in the digital transformation of the built environment sector are set to make information management more challenging from a security point of view.
From BIM to BASM
As firms begin to share and to combine or ‘federate’ data-rich 3D, 4D (time) and 5D (cost) models, project teams will need to heighten their cyber-security regimes.
A shared 3D model may expose intellectual property to competitors. Moreover, a walk-through visualisation of a new building might expose sensitive information about the building’s design – key structural components, locations of key building services, placement of CCTV or other security equipment, for example. Shared 4D models might reveal periods when assets might be susceptible to sabotage or sites could be vulnerable to theft, while a 5D model could reveal commercially sensitive pricing information to competitors.
Published by the British Standards Institute and the Centre for Protection of National Infrastructure (CPNI), PAS1192-5 is intended to help teams identify and guard against risks including:
- hostile reconnaissance
- malicious acts
- loss or disclosure of intellectual property
- loss or disclosure of commercially sensitive information, and
- release of personally identifiable information.
And our already abbreviation-heavy glossary of BIM terms now includes BASM – built asset security management – as a new discipline. Early engagement with a BAS manager will help a project team and the asset owner develop a strong built asset security strategy (BASS) and management plan (BASMP), said Nathan.
People can be our greatest asset, but also our weakest link
Such measures will become more important in an increasingly connected world of not just ‘smart buildings’ but ‘Smart Cities’. We will need to protect information created during delivery of a new built asset, and – just as importantly, and depending on the asset’s sensitivity – protect some or all of the data created by the people and systems in and around that asset, and in any connected assets or infrastructure.
At the people level, precautions might include procedures limiting information access to those with defined roles (I was encouraged that Nathan identified that some Software-as-a-Service collaboration platforms do this well: restricting access to certain files, models or data only to people with defined responsibilities), supported by systems of passes, logins, keys or other forms of authentication.
BASM – it’s about people
As with other aspects of BIM, this is certainly not just about technology, but people and process. Awareness raising and training will be important: working practices learned in the days of paper or “spray and pray” email will need to be amended, and data vulnerabilities addressed. Often the weak link will not be the software or hardware, but the people that use them (users noting passwords and PINs on Post-It notes next to their computers, for example), and, as risks cannot be entirely eliminated, Nathan also advised that organisations need plans and processes dictating how they will respond to security breaches.
In one of the roundtable sessions, John Lorimer asked Nathan if this heightened focus on security might counteract recent years’ efforts to get companies and people to share information more readily. “Security should not stop collaboration, so long as it is controlled and people are aware,” Nathan replied, “BIM is actually helping to trigger some security-minded conversations much earlier. We may soon be segmenting our construction supply chains according to those who are security-aware, and those who aren’t.”