If you run your own construction business or manage large building projects, you will know about the many professions and trades that need to come together to contribute to a modern building or refurbishment. But does information risk and cyber security come into your thinking? If not, it should.
Such projects require detailed information to be transferred between partners such as designers and architects at the planning stage, followed by the construction teams. A variety of software tools are available to support this process such as 3D modelling packages, CAD software and project management tools.
All of this generates large volumes of data that must be accurate and which has to get to the right people on time. What’s more, it has to be safe from threats – and remain that way.
In the first of a two part series, we look at what Building Information Modelling (BIM) is and then discuss the kind of data at risk in a building project. Part two will then look at how to manage BIM implementation and how to ensure risk management beyond the build.
What is Building Information Modelling (BIM)?
Under an initiative to reduce costs in delivering, managing and maintaining public buildings, the UK Government mandated the use of Building Information Modelling (BIM) in 2011 in the Government Construction Strategy.
Specifically this required that by 2016 collaborative 3D BIM (with all project and asset information, documentation and data being electronic) would be used on all government projects. As a consequence BIM has also been widely adopted for most private sector construction projects.
BIM is not a single piece of software or model, but a new form of information processing and collaboration for construction projects with data embedded within a model. BIM puts information management and data exchange at the heart of the design process. Each discipline or organisation creates its own model, and these are subsequently amalgamated to provide a combined view of the entire project using laser scanned information and detailed photographs to build the combined model.
The British Standards Institute has published PAS 1192 (parts 1-4) as the standard for how to implement BIM. The Centre for the Protection of the National Infrastructure (CPNI) sponsored Part 5 of the standard and this provides guidance on how to keep BIM models and the information on the buildings they represent safe from threats during the design, construction and operational phases.
What data is at risk in building projects?
The modelling information and metadata will be stored, processed and transferred digitally and this leaves any information system prone to cyber (and other) threats. That’s why cyber security needs to be an integral part of public construction and refurbishment projects.
If the project is to build a block of flats then a simple risk assessment will determine if the “built asset” (i.e. the flats) is a sensitive asset or not. If the built asset is going to be a public building, from offices for government personnel to a prison, then the assessment will show that it is sensitive.
Given the modern day threats from terrorists and other attackers, information such as 3D models with embedded metadata on building architecture which shows the location of sensitive rooms, features such as heating and air conditioning controls and security systems such as CCTV cameras and alarms will be vulnerable.
This type of data must be protected from potential attackers who could use it to plan physical attacks, to support hacking attacks or to threaten personnel.
Not all information on a building project is highly sensitive all of the time to everyone. Crucially, even the most sensitive information will have to be shared at some point otherwise the project will never be completed.
The objective is that the value of the various information assets is understood and that information is shared in a secure manner with only those who need to have it.
The data involved in modern construction projects has the potential to reveal much of what is of interest to external threat actors.
That’s why the cyber security aspects of BIM are of relevance to any organisation working with BIM, digital built environments and smart asset management. Architects and builders should be able to demonstrate that they understand customer concerns over sensitive information and put appropriate security measures in place. Similarly, organisations outsourcing projects need to be intelligent customers who understand the risks to their information and put cyber security requirements into contracts.
In part two, we will look at how to manage BIM implementation using PAS1192-5 and explain why managing the risks to building information doesn’t stop at the end of the build.
How Ascentor can help
Ascentor has experience in developing a strategy for implementing the security aspects of BIM.
We understand the information security concerns around integrating sensitive information in models that have to be shared digitally with multiple users and have developed a pragmatic approach to assessing and managing the risks of BIM in Common Data Environments and down through the supply chain companies.
We can help organisations either as intelligent customers seeking to ensure that their information is secure during such projects or as intelligent suppliers demonstrating that they can manage customer information in a challenging scenario.
For further information
For help with BIM or any element of Information Assurance for your organisation or department, system or project, please get in touch.
Contact Steve Maddison at Ascentor for a no-obligation, confidential discussion:
Telephone: 01452 881633 or 07971559980
Email: [email protected]