Archive 2016 08

BIM: Don’t be lulled into a false sense of (cyber) security

Graham Stewart, director and head of BIM/Integrated Business Technology at Ramboll UK, gives his advice

With the UK Government BIM Level 2 mandate coming into effect and the increasing growth of cybercrime as an industry, many in the construction sector are questioning just how safe Building Information Modelling is. The crime statistics published by the Office for National Statistics recorded 2.5 million cybercrime offences in 2015, and this is expected to rise. The vast majority of this crime wave is directed at attempts to obtain information on customers. However, the cyberattack on Target in 2013 is said to have originated in the firm’s building control system. Due to the vast amount of sensitive information stored in BIM, it would be foolish to ignore the potential for cyber threats.

Potential risks

We are seeing an increased concern from the government and clients alike about the amount of digital data stored in this building process. There is no doubt that BIM is a fantastic platform that allows projects to be built with greater collaboration, speed and ease. However, there are potential dangers regarding security. With contractors, engineering firms, architecture companies and developers all having access to detailed building plans, the risk of a leak is multiplied. Although building plans or project specifications may not immediately seem like particularly confidential information, the transparent nature of the process may be an opportunity for hostile individuals or groups to use these to their advantage; if the details of an airport terminal construction building were hacked, for example.

Who is responsible?

BIM Level 2 requires that on each project an Information Manager must be appointed, and this person is essentially responsible for maintaining the Information Model to meet integrity and security standards in compliance with the employer’s information requirements. The use of freelancers does not change this – the appointed Information Manager is responsible for receiving information into the Information Model in compliance with agreed processes and procedures. They must validate compliance with information requirements and advise on noncompliance, although contractors may be more sceptical about hiring those not affiliated with a reputable company. The majority of freelancers are employed through an agency, which is responsible for ensuring they have carried out sufficient background checks.

The current state of play

BIM Level 2 was introduced in April of this year, and many are still digesting current regulations. This mandate represented a significant change to the definition of the BIM process, and there is often a misunderstanding of what the Level 2 directive actually involves. It is likely to take a couple of years before the industry is fully embedded, but it’s crucial we do not let security and the potential for cybercrime drop by the wayside in the meantime.

In 2015, the British Standards Institute published PAS 1192-5 in an attempt to tackle growing security concerns. This is official guidance on how to keep BIM models and the buildings they represent safe from potential hackers. As well as this specific guidance on cybersecurity, within BIM Level 2 qualifying individuals must have the capability to assess a project’s firewall and whether the company is vulnerable to attack. However, there is no government regulation on the security clearance of those involved in projects, and this is an area many feel should change.

The Data Protection Act 1998 requires every organisation that processes personal information to register a data controller with the Information Commissioner’s Office. Currently, though, details of BIM databases do not need to be registered. This is somewhat of a ticking timebomb, and is likely to see increased regulation soon. For example, there is an outline of Cookham Prison that can easily be found online as it was used as a demonstration for the Level 2 mandate, and this demonstrates a lack of understanding of the real cyber threat that BIM potentially presents.

For the construction industry, greater regulation could present difficulties from an administrative point of view. With so much information stored in different types of databases, creating a central way of registering them all will no doubt be tricky.

Future forecasting: what needs to be done?

Increasingly, firms and companies are creating their own levels of security clearance, ensuring tighter regulation over who has access to BIM data. MOD projects have an incredibly high level of security, but for the most part, clients rely on their engineering firm and Information Controller to set the boundaries. Given the level of sensitive data that could be stored in BIM databases, industry-wide regulation is needed to determine who has what level of access throughout the process, and it is likely we are soon to see these introduced, much like CRB checks are required to work with children.

We need to regulate across different types of platforms and databases, as well as limiting who has access to BIM data in shared projects. With time, the Level 2 mandate will become widely understood and improved upon but we, along with the government, need to ensure cyber security is adequately addressed with greater regulation.

Graham Stewart

Builder & Engineer