The increased reliance of the IT Technology
Widely used cloud-based systems with file-sharing protocols have are the way of the future, but the use of such a platforms increase the potential of damage and disruption to the business. In order to minimise the risk Businesses should take appropriate steps to protect themselves from security risks to avoid ransomware attacks and other risks. With relation to Construction Industry, BIM, Common Data Environment (CDE) and built asset management, a comprehensive approach needs to address security around aspects of people, process, including physical and technological security.
In 2015 the first edition of Publicly Available Specification (PAS) – PAS 1192-5 Specification for security-minded building information modelling, digital built environments and smart asset management was published. PAS 1192-5 specifies the processes providing useful guidance of how to manage the risks that affect asset information created, processed or stored in cloud services or hosted outside the employer/asset owner’s organisation. Furthermore, in response to the UK Government BIM Strategy Beale & Company have drafted The BIM Protocol on behalf of the Construction Industry Council (CIC). The Protocol was written for use with contracts for design and construction in respect of an asset and support BIM working at Level 2. The Protocol when used puts into place specific contractual obligations, sets out the rights and liability of the Employer and the Project Team, identifies the information which members of the Project Team are required to produce and can request compliance with security standards and processes in line with Standard Protocol for use in projects using Building Information Models.
What are the cyber-security basic requirements?
One of the challenges is to make sure the information exchange is allowed between various platforms. The CDE service providers and all users must follow Transport Layer Security (TLS) or internet protocol security (IPsec).
Data at rest protection
The stored data must be secure and only accessible by authorised individuals (data sanitisation); typically, this would include encryption and physical security controls or a combination of both.
Once equipment used to deliver the CDE service reaches the end of its useful life, it should be disposed of in a way, which does not compromise the security of the service, or user data stored in the service (COMMON DATA ENVIRONMENTS A guide for BIM Level 2, 2017)
Malicious or compromised user
The service should not allow affecting other users if the security of one, were compromised. One of the solutions is user separation by application of virtualisation technologies.
Security minded management procedures
Each project should set up security policies, where project-specific security requirements are clearly defined together with specific requirements and identification of sensitive information, for example, it may be decided that sensitive information may not be shared in the CDE Process. Each member of the project must comply with the Information Particulars when producing, sharing and publishing the specified information.
The framework has been set up in Appendix 2 of the Standard Protocol for use in projects using Building Information Models
The process shown in figure 5 of the PAS 1192-5 recommends the use of security triage process in order to understand the security threat to the built asset. The Common Data Environments guide for BIM Level 2 includes further guidance aligned with CDE risks.
Following the use of the security triage process included in PAS 1192-5:2015, Common Data Environments a guide for BIM Level 2, recommends the application of 14 principles sumarised in Figure 1
The advisory recommendation for PAS 1192-5:2015 security triage process outcome of S1 or S2 is to apply all of its 14 Principles in line with the Built Asset Strategy. Implement Contractual commitment to meet security requirements – i.e., implement Standard Protocol for use in projects using Building Information Models. Moreover, to carry out independent validation of the CDE service provider assurances and certifications.
Triage process outcome of S3 or S4 is less onerous; generally the application of the 14 principles is still recommended, but it is left for the Information Risk Manager to decide whether the business will benefit from applying the guidance. The Contractual commitment to meet security requirements is not compulsory, and reliance on service provider claim of compliance may be sufficient without independent validation.
Fig.1 Summary of the 14 Principles
The security risks related to CDE environment must be managed within robust framework which follows industry guidance, local and international standards. Implementing Asset Management Standards enables an organisation to achieve its objectives through the successful and cost-effective management of its assets. The application of an asset management system provides reassurance that those objectives can be achieved consistently and sustainably over time.(British Standards Institution., 2014) While freedom of choice in the how the secure CDE solution is provided, it does not mean that there is an option to be less than robust in the understanding and application of standards, the results can only be achieved through good practice.Cybersecurity risk-Governance and management-Specification Publishing and copyright information, 2013 Furthermore, to comply with legal aspects, the following must be achieved:
- adequate data protection and privacy of personal information,
- appropriate record-keeping
- Controls are in place to ensure the fulfilment of commercial contractual obligations.
- Legal issues related to policies and procedures are dealt with.
- Disclaimers are checked for legal validity.
- Contracts with external support personnel cover all required aspects.
- Non-disclosure agreements are enforceable.
- Law enforcement requirements are addressed.
- Liability aspects are clear.
- Specific regulatory requirements are addressed.
- Prosecutions, or internal disciplinary procedures, can be successful.
- Legal aspects associated with monitoring techniques are addressed.
- Acceptable use policy is defined and communicated.
(BS ISO/IEC 27035-1:2016)