BIM Technology and Maintenance of Cybersecurity

7 January 2019 | Weronika Masternak | bim cybersecurity

BIM technology is still gaining popularity in the construction industry, but awareness of the dangers is not improving. Learn how to secure information related to an infrastructure project and find out about the security requirements of BIM technology.

From the article you will learn:

  • what BIM technology is;
  • what the point of creating the Common Data Environment is;
  • what safe cooperation within a project should look like;
  • what the consequences of attacks on investments created in the BIM technology are;
  • what the purpose of the PAS 1192-5:2015 standard was.

The growing popularity of the BIM technology in the construction industry does not go hand in hand with an increase in awareness of the possible dangers. BIM allows you to create digital 3D models of real objects that can be used at any stage of the investment process and for efficient management in the future. What happens if inadequately secured information about the project gets into the wrong hands?

Information as the basis for the existence of a BIM object

3D objects used in investment projects enable a digital representation of the building that preserves its physical and functional features. The objects and the information contained in them allow for managing the whole life cycle of the investment (starting from conception, design, construction, delivery, servicing and maintenance, and ending with demolition). For the information contained in the models to stay useful, the models have to be kept up to date and factually correct. Therefore, the Common Data Environment (CDE) is used, which allows new data to be added to 3D BIM objects whenever there is a change in the efficiency, use or maintenance of resources.

The Common Data Environment is created to facilitate the management of a project made in the BIM technology. CDE is a central repository that allows you to:

  • check the 3D models included in the project and their information;
  • facilitate communication and combine project teams;
  • read the documentation and confidential data about the project.

A properly secured Environment reduces the risk of errors and helps organisations to comply with the BIM standards. The transparency of the process seems to be an advantage: team members can easily access information at any time and place (thanks to the cloud), and copy and store it on information systems or devices in many formats and forms (from paper to digital). However, these same features may in fact cause delays in the delivery of the building, time and financial overheads, reputation losses and even the closure or liquidation of investments.

Violation and theft of investment data

Cooperation within the BIM technology is very important, so ensuring proper cybersecurity in the implementation of its processes and information flow systems becomes essential. As far as security goes, all activities are focused on counteracting cybercriminals' attacks on the IT tools that are prepared and implemented for use at various stages of the building’s life cycle. “People are the weakest link in the security chain” – this is what Kevin Mitnick, the most renowned hacker, once regarded as the most dangerous in the world, thinks.

For this reason, employees should participate in training courses on the protection of information (personal and non-personal, patents, know-how) and of the organisation's resources, so that they can easily identify suspicious situations (e.g. in the form of e-mails or telephone calls). What is important here is a quick response: sending an emergency report to the IT department or to an external security partner, and then following the security strategy.

Hacker attacks on the Common Data Environment

The majority of infrastructure projects in developed countries are being planned using the BIM technology and other digital systems, therefore a cyber-attack may lead to their total paralysis. Attacks by cybercriminals on CDE:

  • hinder access to key data by the investment team;
  • give hackers insight into confidential information about the building;
  • give hackers access to data on the persons involved in the investment process (e.g. identity cards, contract content, ID numbers).

It is worth noting that the loss of personal data due to failure to comply with obligations under the General Data Protection Regulation (GDPR) has been punishable since May 25, 2018. In a study conducted by the University of Bolton, 66% of respondents disagreed with the statement that “the BIM models will not be useful for criminal organisations”. Currently, buildings and even whole cities are created in digital technology, embracing the concept of the Internet of Things (IoT). Therefore, cybercriminals who acquire detailed plans of intelligent enterprises can identify gaps and then use them to carry out an attack, causing material and non-material losses.

BIM technology security requirements

Representatives of the British government and experts from the AEC industry have created a number of proposals and regulations aimed at counteracting the threats to the BIM technology and to the use of cloud computing to store project documentation. To help the construction sector adopt BIM level 2, the PAS 1192-5:2015 standard was created. It is a specification for security-minded building information modelling (BIM), digital built environments and smart asset management, which is also being successfully implemented in other countries around the world. This standard takes into account the steps that should be taken to create a “safety culture” and assumes that all investment activities will be undertaken using appropriate security measures, regardless of the investment's current stage.

Thanks to this, all sensitive data and other project assets will be properly secured, and requests for access will be verified. Each person involved in the investment should remember to exercise special caution, from the client to the project manager, designer, investor, contractor and construction team. They must be aware of a potential attack (its type and scale) and avoid mistakes caused by the human factor. It is worth familiarising the members of the investment process with IT resilience standards and designing a strategy for project documentation management (e.g. refraining from using file names that clearly indicate their content), as well as the procedures to be followed in the case of threats to digital investments.

An investment in security is an investment in the future

When planning a CDE, you should first identify all appropriate protective mechanisms and safeguards that prevent unauthorised access. It is advisable to maintain order, consistency of information and clarity in the Environment, because when data is lost or stolen it then takes less time to identify the violation and report it. In addition, it is worth using multi-level authentication and creating an Identity and Access Management system, which allows you to monitor the movement of project members in the CDE on an ongoing basis and to define their access rights.
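One way to apply the access-management and monitoring advice above, as an added example that is not part of the original article or of any CDE product: a role-to-permission map and a review of CDE audit events that flags sessions without a second factor and actions outside a member's defined access rights. The role names, the event format and the sample events are constructed assumptions.

```python
import csv
import io

# Hypothetical roles and the CDE actions each may perform (assumption).
ROLE_PERMISSIONS = {
    "designer": {"view_model", "edit_model"},
    "contractor": {"view_model"},
    "project_manager": {"view_model", "edit_model", "export_documents"},
}

# Constructed sample audit log: time,user,role,mfa,action,resource
SAMPLE_LOG = """\
2019-01-07T09:12:00,anna,designer,yes,edit_model,block-A.ifc
2019-01-07T09:40:00,piotr,contractor,yes,export_documents,contracts.zip
2019-01-07T10:05:00,ewa,project_manager,no,view_model,block-A.ifc
2019-01-07T10:30:00,jan,visitor,yes,view_model,block-B.ifc
"""

FIELDS = ["time", "user", "role", "mfa", "action", "resource"]


def review_events(log_text, permissions=ROLE_PERMISSIONS):
    """Return (user, reason) findings for audit events that break policy."""
    findings = []
    for event in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        allowed = permissions.get(event["role"])
        if allowed is None:
            # Unknown role: deny by default rather than guess its rights.
            findings.append((event["user"], "unknown role"))
            continue
        if event["mfa"] != "yes":
            # Session was not protected by a second authentication factor.
            findings.append((event["user"], "no second factor"))
        if event["action"] not in allowed:
            # Action is not among the rights defined for this role.
            findings.append((event["user"], "action outside access rights"))
    return findings


if __name__ == "__main__":
    for user, reason in review_events(SAMPLE_LOG):
        print(f"{user}: {reason}")
```
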

Becoming aware of the existing dangers is important, and it is even more important to take rational actions to reduce the risk of interference, theft and destruction of resources. Planning and then implementing a security strategy, conducting security audits and monitoring anomalies can protect you against an attack on the investment and its critical elements.
