BIM technology is still gaining popularity in the construction industry, but awareness about the dangers is not improving. Learn how to secure information related to the infrastructure project and find out about the security requirements of BIM technology.

From the article you will learn:

• what is BIM technology;
• what is the point of creating the Common Data Environment;
• how should a safe cooperation within the project look like;
• what are the consequences of attacks on investments created in the BIM technology;
• what was the purpose of the PAS 1192-5: 2015 standard.

 

The growing popularity of the BIM technology in the construction industry does not go hand in hand with an increase in awareness of the possible dangers. BIM allows you to create digital 3D models of real objects that can be used at any stage of the investment process and efficient management in the future. What happens if an inadequately secured information about the project gets into the wrong hands?

 

Information as the basis for the existence of a BIM object

3D objects used in investment projects enable digital representation of the building preserving its physical and functional features. Objects and information contained in them allow for managing the whole life cycle of the investment (starting from conception, design, construction, delivery, servicing, maintenance, and ending with a demolition). To keep the information contained in the models useful, they have to be updated and always factually correct. Therefore, the Common Data Environment (CDE) is used, which allows for adding new data to 3D BIM objects at the time of any changes in the efficiency/use/maintenance of resources.

The Common Data Environment is created to facilitate the management of a project made in the BIM technology. CDE is a central repository that allows you to:

• check the 3D models included in the project and their information;
• facilitate communication and combine project teams;
• read the documentation and confidential data about the project.

A properly secured Environment reduces the risk of errors and helps organisations to comply with the BIM standards. The transparency of the process seems to be an advantage – team members can easily access information at any time and place (thanks to the cloud); copy and store them on information systems or devices in many formats in various forms (from paper to digital). However, in fact, these features may cause delays in the delivery of the building, time-financial overheads, reputation losses and even closure or liquidation of investments.

 

Violation and theft of investment data

The cooperation within the BIM technology is very important, therefore ensuring a proper cybersecurity in the implementation of its processes and information flow systems becomes essential. As far as the security goes, all activities are focused on counteracting the attacks of cybercriminals directed at prepared and implemented IT tools that are used at various stages of the building’s life cycle. ”People are the weakest link in the security chain” – this is what Kevin Mitnick, the most renowned hacker, once regarded as the most dangerous in the world, thinks.

For this reason, employees should participate in training courses on information protection (personal/non-personal, patents, know-how) and organisation resources, to easily identify suspicious situations (e.g. in the form of e-mails, telephone calls). What’s important here is a quick response and sending an emergency report to the IT department or to an external security partner, and after that – following the security strategy.

Hacker attacks on the Common Data Environment

The majority of infrastructure projects in developed countries are being planned using the BIM technology and other digital systems, therefore a cyber-attack may lead to their total paralysis. Attacks by cybercriminals on CDE:

• hinder accessing key data by the investment team;
• make hackers gain insight into confidential information about the building;
• give hackers access to data on the persons involved in the investment process (e.g. identity cards, contract content, ID numbers).

It is worth noting that loss of personal data due to failure to comply with obligations under the General Data Protection Regulation (GDPR) will be punishable, starting May 25, 2018. In the study conducted by the University of Bolton, 66% of respondents disagreed with the statement that ”the BIM models will not be useful for criminal organisations”. Currently, buildings and even whole cities are created in digital technology, embracing the concept of Internet of Things (IoT). Therefore, cybercriminals – after acquiring detailed plans of intelligent enterprises – can identify gaps and then use them to carry out an attack, causing material and non-material losses.

BIM technology security requirements

Representatives of the British government and experts from the AEC industry have created a number of proposals and regulations aimed at counteracting the threats to the BIM technology and using cloud computing to store project documentation. To help the construction sector adopt BIM level 2, the PAS 1192-5: 2015 standard was created – it’s a specification for security-minded building information modelling (BIM), digital built environments and smart asset management, which is also being successfully implemented in other countries around the world. This standard takes into account the steps that should be taken to create the ”safety culture” and assumes that all investment activities will be undertaken using appropriate security measures, regardless of its current stage.

Thanks to this, all sensitive data and other project assets will be properly secured, and the requests for access will be verified. Each person involved in the investment should remember to exercise special caution, starting from the client, to the project manager, designer, investor, contractor or construction team. They must be aware of the potential attack (its type and scale) and avoid mistakes caused by the human factor. It is worth to familiarise the members of the investment process with IT resilience standards and design a strategy related to the project documentation management (e.g. refraining from using file names that clearly indicate their content), as well as the procedures to be followed in the case of threats to digital investments.

An investment in security is an investment in the future

When planning a CDE, you should find all appropriate protective mechanisms and safeguards preventing an unauthorized access first. It is advisable to maintain order, consistency of information and clarity of the Environment, because at the time of data loss/theft it takes less time to identify the violation and then report it. In addition, it is worth using a multi-level authentication and creating an Identity and Access Management system, which allows you to monitor the movement of the project members in CDE on an ongoing basis and define their authorities.

Becoming aware of the existing dangers is important, and it is even more important to take rational actions to reduce the risk of interference, theft and destruction of resources. Planning and then implementing a security strategy, and conducting security audits, monitoring anomalies, can protect you against an attack on the investment and its critical elements.