SaaS collaboration and cyber-security

December 2016’s ThinkBIM in Leeds provided an occasionally frightening view of just how vulnerable the built environment might be to cyber attack. It also highlighted how SaaS collaboration platforms might also help teams apply more rigorous security processes.

PAS1192pt5 - coverIn May 2015, PAS1192-5 – “Specification for security-minded building information modelling, digital built environments and smart asset management” – became the latest addition to the suite of UK documents focused on building information modelling (BIM). Other documents – notably PAS1192-2 – cover the adoption and use of a ‘common data environment’ (CDE), and this has been a key area for construction collaboration technology vendors, but they will also need to help their customers and project teams address some of their security requirements.

In Leeds, Turner & Townsend’s Nathan Jones gave us the benefit of a non-construction person’s view of the security document (Jones was recruited into the construction industry after working in the armed forces specialising in military grade IT and security-related technologies). From his presentation and roundtable contributions, it was clear that he felt existing construction industry IT practices lag behind most other industry sectors in respect of security (“Often IT security is a bit backward in construction”).

From paper to data

This is, of course, hardly surprising. In the early careers of many people still working in the sector, we mostly exchanged design and construction information by paper. But now, in the early years of the 21st century, we are mainly sharing ‘electronic paper’ – emails instead of letters, Word documents instead of typed reports, PDFs or native files instead of drawings, etc. And we are (or should be) vigilant about security: guarding against software viruses, ‘phishing’ and hacking, and against the theft or loss of our devices, while also continuing to track, store and protect our communications and intellectual property. (And not always successfully: Jones described how details of the internal layout of a Royal Palace were recently freely distributed to potential tenderers via an unprotected email attachment.)

However, the next stages in the digital transformation of the built environment sector are set to make information management more challenging from a security point of view.

Built Asset Security Management

As firms begin to share and to combine or ‘federate’ data-rich 3D, 4D (time) and 5D (cost) models in CDEs, project teams will need to heighten their cyber-security regimes, Jones said.

A shared 3D model may expose intellectual property to competitors. Moreover, a walk-through visualisation of a new building might expose sensitive information about the building’s design – key structural components, locations of key building services, placement of CCTV or other security equipment, for example. Shared 4D models might reveal periods when assets might be susceptible to sabotage or sites could be vulnerable to theft, while a 5D model could reveal commercially sensitive pricing information to competitors.

Published by the British Standards Institute and the Centre for Protection of National Infrastructure (CPNI), PAS1192-5 is intended to help teams identify and guard against risks including:

  • hostile reconnaissance
  • malicious acts
  • loss or disclosure of intellectual property
  • loss or disclosure of commercially sensitive information, and
  • release of personally identifiable information.

ThinkBIM December 2016And our already abbreviation-heavy glossary of BIM terms now includes BASM – built asset security management – as a new discipline. Jones repeatedly stressed the need to build security considerations into project delivery from the earliest stages. Early engagement with a BAS manager will help a project team and the asset owner develop a strong built asset security strategy (BASS) and management plan (BASMP), he said.

Such measures will become more important in an increasingly connected world of not just ‘smart buildings’ but ‘Smart Cities’. We will need to protect information created during delivery of a new built asset, and – just as importantly, and depending on the asset’s sensitivity – protect some or all of the data created by the people and systems in and around that asset, and in any connected or surrounding assets or infrastructure.

At the people level, precautions might include procedures limiting information access to those with defined roles (I was encouraged that Jones identified that some Software-as-a-Service collaboration or CDE platforms do this well: restricting access to certain files, models or data only to people with defined responsibilities), supported by systems of passes, logins, keys or other forms of authentication.

And talking to the SaaS vendor about their systems’ logical security measures won’t be enough. For any sensitive project, teams will need to know where the data is hosted and by who, how it is physically protected, what back-up regimes are applied, etc. (In the early 2000s, I wrote white papers outlining the physical, personal and logical precautions taken to safeguard data and applications by BIW Technologies – later Conject, now Aconex – and devoted a whole chapter of my book to data hosting. I was also reminded of this when I heard Microsoft describing construction and operation of their Azure cloud hosting facilities at Bentley’s November 2016 conference in London – post.)

BASM – it’s about people

As with other aspects of BIM, this is certainly not just about data centres and technology, but people and process. Awareness raising and training will be important: working practices learned in the days of paper or “spray and pray” email will need to be amended, and data vulnerabilities addressed. Often the weak link will not be the software or hardware, but the people that use them (users noting passwords on Post-It notes next to their computers, for example), and, as risks can never be entirely eliminated, Jones also advised that organisations need to plan from the outset how they will respond to security breaches.

In one of the roundtable sessions, former Manchester City Council head of estates John Lorimer asked Jones if this heightened focus on security might counteract recent years’ efforts to get companies and people to share information more readily. “Security should not stop collaboration, so long as it is controlled and people are aware,” Jones replied, “BIM is actually helping to trigger some security-minded conversations much earlier. We may soon be segmenting our construction supply chains according to those who are security-aware, and those who aren’t.” I expect this will also apply to SaaS vendors – how well they satisfy security-related requirements may determine whether or not their services are supplied in relation to sensitive projects.

Update (6pm) – Coincidentally, I just opened an e-newlettter from Steve Cooper, UK general manager of Aconex (formerly the Conject business) which says (after various product updates): “we are making significant investments to enhance our security capabilities to match or exceed Government demands.”

[Disclosure: This is a slightly expanded version of a post first published on the ThinkBIM blog, delivered as part of consultancy support for Leeds Beckett University.]

Permanent link to this article: