In today’s digital world, security needs to be a top priority in organisations across every industry. Cybercrime can severely cripple a company’s livelihood. Don’t lose your intellectual capital, avoid the risk. Leading UK security experts, Phil Brown and Steve Maddison, of Ascentor, provide insights to security in the construction industry, including security challenges for a market that is embracing digitisation & preparing for GDPR.
Security best ways to protect your intellectual capital
1. BIM, Security and the Building Lifecycle – UK Security Expo 2017
Featured Project:
Dubai International Airport | US $4.5B Value
Trusted by the world’s largest projects
Security: Best ways to protect your
intellectual capital
With
2. Agenda
Introduction
BIM, Security & the Building Lifecycle
Impacts of the GDPR
Aconex Response
Q&A
Steve Cooper, Aconex
Steve Maddison, Ascentor
Phil Brown, Ascentor
Steve Cooper, Aconex
All
4. Is information security relevant to
construction and refurbishment projects?
Information Security and the Building Lifecycle
Steve Maddison
Principal Consultant, Ascentor
Steve.maddison@ascentor.co.uk
5. BIM, Security and the Building Lifecycle – UK Security Expo 2017
Section1: BIM and Information Security:
What are the information security risks to implementing BIM?
Section 2: The Building Lifecycle:
How do risks to information using BIM change during the
building lifecycle?
Section 3: Managing BIM Information Security Risks:
What basic measures can help manage information security
risks?
Summary
Presentation outline
6. BIM, Security and the Building Lifecycle – UK Security Expo 2017
What is Building Information Modelling (BIM)?
BIM is not a single piece of software or model:
It is a new way of information processing and collaboration
for construction projects with data embedded within a model
BIM Level 2 mandated for HMG projects by 2016:
BIM is for the lifetime of the building, not the
construction project.
7. BIM, Security and the Building Lifecycle – UK Security Expo 2017
What types of information are generated?
• Diagrams: floor plans, layouts, locations, detailed photos
(internal and external),
• Documents: proposals, technical options, finance details,
contracts, management plans.
• Models: laser scan data, point clouds, 3D models.
• Meta data: construction elements – details of build specifications
and composition.
• Specifications: schedules of products and capabilities.
8. BIM, Security and the Building Lifecycle – UK Security Expo 2017
What are the risks?
The information on a building project can be
highly sensitive.
It can be critical to the delivery of the project and
long term support of the built asset.
3D models allow a virtual ‘walk through’ of the building
that otherwise wouldn’t be available.
Information could be used by potential attackers to
disrupt the project, plan physical attacks, support cyber
attacks, threaten personnel, disrupt services.
Potential threats
Terrorists, hackers (professionals, amateurs,
political), criminal groups, state sponsored groups,
insiders.
9. BIM, Security and the Building Lifecycle – UK Security Expo 2017
What could possibly go wrong?
What could happen?
• Inappropriate access to sensitive information
(commercial, legal, personal, IP, security);
• Information is corrupted or incomplete;
• Information is not available when required.
And what are the consequences?
Project delays, cost increases, service disruption could
include: legal, contractual, financial, reputational.
10. BIM, Security and the Building Lifecycle – UK Security Expo 2017
Is information security necessary for BIM?
Depends on your viewpoint:
• Client - Cares more about avoiding information exposure;
• Builder - Focus is on time avoiding cost and time overruns;
• Building operator - Concentrates on service delivery to customers;
If you don’t think any of this applies to you – then why worry!
If it does apply, then why isn’t it built in already?
11. BIM, Security and the Building Lifecycle – UK Security Expo 2017
Information risk and the building lifecycle
Stage 0 – Strategic definition
Stage 1 – Preparation and brief
Stage 2 – Concept and design
Stage 3 – Developed design
Stage 4 – Technical design
Stage 5 – Construction
Stage 6 – Handover and close out
Stage 7 – In use
Increased
Information
Sharing
12. BIM, Security and the Building Lifecycle – UK Security Expo 2017
In-use information security risks
BIM data is used to support maintenance activities. This leads to:
• Increased information dissemination;
• Increased access to 3D models and meta data;
• Increased data retention.
Building management system issues:
• Remote access support;
• Increased technical vulnerabilities – Internet of Things.
13. BIM, Security and the Building Lifecycle – UK Security Expo 2017
BIM information is in many different places
Customer
Information
Systems
CDE
Prime
Contractor
Information
Systems
Staff Devices
Internet
Subcontractor
Information Systems
Staff Devices
Subcontractor
Information Systems
Staff Devices
Cloud
Support
Systems
14. BIM, Security and the Building Lifecycle – UK Security Expo 2017
Information security awareness and maturity
There is a general lack of awareness about Information Security in the
construction industry:
The level of awareness of information security tends to decrease
down the supply chain;
Tier 1 contractors are increasingly required contractually to
manage risks both for themselves and down the supply chain.
15. BIM, Security and the Building Lifecycle – UK Security Expo 2017
Information Security built-in
Information Security should be part of the process from the outset.
Contracts should specify information security requirements:
• Non-functional security requirements;
• Employer information requirements;
• Security aspects letter.
16. BIM, Security and the Building Lifecycle – UK Security Expo 2017
Know what information is important and what the
risks to it are
• Identify and value sensitive information assets:
- Know what it is and where it is;
- Determine customer protection priorities;
• Identify and assess risks:
Determine if you have something to protect;
• Consider:
- Who needs access to and why;
- Understand if it needs to be accurate and complete;
- Know what the availability requirements are.
• Have a governance structure:
Supplier + customer working together.
17. BIM, Security and the Building Lifecycle – UK Security Expo 2017
Control information sharing
• Information assets that are valued and labelled support controlled
sharing:
Common naming conventions and security gradings.
• Balance sharing information with managing access:
- Have access controls within the CDE;
- Manage all forms of data information sharing.
• Roll down information security to supply chain companies;
- Basic information security measures;
- Monitor and manage information dissemination.
18. BIM, Security and the Building Lifecycle – UK Security Expo 2017
Lessons learned
Balance information protection and accessibility.
Manage supply chain information security.
Information security extends beyond the project for
the life of the building.
Need intelligent suppliers and customers.
Use tools that protect information.
Guidance on Information Security for BIM:
Centre for the Protection of the National Infrastructure: http://cpni.gov.uk/
Institution of Engineering and Technology: http://theiet.org/
19. BIM, Security and the Building Lifecycle – UK Security Expo 2017
Summary
BIM is about sharing information in a controlled and secure way.
Intelligent customer and Intelligent Supplier.
Security needs to cover the entire lifecycle of the built asset.
This presentation was delivered to the UK Security Expo Conference on 30 Nov 2017
20. GDPR and security
Phil Brown
Lead Consultant, Ascentor
info@ascentor.co.uk
Impacts of the GDPR
21. Why working with Ascentor will set you apart
General Data Protection Regulation – Coming Soon!
21
GDPR will be enforced across the EU on 25th May 2018. In the UK, it will replace
the Data Protection Act 1998. In essence it impacts any business that does
business with EU members, regardless of where the processing takes place.
Businesses will really need to know & understand:
1. what personal data they hold
2. where the data is being stored
3. the legal condition for processing the data
4. how they will respond to individuals exercising their rights
5. that the Regulation is not prescriptive in that it sets outs out the expectations but
does not define how businesses should act – a risk based approach
22. Why working with Ascentor will set you apart
GDPR – the underlying 6 principles
22
The GDPR requires that personal data shall be:
1. processed fairly, lawfully and transparently
2. collected for specified, explicit and legitimate purposes
3. adequate, relevant and limited to what is necessary
4. accurate and, where necessary, kept up to date
5. kept for no longer than is necessary
6. processed in a manner that ensures appropriate security
PEOPLE
PROCESSES
TECHNOLOGY
There is no ‘one size fits all’ solution but one approach is to keep the ‘data subject’
foremost in your mind rather than fixating on the most convenient solution.
23. Why working with Ascentor will set you apart
Lawfulness of processing
23
Processing will only be lawful if one of the following conditions is met:
the data subject gives consent for one or more specific purposes
it’s necessary to meet contractual obligations entered into by the data subject
it’s necessary to comply with legal obligations of the controller
it’s necessary to protect the vital interests of the data subject
it’s necessary for tasks in the public interest or exercise of authority vested in the
controller
it’s for the purposes of legitimate interests pursued by the controller (there is a balancing
test)
24. Why working with Ascentor will set you apart
General conditions for consent
24
The following conditions apply for consent to be valid:
controllers must be able to demonstrate that consent was given i.e. the need to keep
records
written consent must be clear, intelligible and easily accessible, otherwise it’s not binding
ticking a box or choosing appropriate technical settings are valid methods
more controls apply to obtaining a child’s consent and for processing special categories
of personal data
Consent to processing data is not necessary for the performance of a contract, so
should not be sought
25. Why working with Ascentor will set you apart
The rights of data subjects
25
The controller shall provide any information relating to the data subject in a
concise, transparent, intelligible and easily accessible form using clear and plain
language, in particular for any information addressed specifically to a child
The controller must facilitate the rights of data subjects, the most popular one is
likely to be:
‘data subject access request’ (DSAR)
– time period reduced from 40 days to 1 calendar month
– fees abolished (currently controllers can charge £10)
There are exceptions for excessive or vexatious requests – although the onus is on the
data controller to prove this is the case
26. Why working with Ascentor will set you apart
What we may expect with GDPR
26
In future, everyone can expect the business collecting personal data to remind or
state:
the period of time that the data will be stored
the right to rectification, erasure, restriction, objection
the right to data portability
the right to withdraw consent at any time
the right to lodge a complaint with a supervisory authority
the existence of automated decision-making, including profiling, as well as the
anticipated consequences for the data subject
the outcome of the data subject’s failure to provide data
Privacy notices will need to be well thought out!!
27. Why working with Ascentor will set you apart
Use of the cloud for processing
27
Use of the cloud for storage or processing data is very common, but specific
conditions are in place for the moving, storing and processing of personal data.
For these reasons, a business should consider:
Where data will be stored or could be stored; if it’s outside the EU and certain listed
countries then legal processes must be observed
The capability of the data processor after considering, inter alia, the following:
– Terms and conditions being presented
– Proof of information security procedures
– Security of data in transit and at rest
– Staff access control restrictions
– Resilience to service failures/ attacks
– Reliance on sub-processors to deliver services
– Ability to delete data or have it deleted upon request by the data controller
29. 29
• GDPR - reviewing all processes, policies & systems across all regional / central
functions
– Making changes where necessary
– Compliant by May 2018
• Information security certifications
– All hosting environments ISO27001 certified
– In addition, Aconex’s internal engineering, operations, support also ISO27001 certified
– Extending Cyber Essentials Plus (Q1 ’18)
• Investing multiple $millions in ‘Gold Standard’ cyber security protected platform
– Commenced FedRAMP certification project in the USA
– Single Sign On (SSO) & 2 Factor Authentication (2FA) already released
– Incremental updates globally – hosting, hardware, operating system, databases, applications,
– Last week moved UK hosting to a new platform higher security headroom
Aconex Response
30. Q&A with our panelists
Steve Cooper
General Manager UK & Ireland,
Aconex
Steve Maddison
Principal Consultant,
Ascentor
Phil Brown
Lead Consultant,
Ascentor
31. Why working with Ascentor will set you apart
Featured Project:
Dubai International Airport | US $4.5B Value
Trusted by the world’s largest projects
Learn more at aconex.com/Demo
Lear
Our thanks to Steve Cooper, Steve Maddison, and Phil Brown
and to you for attending
Editor's Notes
Good morning – I am Steve Maddison and I am going to talk to you about Information Security and Building Lifecycle:
Consultant with Ascentor – IRM– clients in the construction industry
- IS aspects of procuring services for major construction and refurbishment projects for a public body.
Presentation considers the information security aspects of a construction or refurbishment project.
I am going to focus in particular on Building Information Modelling (BIM) as it is a commonly used approach for construction projects. Whether BIM is used or not the principles of information security are relevant in the same way.
BIM and Information Security:
What is BIM?
What information is generated during a construction project?
What are the risks to information using BIM?
Is Information Security necessary with BIM?
The Building Lifecycle
Stages of a building or infrastructure project and the information generated at each stage
Where is the information
Information Security Awareness in the supply chain
In Use risks
Managing information security risks:
The measures to manage information security risks?
Lessons Learned
Summary
Questions
BIM is used for a wide variety of construction and infrastructure projects and I am going to refer to the use case of the construction of a generic building rather then use the jargon term ‘built asset’ – but that is what is meant.
Process of designing a building or structure collaboratively using a single coherent system of computer models.
Each discipline or organisation creates its own model using laser scanned information and detailed photographs to build the combined model in a common data environment or CDE.
Models are amalgamated to provide a combined view of the entire project with 3D geometrical and non-graphical data.
BIM puts information sharing at the centre of the design, construction and delivery process. Also means information management becomes essential.
BIM Level 2: mandated for all government projects.
It means: Collaborative 3D BIM models - with all project and asset information, documentation and data being electronic.
Not only about how a building is put together but also how it is managed subsequently because there will be extensive re-use and development of BIM information. So BIM runs for the lifetime of the building and so does the information security.
What types of information are generated during a construction project?
Diagrams basic level will show locations, building layout with entrances, exits and main features.
Supported by high definition photos which will show the detail of features internal and external.
More detailed diagrams will add the layouts for utilities (power and water) as well as access point, control locations, plant room locations, HVAC details
Could include evacuation routes, fire assembly areas,
More detail for IT systems, cabling runs, server room and data storage areas.
Security details; cabling and control points for alarms systems, locations for CCTV. cameras, security control rooms, data centres.
Even for something innocuous like a supermarket this could be sensitive information – knowing where the guards are located and where the alarms are.
There will be a large volume of documents will provide technical details to support diagrams but will also include commercially sensitive with details of bids, costings and contracts.
Models: become a visual summary of all the high level information and allow a 3D view of the project and the ability to see what changes might look like. The model includes the metadata which provides the details for each component.
Schedules will give detailed specifications of equipment (CCTV capabilities, - is a camera IR or not and area of coverage.
Information is needed by the various teams to complete their part of the task and that requires sharing it amongst the teams to provide effective collaboration in a timely manner.
Information in the CDE can be sensitive in its own right and but is essential to the smooth delivery of a construction project and the smooth operation of the building for its lifetime. Could be exploited for negative purposes at any time during this lifetime and could be used to either plan or conduct physical or cyber attacks of various types.
3D models in particular give a visual impression of a place that the viewer may not have been to and enables the viewer to walk though a virtual environment and understand key locations and features.
Information from construction projects is vulnerable to the various people who want to exploit it. The list of possible threats is shown on the slide.
Threats vary for each project but at least one of them, if not most of them, will be applicable to some extent to every project. Should also add environmental threats (F/F/Q)
This is not about ‘reds under the beds’ seeking to get at classified government information, there is definitely an aspect of that for some projects.
Also critical national infrastructure assets (mostly of which are commercially operated) and wider commercial interests – especially for construction projects. Competition for projects can be very fierce and some organisations will seek ways to get an edge over competitors.
We have identified types of sensitive information, and that should not be made publicly available. Apart from any thing else there will be contractual and legal requirements not to divulge commercial information .
A lot of the information is critical not only to the smooth delivery of the project, but also when the building is being used. If that information was inaccurate or incomplete it would cause disruption. Similarly If it was lost, stolen or deleted that would also cause disruption.
The relative importance of these risks varies but if for example the data on the CDE was not available - hacking attack causes denial of service, fire in the data centre, ransomware attack; will have consequences such as cost/time over runs, service disruption and importantly reputational damage.
The sky is not falling in – it is about recognising that information is key to delivering construction projects and operating building services. Construction projects create a lot of information and BIM concentrates that information in fewer places – accidents happen and there are bad people out there.
The things that could go wrong will exist for as long the building exists – but they do change over time.
Context is key: not all information on every building project is sensitive all of the time to everyone. But some of it is sensitive to some people some of the time
Client might care about information sensitivity. Will certainly care about delays, increased costs and about vulnerabilities that could be exploited in the building life cycle to disrupt service delivery.
Builder will care about: costs, delays and reputational damage
Building operator will care about: the maintenance of building services to customers and the smooth operation of building management systems.
If you think that none of this applies to your construction projects, if you don’t have any valuable information and the threats aren’t relevant – then don’t worry.
I suspect however that your projects do want to be delivered on time and to budget and that there is probably sensitive information involved.
Information security is not inherently part of construction projects because not enough customers have required it. Also not enough suppliers see it as an essential part of the service and it is perceived as an unnecessary overhead. If it is not in the contract and could cost extra to provide why should it be provided?
I have used the definitions from the RIBA to describe the stages of a construction project to describe how the volume, detail and complexity of information grows over the various stages.
In stages 0 and 1 there is a limited amount of relatively high level information in the development of the project.
In Stages 2 and 3 a significant volume of detailed and sensitive information needs to be shared with a much larger number of people as part of the design development process.
Any tendering process means that information is sent out to multiple organisations and only 1 company wins the contract.
The need to share increases as more people are involved n Stage 4 and 5. More information shared to a lower level of the supply chain. Does the bricklaying company need full access to the 3D model with all metadata to do their job?
Stage 6 denotes the end of the project for the supplier (normally) but is a continuation of information security risk for the client.
Stage 7 see another growth in information dissemination as t is shared with a fresh group of maintenance and accommodation management teams.
In use is the longest stage as it lasts for the operational life of the building.
Information will be shared widely with organisations providing building service management, maintenance activities and customer services. Information will be updated to reflect changes and the volume and detail of information will continue to grow.
Risks during the period will develop:
- Information compromised earlier in the construction phases may now support attacks (cyber / physical / personnel) during this period.
The purpose of buildings may change – it might originally be of low significance but more important occupant could make it more of a target.
Vulnerabilities will change as technology changes – advent of smart buildings.
Building management systems are critical and the way they have been installed and configured may now represent vulnerabilities:
Remote access support: examples already of BMS being compromised by cyber attacks on supply chain companies to compromise IT system credentials leading to compromise of building user IT systems.
Remote take over of CCTV cameras.
Internet of things – smart building systems and technologies can be compromised unless security has been designed in.
So how do we manage those risks?
Information comes in hard copy, soft copy and ‘pink (held in people’s heads) and risks to information can exist wherever it is stored, processed or transported.
Diagram shows a likely model for information dissemination.
Explain route
The number of participants will change during the building lifecycle, with the number of subcontractors increasing for Construction, decreasing for Handover but then increasing again during In-use as maintenance and service companies provide support and BIM information is used for other purposes.
Note that cloud systems (O365 etc) are included as most modern companies will outsource IT functions and these cloud services come with their own risks.
Staff devices may be laptops, tablets, smartphones – often BYOD.
Data volumes expand, detail increases, more organisations need access to some or a lot of the data
There is a general lack of awareness about information security in the construction industry - this might be a contentious statement but is based upon my own albeit limited experience.
Tier 1 Contractors: -some are aware and have some measures in place. Few are able to coherently summarise their IS capabilities for a project.
Smaller companies often less aware and less able to afford security aspects: CE, CE Plus, IASME, ISO27001.
Tier 1 contractors have to manage all risks in the supply chain and this will increasingly include information security risks.
So, if we have information that is critical to project delivery and which underpins the security of services, building maintenance and customer activities then it makes sense to do something to safeguard that information at the outset, when it is cheaper and more convenient to build it in.
You can’t predict every change to use of a building or every future technological change or reduce the threat, but you can take basic sensible measures at the outset to either reduce the likelihood of a vulnerability being exploited.
The message therefore is for BIM projects build in information security at the start of a project. The first way of doing this to have information security in the contracts between customer and supplier.
ITTs should have NFSR
Contracts should have EIRS.
Security Aspects Letter: customer to supplier identifying sensitive information.
Customers should specify security requirements in the contract and choose a tier 1 that has got some evidence of good practice.
Consider use of data flow diagrams to show what information is where.
The threats to information stores increase as the volume and detail of information grows.
Conduct a risk assessment – many ways of doing this and shouldn’t be complicated.
Identify what information is important and why.
Identify who needs access to what data.
How important is information accuracy?
How important is information availability?
Have a governance structure – understand know who owns the risks to information and who is responsible managing which aspects.
Appoint SQEP personnel to manage security aspects
Information security as an agenda item for project management
Structure for decision making and escalation of security issues to managers
Client and supplier work together
Sounds too much like motherhood and apple pie, but it all about the basics in the first instance.
If information assets are identified, valued and labelled this will support controlled sharing
Have a common information security grading system for information in all forms. Make sue that it is applied to information objects in the CDE.
Balance need to share balance with need to know;
Choose a CDE that implements security such as access controls, data encryption and strong (multi factor) authentication.
Access controls within the CDE
Manage all forms of data information sharing – e-mail, media, telephone,
Ensure that information security requirements are levied on supply chain companies;
Basic information security measures; CE / CE Plus, ISO27001, SAE16/18, ISAE 3402
Need a mechanism for contractually rolling down security requirements
Need monitoring function for supply chain companies.
Some of the benefits of BIM are the use of a common environment for managing information that can be shared more efficiently and to improve collaboration. Security must support those aims, not hamper them, so the key message is to balance information sharing with information security. Understand what information you care about, identify the risks to it and manage them in a common sense way.
The information security aspects for BIM projects extend for the lifetime of whatever has been built. The ‘in-use’ phase is the longest and consideration must be given to information security for the whole of that period.
Need intelligent suppliers = can be a market differentiator
Need intelligent customers – know and value information assets.
Tools such as CDE should be able to help protect information through access controls, encryption and strong authentication so pick those that have security features.
Guidance is available from a number of sources:
CPNI: http://cpni.gov.uk/ CPNI – PAS1192-5 is the standard from the Centre for the Protection of National Infrastructure (CPNI) that provides guidance on BIM security. Specifically it provides requirements for how to manage BIM.
Institution of Engineering and technology; Code of Practice for Cyber Security in the Built Environment
3 points to take away:
- Share information in a controlled manner in a secure environment
Intelligent customer specifies security requirements in contracts, Intelligent supplier anticipates the security requirements and supports a less knowledgeable customer
Information security is for the lifetime of the building and not just for the delivery phase.
Any Questions?
GDPR will be enforced across the EU on 25th May 2018 without the need for further member state intervention. In the UK, it will replace the Data Protection Act 1998. Its impact is not confined to the EU, but to any business that does business with EU members, regardless of where the processing takes place. Some key points:
The Regulation is not prescriptive
There is no ‘one size fits all’ solution
Implementation is set against principles
Businesses will really need to know & understand:
what personal data they hold
where the data is being stored
the legal condition for processing the data
how they will respond to individual exercising their rights
It’s on its way and it’s about to impact an awful lot of people and businesses around the world
The regulation redresses the balance of control of personal data between the consumer and business
Key to the application of the principles is ACCOUNTABILITY
To be GDPR ready, people, processes and technology need to be considered in equal measure
GDPR is not a certification scheme
There is no ‘one size fits all’ solution but one approach is to keep the ‘data subject’ foremost in your mind rather than fixating on the most convenient solution for the business
If you would like to provide your email addresses or a general contact email address, that could also be on this slide.