New documentation on security of BIM data shouldn’t make us afraid; instead, we should positively promote awareness of the issues
The latest addition to the BSI series of BIM documentation, PAS1192-5, specification for security-minded building information modelling, digital built environments and smart asset management, is being made available to industry, ready for implementation.
A companion document to the rest of the BSI BIM docs (PAS1192-2, PAS1192-3 and BS1192-4…etc.), the new PAS will be asking employers and the whole of their supply chain to understand the potential threats to security that BIM may introduce, and to address any inherent vulnerability issues associated with BIM and the loss of sensitive information relating to their built asset portfolio.
In addition, built asset owners / operators will also need to develop a conscious acknowledgement of information security, particularly with the increasing use of computer based, digital technologies and integrated systems in order to protect themselves from potential issues arising from malicious attacks or accidental loss or disclosures of sensitive information.
Employers will need to fully understand what information is sensitive to their business, where the vulnerabilities are, and define how best to manage them in the context of BIM.
One thing worthy of note and something to get your head around early on is that this PAS is not titled ‘Secure BIM’. The concept of risk free secure BIM (100% secure, all of the time) is unrealistic to achieve and does not present a viable solution for any business. In reality your data is not and never will be completely secure. Whether malicious or accidental, there will always be opportunity for data loss, so emphasis must be placed on understanding the risks which BIM could introduce to your business, establishing the level of risk appetite you wish to undertake and managing those risks accordingly.
Something else which has been observed is a misconception that the new PAS is aimed specifically at BIM for security groups (only to be used on very special, highly sensitive built assets) and is not applicable to the majority of the AEC industry for application on general construction projects. However, it must be pointed out that this is not the case.
It is important to understand that the new PAS is, in fact, a specification for the application of a security-minded approach to BIM: a process of identifying potential internal and external threats which could be introduced through the use of BIM, both malicious acts (hostile reconnaissance, commercial espionage, hacktivism…etc.) and non-malicious acts which could result in accidental loss or disclosure of sensitive information, and of implementing appropriate and proportionate controls to reduce the opportunity for those potential threats to be realised.
As with any new specification, the success of this PAS will be determined by its communication and interpretation by industry. Emphasis needs to be placed on getting employers to fully understand the threats associated with BIM in conjunction with their business needs, ensuring that threat reduction is given the appropriate level of attention.
At a recent industry forum, an overview of the new PAS1192-5 was presented; interestingly, for effect, the front cover had been doctored and was now represented with an image of Jaws (the film with the big white shark!). The image of the swimmer, bobbing along in the sea happily with a smile on their face, unaware of the impending doom about to be realised, was indicative of our industry, expressing hidden dangers associated with BIM and poor information management practice. Whilst humorous, it raised a concern that the new PAS had the potential to be misinterpreted, exploiting people’s fears and undermining all of the previous good work and efforts to move the industry towards a more collaborative approach of exchanging information.
The rise of BIM within industry has been centred on the electronic exchange of information, promoting a willingness to share data amongst team members. In order for BIM to be successful, it is dependent on all parties being willing to collaborate and share. If not communicated well, the new PAS may instil a level of fear and confusion, resulting in mistrust and the unnecessary creation of barriers due to fear of the unknown, restricting collaboration to a point where tasks become unmanageable and the potential for value realisation is lost.
We shouldn’t be afraid to get into the water; however, we must understand the risks associated with swimming where there be sharks.
There has been some negativity surrounding the recent release of the PAS. Concerns from the supply chain have been raised, expressing views that the processes detailed within the PAS are too onerous, adding further complexity and expense.
These concerns must be addressed, as otherwise the philosophy of the PAS may be undermined and the opportunity to introduce a security-minded approach discarded. To avoid this scenario we need employers to promote the importance of a security-minded approach within the supply chain, challenging its members to be more invested in taking care of the information they produce / manage on behalf of others, and to understand the value of the data and the potential consequences of data loss.
The key to achieving a successful security-minded culture is through education and awareness, addressing the change in behaviours required to ensure people are thinking about the importance of managing information with a security-minded viewpoint in a positive way, applying an appropriate and proportionate level of information management which does not stifle collaborative working.
It will become absolutely critical for employers to encourage a positive outlook to the application of BIM, helping parties to understand the potential threats, striking the right balance between ‘Need-to-know’ and ‘Need-to-share’ in order to exploit the maximum business value from BIM, whilst protecting themselves with an appropriate and proportionate security-minded approach.
Mark Eggleton is a consultant at BIM Academy