The construction industry thinks cyber security is not an issue it has to worry about. It’s wrong. And as technology becomes more advanced there is no easy solution to stop hackers.

Simon Lewis

The article in Building on 16 October (“Who’s in control?”) raised the disturbing prospect of a hack into a building’s building management system (BMS) enabling the hacker to effectively control the building remotely, locking the inhabitants inside. Increasingly, this is not the stuff of fiction. It is one of a number of very real cyber threats which we now all face.

A “cyber threat” means a threat which is related to the internet or information technology. The Centre for the Protection of National Infrastructure, which provides security advice for the UK, advises that a cyber threat can come from other states, terrorists or criminals. It can include hacking, theft or distributed denial of service attacks (where a website is overloaded and effectively forcibly shut down), or spear phishing or social engineering attacks, where the target is an individual’s email account.

In June 2015, the government published its annual report on information security breaches. This showed that 90% of organisations with over 250 employees that responded to the survey had experienced a security breach in the last year, up from 81% in 2014. The average cost of such breaches was between £1.46m and £3.14m. In September 2015, financial services firm Allianz published its Guide to Cyber Risk, which showed there had been 5,029 reported data breach incidents in the US since 2005, with globally roughly 117,339 detected cyber attacks each day during 2014, up 48% from the year before. The yearly cost of cyber crime to the UK economy was estimated in 2013 to be $4.3bn (£2.8bn).

In the construction industry, there has been an attitude to date that cyber threats are a low risk. Construction is, after all, about bricks and mortar rather than computers. This is far from the case. The industry is becoming ever more reliant on technology. The vast majority of construction projects already produce and manage their data electronically, whether that be through the design process, design approval, the production of drawings and specifications or general project management. The industry is also being encouraged to use building information modelling (BIM), which relies on electronic data management. Publications such as the Digital Built Britain report and the BIM 2050 group report Built Environment 2050: A report on our digital future clearly show just how reliant the industry will become on the use of digital information.

The spread of the Internet of Things, promoting the web-based interconnection of systems that were previously isolated from each other, provides many advantages in terms of cost savings and efficiencies but also poses a significant risk. Without sufficient security, the data held on, for example, a BMS is vulnerable to attack and manipulation by third parties.

Some particular risks for the construction industry are:

  • Hackers may seek access to the construction drawings of high profile buildings in order to exploit weaknesses in security
  • Leak of designs and therefore loss of intellectual property
  • Physical destruction of data, for example drawings or evidence of approvals where a work flow is managed electronically
  • Access by hackers for financial gain, such as access to financial systems
  • Access to the remote access and control systems for national infrastructure such as “smart” motorways or power plants, which often allow remote access for monitoring and maintenance.

Often the contractor or subcontractor is not the actual target but a way to access the real goal, which may be financial systems or infrastructure. Hackers look for a soft underbelly – the unsecured laptop owned by a subcontractor will be easier to attack than a main contractor’s secure system.

A good example of this tactic is the Target case, referred to in the Building article on 16 October, where hackers stole BMS authentication and access protocols from one of Target’s HVAC contractors, enabling them to access Target’s customer database, rather than trying to breach Target’s systems directly. This resulted in card details of around 40 million customers and personal data of a further 70 million being stolen.

PAS 1192-5, one of the Publicly Available Specifications underpinning BIM, goes beyond BIM itself to encompass a security-minded approach to digital built environments and smart asset management.

The construction sector needs to focus on this security-minded approach to its data, to adopt procedures and protocols that protect digital information. As the figures quoted above show, the consequences of a data breach are far reaching, encompassing not only the loss of the information itself, but significant business interruption costs and loss of confidence in the organisation affected.

As many commentators have noted, there is no silver bullet solution for cyber security. These security-minded measures will have to become a fact of life, real and virtual, for everyone.

Simon Lewis is partner, construction and engineering team at Bond Dickinson. This piece was co-authored with Helen Pearce, a solicitor at Bond Dickinson.