Cyber security: Security protocols

As you will know, the BIM protocol outlines the contractual obligations of the parties engaged in a project using BIM up to level 2. The protocol is, of course, only one of a range of documents of which you should be aware when preparing for a BIM-enabled project.  

Underpinning the BIM project documents are a series of British Standards and Publically Available Specifications (PASs) which detail the BIM process. PAS1192-2 deals with the capital expenditure stage of the project and PAS1192-3 with the operational stage while BS1192-4:2014 covers the employer’s information exchange requirements using COBie (construction operation building information exchange). 

Completing this suite of underlying information is PAS1192-5 which was issued in May this year (http://bit.ly/1LyCrXt). This PAS, however, is slightly different. The clue is in the title. It provides a “Specification for security-minded building information modelling, digital built environments and smart asset management”. This PAS goes beyond BIM and looks forward towards developments in the digital built environment that have been foreshadowed in the Digital Built Britain report. Furthermore, the PAS looks at asset management and cyber-security issues beyond just the ambit of BIM itself. As such, it should be read by anyone involved in the construction and maintenance of the built asset environment. As explained in the introduction, implementing the measures outlined in the PAS will assist not only in reducing the risk of loss or disclosure of sensitive information, which could impact on safety and security, but also the loss, theft or disclosure of commercial information and intellectual property.

There is a lot of information to be digested in PAS1192-5 but it is important and worth reviewing even if you come to the conclusion that no further action needs to be undertaken

Central to the PAS are sections 4 and  5. Section 4 sets out the security context and section 5 deals with understanding the overall security threat and recommends the use of what is known as a “security triage process” to ascertain whether or not a security-minded approach should be applied to a built asset and associated asset information. Depending upon the outcome of the triage, you can either adopt a “baseline security approach”, which is basically the reasonable security processes you already have in place, or if the result of the exercise indicates that a more heightened level of security needs to be undertaken, you need to move on to sections 6 to 12. Even if the result of the triage indicates you only need baseline security measures you may consider it prudent to adopt some of the heightened security measures described in the PAS anyway. 

Sections 6 to 12 deal with the heightened security-minded regime which should be put in place if required. This includes the formulation of a built asset security strategy, linked to a built asset security management plan and consideration of the built asset security information requirements which should be fed into the asset information requirements also being prepared as part of the ongoing asset information model. All of these steps should be facilitated by the appointment of a built asset security manager (BASM). On smaller projects this role is likely to be performed by a consultant such as the architect or engineer but on a larger or more complex scheme it may be a full time post. The BASM does not perform a design role within a project: their responsibility is focused upon the formulation and execution of the required security-minded approach. 

Clearly, the security triage is something that needs to be carried out at the earliest possible opportunity: if at all possible, when the organisational plans and objectives for the project are being formulated. Ideally the built asset security strategy and the management plan should then proceed at the same time as the linked strategic asset management plans and other organisational policies and plans well before the project documents themselves are put in place. Obviously, if you are acquiring an already-existing asset the security triage needs to be performed as swiftly as possible. 

Whenever the triage is undertaken the employer or asset owner should record the outcome for each built asset to which it is applied, even if there is no identified need for more than baseline security measures. It would be useful to have the record of this process available for future owners of the asset. 

There is a lot of information to be digested in PAS1192-5 but it is important and worth reviewing even if you come to the conclusion that no further action needs to be undertaken. We encounter stories of hacks and security breaches on a daily basis, to such a degree that they are now almost commonplace. The more we advance towards the digital built Britain envisaged in recent reports, the more likely it is that this security-minded approach will become an absolute necessity.

Simon Lewis is a partner in the construction and engineering team at Bond Dickinson