Data security: infrastructure lessons from Facebook

The spectacle of a besuited, awkward and somewhat “otherworldly” Facebook founder Mark Zuckerberg apologising to US politician for potentially inadvertently sharing the personal data for 87 million people around the world has certainly made for compulsive viewing.

The bizarre juxtaposition of a twenty-something new-tech billionaire being questioned by a group of sixty-something old-world politicians on the ethics and legality of data harvesting, coupled with some revealing insights into the sheer scale and power of what has been created by this platform, created many an “OMG” moment.

Yet beyond the (social) media sideshow, the whole Facebook/Cambridge Analytica affair has also ensured that data security has risen closer to top of mind for every single person and business using the internet. And since that’s pretty much all of us, it’s probably a good thing.

Not least across the infrastructure sector where, as we accelerate towards a new world of efficient, digitally enabled design, construction and operation and maintenance, the issue of data security has to date, tended to have been parked in the “to do” basket. The excitement and positive opportunity created by these tools is without question a significant distraction from the potential negative downsides.

But I think we all now realise that it can be ignored no longer. As the Facebook scandal is demonstrating, access to data gives power. In the right hands that is incredibly useful; in the wrong hands it is potentially disastrous world of unintended consequences. Given the scale of public infrastructure now managed and maintained using digital tools, the implications for public safety and national security are immense.

It’s a tough brief as, just as we are seeing with Facebook, the ability to share information and collaborate is a very attractive and desirable thing. In fact, the advantages that Building Information Modelling and its associated digital tools and sensors can make available in terms of bringing efficiencies to the traditional, adversarial construction sector is only just being realised.

Whether during the design process, throughout construction or in the management and operation of infrastructure assets, digital modelling, real time sensors and data analytics now make vast amounts of data available to assist professionals in their routing and emergency decision making. This technology has truly disrupted and the result is better decisions, fewer mistakes, more efficient supply chains. The impact of the ability to predict future maintenance requirements using machine learning tools is only just becoming apparent in terms of reduced costs and minimising impact on the public.

But while infrastructure professionals are making positive use of this new world, there are many others who stand ready to exploit and misuse this new digital age. Whereas in the old world, the ability to get hold of the “blue prints” of a new power station, factory or hotel might provide criminals or foreign states with and advantage, poorly protected digital assets quite literally now gives them the keys to control and disrupt.

The newly published second edition of the Construction Industry Council’s BIM protocol recognises this challenge and places greater emphasis on project digital security – “a key factor to take into account on any project when BIM is used,” it points out, highlighting again the detailed guidance available in PAS 1192:5:2015 on the issue.

Specifically the CIC protocol makes a number of changes to standard contracts making special reference to the use of a Built Asset Security Manager role as described in PAS 1192–5:2015; the inclusion of Security Requirements set out as project specific policies; detailing of Sensitive Information which will not be shared; and Employer remedies if security obligations are breached – including, ultimately, to terminate the contract.

We all have to learn from the Facebook affair. And if nothing else, in this complex and evolving environment, the CIC protocol provides a framework to ensure that the right questions around data security are being asked across the project team – and by the right people with the right experiences.

That means first ensuring that the systems managing and controlling our critical national infrastructure are rooted in the technical experience, not designed by ideological twenty something geeks and left at the mercy of the unscrupulous.

But equally we must ensure that those in charge of our new digitally enhanced infrastructure are not hindered by the thinking, decisions or questions of a sixty-year old politician’s old world outlook.