The first of a new series of columns on cyber security looks at the data risk issues around building information modelling. Taylor Wessing’s cyber security team explain
What is BIM?
Building information modelling (BIM) is a platform to allow the digital mapping of the layout and functional characteristics of a building using 3D computer technology. It is a tool which informs the design and construction phase of a building project and also the occupation and management phase once built.
Why does BIM represent a cyber security risk?
BIM relies on inputs from numerous designers and contractors, either working on their own models which are then consolidated (level 2) or all working on the same model which is accessed and adapted by the various parties (level 3).
It allows for fully automated connectivity between the numerous parties involved in a construction project and relies on web stored information to facilitate this access, with a central repository for the storage and sharing of the requisite data. Having a single central repository carries a number of risks as it can increase the risk of accidental sharing of commercially sensitive information and intellectual property. Also, by allowing access to numerous parties the integrity and availability of the information could also be at risk and, in addition, BIM might also increase the risk of data manipulation and sabotage.
The information held on BIM might be of interest for reconnaissance of the building for criminal purposes
Any web-based platform is susceptible to being infiltrated and manipulated or destroyed by a third party, but the increased risk from BIM level 3 is that everyone is working on a single integrated model and therefore require similar levels of read/write access. This means that not only is there a risk from external agents, but also the numerous internal agents who may have malicious intent or abuse their privileges for their own gain.
In terms of external threats, the information held on BIM might be of interest for reconnaissance of the building for criminal purposes or may simply become a target to online criminals looking for commercial gain by exploiting intellectual property or holding the information to ransom. Competitors may also seek to gain access to steal intellectual property or steal or leak commercially sensitive or confidential information. They may also want to sabotage the project, to delay or prevent the building progressing.
As the model is intended to last the whole of the asset’s lifecycle, it will need to contain more detailed information in relation to the location and properties of sensitive assets or systems within the building. This might include the security of a built asset, including physical access or security system configuration such as keyless door entry or CCTV.
While less sensitive than security systems, having access to detailed information about building management systems, which can be used to control heating and lighting, could still provide the ability to significantly disrupt the use of the building.
What can be done?
It is important to include appropriate provisions in contracts and the BIM protocol to require all parties to take the necessary steps to mitigate the risk of cyber crime.
Depending on the level of sensitivity it might be necessary to implement restricted access to the model to limit the ability of certain parties accessing specific parts of the model which are not necessary for their role.
Although this will not completely eliminate the risk of unauthorized access, it might limit the scope of access by certain entry methods. Alternatively access rights or sharing rights should be appropriately limited to specified parties; so for example, those subcontractors without formal subcontracts or who have not signed up to the BIM protocol may not be given access and the inputting of their design elements will be the responsibility of the main contractor.
In terms of access control, multi-factor authentication, whereby access is only granted following two or more authentication steps is increasingly common and should be encouraged as it reduces the risk of unauthorized third party access.
Ensuring proper password protocols are implemented is also important to ensure that users are required to use strong passwords and to change them at regular intervals.
Depending on the parties involved, it may also be possible and advisable to further restrict access using location based technology or internet protocol (IP) access control.
Finally, as it is not possible to completely guard against the risk of cyber crime, it will be important to foster a culture of security awareness throughout the project team.
Jill Hamilton and Edward Spencer are senior associates at Taylor Wessing. For more information on the firm’s cyber security team go to united-kingdom.taylorwessing.com/en/cybersecurity