BIM and cyber security: Defending the chain

As BIM Level 3 is embraced by the construction industry and open collaboration of data becomes the norm, now is the time to take cyber security seriously. James Kenny reports. Illustration by John Holcroft.

The UK government’s 2015 Information Security Breaches Survey, conducted by PwC, found that 90% of large companies had experienced a cyber security breach in the past year, up from 81% in the 2014 survey of IT professionals. Moreover, a large proportion, 69%, had been attacked by an unauthorised outsider – up from 55% a year previously.

The average cost of an attack – calculated in terms of business disruption, lost sales, recovery of assets and fines and compensation – lay in the £1.46m to £3.14m bracket, up from £600,000 to £1.15m a year ago.

Amid this rising and increasingly costly tide, PwC said the threat of cyber offences was now a “board-level issue”, but warned that not enough companies were taking it seriously enough. For the construction industry, these figures are particularly pertinent, as the ongoing adoption of BIM, with its increased use of digital collaboration during design, construction and operation of a building, creates additional cyber security risks – risks that advisers and insurers are warning the industry isn’t taking seriously enough.

Hugh Boyes, cyber security lead at the Institution of Engineering and Technology (IET), says all businesses in the construction sector need to start seeing data and information as a physical commodity that needs to be protected. “Companies need to start thinking of information as a major asset. Within the construction industry I would say they haven’t quite got there yet.

“The industry needs to be much more aware of its data – what it is, and more importantly what the value of it is. There is tremendous value, not only to the owner of the data, but also to the customer.” He adds: “With BIM and more information going through the cloud, companies have to think: Where is this data stored? Who has access to it?”

PwC’s UK cyber security practice leader Neil Hampson agrees that the structure of the sector in the UK means that it’s particularly vulnerable to cyber threat: “The construction sector is likely to be far less developed than the UK economy as a whole because most construction companies are small to medium sized operations.”

It is this fragmentation into multiple SMEs that presents one of the industry’s biggest vulnerabilities. Although Tier 1 companies operating on large-scale projects or infrastructure such as HS2 or Crossrail are likely to have stepped up protection levels to deal with cyber security threats, their supply chains will include SME subcontractors with far less cyber awareness.

In major projects, that network will be complex, from architects to plant and equipment suppliers, law firms, designers. And as the supply chain becomes more extended, the vulnerabilities increase, which means that anyone connected to a site’s systems is to some extent a potential point of entry for one of many different types of cyber attack.

Coupled with this is the fact that construction sites today are characterised by significant emphasis on efficiency, value for money and the need to achieve targets as efficiently as possible, meaning that digital technology is becoming an indispensable feature.

Nick Gibbons, partner and cyber specialist at insurance and risk law firm BLM, says: “The construction industry represents a lucrative target for cyber criminals, mainly due to the vast network of associated supply chains. The biggest cyber threats affecting the construction industry include hacking to obtain personal employee data or sensitive commercial information, as well as Distributed Denial of Service (DDoS) attacks which cause widespread business disruption, which can have a knock-on effect through a supply chain.”

Gibbons warns that intellectual property-related areas, such as technical drawings, designs or projects for large commercial and infrastructure developments, are all seen as prizes and attractive to cyber criminals, as is commercially sensitive data – contract details, bid data, supplier data and pricing.

Peter Armstrong, head of cyber thought leadership at Willis FINEX Global, agrees that supply chains multiply the points of vulnerability for projects or corporates. In his role he advises construction clients on how to control cyber risks or alternatively to ensure that insurance cover factors in the additional exposure risk.

Referencing past cyber attacks in the defence sector, he says: “If I’m coming after a large concern, I’m actually going to come in two or three levels down the chain where one of the key areas of attraction would be the levels of cyber defence of the supply chain.” 

As data sharing and close collaboration increasingly become the industry’s norm, he believes that cyber risks may eventually increasingly force supply chain companies into a closer relationships with the “prime” or Tier 1 contractor. “It happens in the defence supply chain. If a small company can’t afford to protect itself, the infrastructure can be provided, either in the IT environment or physically bringing it under the same roof. It would be ridiculous not to recognise that some firms may not be able to afford cyber security measures – and the primes will have to reflect that maybe it’s just part of the cost of doing business.”

But while the industry does present some unique characteristics, it also shares one key vulnerability with other sectors: people. “It starts with individuals. In the physical world, we start with a threshold in our minds of what we would and wouldn’t do – for instance, you wouldn’t leave your wallet unattended in a coffee shop. But in the data world, we do it all the time,” says Armstrong.

People and their actions as the biggest weak point is something Robert Bond, head of data protection and cyber security at law firm Charles Russell Speechlys, agrees with. “There’s not enough training being done at all levels in the industry. Even basic things like: don’t pick up free memory sticks, be more mindful of laptops. The more construction companies go into BIM and shared resources, the greater the risk will be.”

Malicious BMS hacking

Another area that can be vulnerable to cyber attack is the Building Management System (BMS). These are used to integrate and simplify control of heating, air conditioning, lighting, CCTV, lifts, access, as well as energy monitoring, but this area is prime for malicious hacking. It’s a particular concern when highly sensitive buildings are brought into the mix, such as hospitals, banks, courts and prisons – all increasingly reliant on their BMS.

Andrew Kelly, principal consultant on cyber security with multinational defence technology company QinetiQ, says that the problem is that many of the functions the BMS controls, such as heating, lighting and security, have evolved from technologies that were not designed to be connected, and are often designed, installed and managed by people who have not been trained to understand the security implications. Systems can be connected to insecure networks or left accessible via wi-fi, and default passwords can be left unchanged.

In a recent white paper, Building Management Systems: The cyber security blind spot, Kelly recommends that installation of these systems must involve an understanding of how they are connected to the online world and how to restrict this. He gives examples of attacks over the last few years, and believes that a lot of the faults originate with individuals’ security errors.

 “BMS are open to attack in many places, but it often comes down to culture and the people working within these areas. Most normal people are not IT experts; they just see some of these systems as plug and play. Basic errors such as default passwords can even be used, which all add up to make the systems even easier to attack,” he says.

A new standard

With technology and sharing work through the cloud set to become an everyday part of the industry, the standards of cyber security that construction companies should be working to are laid down in PAS 1192-5, which lays down the technical security considerations for public sector clients and project stakeholders.

The IET’s Boyes says: “It was developed last year and it is only now construction projects are looking at applying it, I’d expect to see it more adopted over the next 6-12 months. The key message is that people should be looking at it regardless of what your project is. It’s not about straight security – it’s about being security-minded in general.”

But clients will become increasingly demanding on cyber security compliance, says Simon Rawlinson, head of strategic research and insight at consultancy Arcadis. “How you get everybody on your project team to behave in a way that makes it secure goes well beyond BIM – I think it might even be the next health and safety piece of work.

“Health and safety is now a statutory duty – you go to jail if you don’t do it right – so contracting organisations and design organisations do it right. We’re not at that place in terms of security yet, but the threats and the dangers potentially of this information held electronically are enormous.”

Boyes also believes that cyber security is rapidly becoming as vital as health and safety strategies. “My personal view is that cyber security today is where health and safety was 20 years ago. I believe it will become standard within the industry. We’ll look back with shock, even in a few years, about the standards that are currently used. Clients won’t find it acceptable for lapses in cyber security.”

He adds: “If you visit a construction site, there’s so many things you have to do to abide by Health & Safety before you get past the reception. This could become the same for cyber security.”

Kelly from QinetiQ agrees that compliance with government or industry-backed guidelines will soon become a prerequisite: “A defined level of security is something all businesses will eventually have to maintain. It’s only a matter of time before there is a death or serious injury due to a cyber attack.”

Government support

To mitigate the risks, the government has encouraged schemes like Cyber Essentials, backed by insurers, the CBI and the Federation of Small Business. It sets out basic risk-control measures for companies to adopt, with businesses registering for “badges” at two different levels. On certain sensitive contracts, government has required all bidders to be registered with the scheme. Take-up is increasing: according to the Information Security Breaches survey, 49% of respondents either hold accreditation or are on their way to it.

Currently UK companies can report cyber crime to the Information Commissioner’s Office, but this largely voluntary – although public sector bodies, regulated financial services companies and telecoms operators are required to report certain incidents and breaches. In construction, cyber crime incidents often go unreported: there is no specific body in place to monitor cyber security in the construction industry, or advise on it. 

That’s a missing link, says Bond. “It has reached that level where there is a need for a proper regulatory board or framework of cyber security in the construction sector. In the banking sector, you know of cyber incidents as they have to notify. But in other sectors, construction or other consumer areas, companies are more concerned about their reputation and how they can commercially handle and bury any incidents.

He adds: “I’d like the industry to be more aware of this inherent weakness. I’d like us to get to the stage where we’re not ashamed that we’ve had incidents – what we should be ashamed of is that we never planned for it.”

Boyes agrees that such a body would be “a good idea, but there is nothing mandatory yet”. In the interim, he flags up CERT-UK, made up of 14 bodies working together to help create awareness and support to companies working on “critical national infrastructure” to handle cyber security incidents and promote cyber security awareness across industry, academia, and the public sector: “It’s done on a sector by sector basis and is actually quite useful.”

Looking ahead to the rest of 2016, however, greater regulatory control appears to be on the horizon. The EU General Data Protection Regulations have just been approved at EU level, subject to a final vote in the European Parliament, and are likely to come into force in the UK in 2018. Under these rules, businesses will be required to report data breaches to the Information Commissioner and may be fined up to €20m or 4% of turnover.

On top of that, last year the European Parliament, the Council and the Commission agreed on the first EU-wide legislation on cyber security. This is significant to construction companies and their clients because it will require them to report any cyber incident impacting on an “operator of essential services”.

This directive is due to come into force by 2019. Construction companies working on large infrastructure projects will therefore need to ensure they have appropriate measures in place to manage security risks and ensure they know in which circumstances they could be held liable for a cyber attack.

In the run-up to the April mandate for Level 2 BIM, PAS 1192-5 has been adopted for public sector projects, but it’s likely that anyone looking for a long-term or future career as a construction manager will have to develop skills and awareness in cyber security if they are to succeed in the business in the years ahead.

As Boyes says: “It’s quite clear that cyber security is an issue that will only become more mainstream in the construction industry and can’t be ignored. Eventually it’ll become imperative for workers, businesses and everyone involved to maintain minimum standards.”

The growing number of everyday coders, hackers and a generally more tech-literate younger generation means cyber security will become part of everyday life on a construction site. And when it’s as integral to the industry’s operations as health and safety regulations, the industry will need to scale up its response to safeguard its future success.

Under attack around the world

Construction-related hacks from Ukraine to New Jersey

• In December 2015, a first-of-its-kind cyber attack on a power grid took place in Ukraine. The incident caused a dangerous blackout for hundreds of thousands of people and prompted Kiev to review its cyber defences. The attack involved a team of hackers who targeted six power companies at the same time, according to US officials. Destructive malware wrecked computers and wiped out sensitive control systems for parts of the power grid, making it harder for technicians to restore power.

• According to a report from the German Federal Office for Information Security (BSI), in 2014, a steel mill in Germany suffered serious physical damage when hackers mounted a successful campaign against the system operators. The hackers used both targeted emails and social engineering techniques to gain access to the mill’s control systems. In particular, a “spear phishing” campaign was aimed at individuals in the company, to trick them into opening messages that enabled the hackers to harvest login names and passwords. BSI did not name the company operating the plant nor when the attack took place. In addition, it said it did not know who was behind the attack nor what motivated it.

• In May 2013, an Australian Broadcasting Corporation news programme reported that an unnamed source claimed Chinese hackers had accessed the computers of a “prime contractor” and stolen floor plans, cable layouts, server locations and security system designs for the Australian Security Intelligence Organisation’s new Canberra HQ, which was under construction at the time.

• In November 2013 40 million customers of US retailer Target had their payment card details exposed when authentication information was stolen from an HVAC subcontractor. Criminals infiltrated the firm’s system, installed malware on its point-of-sale network and stole payment and credit card date.

• The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) monitor newsletter reported that the BMS of a New Jersey manufacturing company had been hacked in 2012. Intruders exploited a weak credential storage vulnerability to access its energy management system, controlled by Tridium’s Niagara software.

• To demonstrate how easily security could be compromised, in 2013 Jesus Molina, a US cyber security consultant, took control of the lighting, shading and HVAC systems in a luxury hotel in Shenzhen, China, via the iPad in his room.

• In 2014, a US heavy industrial construction company sued its bank after losing $327,000 in a cyber attack after it was subject to a “corporate account takeover” in a sophisticated sting. TEC Industrial claimed TriSummit Bank failed to conduct sufficient due diligence checks to ensure that the line of credit extended to cover its weekly payroll was protected.