Building management systems and cloud-based BIM are making the industry increasingly reliant on the internet – and vulnerable to cyber threats. Andrew Brister reports.
Is your company secure against cyber attack? eBay thought it was, until the personal records of 145 million customers were stolen by attackers who had obtained employee login credentials. Meanwhile, an attack on US retailer Target compromised the credit card details of 40 million customers. And it’s not just a risk for consumer-facing businesses. In May, the US government brought criminal charges against five Chinese army officers it said were responsible for spying on a group of US corporates, including – alarmingly – nuclear reactor specialist Westinghouse Electric.
Cyber crime for monetary gain is a growth industry. More than 80% of large organisations with over 250 staff experienced a security breach in the past year, according to a 2014 UK government survey. The average cost of the worst attack was put at between £600,000 and £1.5m: the cost of customer data theft, theft by employees, and extortion using “distributed denial of service” attacks. In other findings, 24% had detected attempts by outsiders to penetrate their networks and 16% had been the victim of intellectual property theft in the past year.
Then there are other categories of cyber threat not covered in the government survey: cyber pranksters that view hacking as a form of entertainment, or cyber terrorists that aim to cause physical damage of some kind.
Construction, of course, is not immune. As the industry increasingly relies on the internet to go about its business – using internet-connected building control systems and, of course, cloud-based BIM – the risks start to escalate. “The construction sector is not a massive target yet, but don’t think that you won’t be,” says Hugh Boyes, cyber security lead at the Institution of Engineering and Technology (IET). “Banks and online stores have been on the receiving end of this for a number of years but, thus far, building systems have got off fairly lightly. That’s largely because they haven’t been connected to the internet; the industry is now changing that.”
Boyes is putting the final touches to the IET’s Code of Practice for Cyber Security in the Built Environment, which is due out in early November. The document builds on last year’s technical briefing on the subject, Resilience and Cyber Security of Technology in the Built Environment, which clearly got people talking. “Following publication of the briefing, I got asked to a meeting with the head of a well-known UK construction engineering consultancy, who was stunned when I explained how serious the problem could be,” Boyes reveals. “It’s not scaremongering; it’s just making people aware of the issues.”
Out of control
Boyes highlights the energy monitoring of buildings, where a facilities company may have remote web access to a client’s building management system, as an area vulnerable to malicious hacking. “This will be via a box connected to the internet. The more of this that goes on, the more the hackers and tinkerers will look at it and realise that they can do things.”
The attack on US retail chain Target is said to have begun with network credentials stolen from the firm’s heating and air-conditioning contractor, and two security researchers were able to reach the internet-connected BMS of Google’s Sydney office in Australia remotely, although Google said they only gained access to the heating and air-conditioning controls. Google’s system was based on Tridium’s Niagara platform, software widely used in the industry.
A digital security consultant with knowledge of the sector also warns of building management systems’ vulnerability to hackers with criminal or terrorist intent. “GCHQ and the Met Police have data on servers in secure buildings. But they have humble controllers running the air-conditioning systems – could they be hacked? Modern prisons will be increasingly controlled by electronic locking, with swipe card identification. You could hack a jail remotely and lock the prison warders in the canteen.”
The antidote to cyber attacks is of course cyber security, a broad subject that addresses a wide range of factors. These include the technology itself and technical controls such as firewalls, encryption, security “patches” and antivirus software, as well as staff, process and governance issues. The new code is therefore designed to guide the industry through these issues, putting the information into a construction industry context with case studies.
As Boyes explains: “The IET Code of Practice lays out a framework for the built environment sector to follow and takes a risk-based approach. You need to think about what kind of organisation you are, what you do, look at your vulnerabilities, your threats, take a very close look at your building’s infrastructure and systems and have a think about what could go wrong and its impact on you.”
Sensitive matters
So what will the impact of BIM be? It could be argued that the vulnerability to being hacked is already there, and doesn’t change with BIM: in other words, most of the data generated in Level 2 projects would have existed in digital form anyway, and the “model” is just the sum of pre-existing parts. Nevertheless, as BIM takes hold and Level 3 becomes a reality, the sheer volume of sensitive data being shared collaboratively surely compounds the risk of cyber attacks.
The report on the digital future of the built environment from the Construction Industry Council’s BIM2050 group drew attention to cyber security in the first point of its executive summary. David Philp FCIOB, chair of BIM2050, head of BIM at Mace Group and head of BIM implementation at the Cabinet Office, tells CM: “Digitally connected infrastructure and business systems are vulnerable to electronic terrorism and sabotage. Just because your information is secure now, does not mean it will be secure in the near future. Most organisations, other than the very big ones, don’t know they’ve got a problem, and very few probably understand it.
“As we move from Level 2 collaborative BIM towards Level 3 and fully integrated assets – and not just individual buildings, but whole portfolios and smart cities – then the big thing that we have to sort out is the whole issue of cyber security,” he argues.
In its recommendations, the BIM2050 report calls for organisations to “review their data residency, integrity strategies and agreements to proactively defend our digital and physical assets from cyber attacks”. But the report also admits that current security measures to “throttle” access to data “creates inefficiencies and inhibits collaborative working”.
Philp argues that one way through the conundrum is to encourage the academic community to research data encryption and security access techniques in the context of BIM and the built environment, especially on operational data sets. “OpenSSL cryptography and cryptography in general needs to be developed further to secure internet-enabled infrastructure,” he says.
Hugh Boyes also authored the IET’s BIM: Addressing the Cyber Security Issues document, published earlier this year, which highlights the ease with which BIM data can be compromised. “As you become more reliant on the digital exchanges of data, you also become more vulnerable to that data being disrupted or misused,” he says. “It might be accidental; it might just be a phishing attack on a bit of malware that comes in on an email that looks like it’s from someone involved in the project. That might be enough to take you down.”
Boyes believes that if you apply good practice, you can reduce the risk dramatically. “It’s not about spending huge amounts of money; it’s more about putting in place the right measures: up-to-date patching of systems, up-to-date anti-malware and not mixing social and business use on your machine. There is a much greater risk of picking up something undesirable when using your PC for non-work purposes.” Boyes points to government guidance such as Cyber Essentials for the smallest firms and 10 Steps to Cyber Security for larger employers (see below).
Lack of awareness
Jozef Dobos, a computer scientist at University College London, advises: “You have to use SSL encryption keys and certificates when transferring data from a server to a client. Data hops from server to server until it gets to the client. It can easily be intercepted if it is not encrypted.” Dobos has become familiar with the construction industry through developing 3D Repo, an app that enables the user to view, share and annotate 3D building models. He is worried by the lack of awareness of data security issues among the construction fraternity.
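Dobos’s point about encryption in transit cuts both ways for the client that pulls a model or BMS data down from a server: it must not only speak TLS but verify who it is speaking to, otherwise any box on one of those hops can present its own certificate and read or alter the data. The following Python example is added here; it is not code from the article, from 3D Repo or from any product named on this page. It places a client configuration with verification switched off beside a hardened one and adds a small audit function that flags the weak settings. The URL, the function names and the optional private CA file are illustrative assumptions.

```python
import ssl
import urllib.request
from typing import List, Optional

# Illustrative endpoint only (assumed, not a real service); it is never
# contacted by the audit functions below.
MODEL_URL = "https://models.example.invalid/projects/site-a/model.ifc"


def insecure_client_context() -> ssl.SSLContext:
    """The 'it connects, so leave it' configuration.

    TLS is used, but the server certificate is never checked, so a device
    sitting on any hop between client and server can terminate the
    connection with its own certificate and see the model in the clear.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate at all
    return ctx


def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server's certificate chain and hostname and refuse
    protocol versions older than TLS 1.2.

    ca_file (assumed path, optional) pins trust to a private CA, for
    example one run for a single project, instead of the system store.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of weaknesses found in a client context; an empty
    list means the three checks practitioners care about all pass."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    return findings


def fetch_model_bytes(url: str, ctx: ssl.SSLContext,
                      timeout: float = 10.0) -> bytes:
    """Download a model over the given context.

    With the hardened context a mismatched or untrusted certificate raises
    ssl.SSLCertVerificationError instead of silently delivering whatever
    an interposed device chose to send.
    """
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or ["no findings"])
```

The audit checks are the ones to run over any in-house tool that talks to a model server or a BMS gateway: a context that reports `CERT_NONE` or `check_hostname=False` is encrypting the link to whoever answers, not to the server you intended.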
This view is borne out by the findings of a survey by University of Bolton undergraduate Kris Gunshon examining the potential security risks of BIM. Dr Fred Sherratt MCIOB, now senior lecturer in construction management at Anglia Ruskin University, oversaw Gunshon’s work. “The basic answer to a lot of our questions was: ‘I don’t know’. We are so narrow in our thinking in construction, so insular and isolated, and we need to be more aware of what could potentially happen.”
Sherratt, Boyes and Dobos all paint a worrying picture of what could happen. “BIM can lead to access to, or theft of, data for all the wrong reasons,” says Boyes. “Gaining access to a BIM model is an absolute gift. It’s easy to imagine criminals overriding the security system in a building containing something of value, for example.”
Terrorism is another grisly possibility. Boyes says: “There are a lot of people in the construction chain that could be holding large parts of the building model, if not the whole model. Our concern is that could become easy to get hold of if someone lost their device, say, and it wasn’t protected.”
“I do worry that we are creating a whole virtual world of something that is there in the physical,” says Sherratt. “When I was involved in the construction of police stations in Manchester, our drawings were tightly controlled. Now they’d be held in a 3D model. There’s a great potential here for either mischief from teenage boys in their bedrooms or more serious things. I think that before we just carry on down the BIM route regardless, we need to stop and think about what vulnerabilities we are opening up.”
That’s not to say that security issues are not on the radar of the policy makers. CM understands that work is under way on a draft of an additional document or annex to the BIM standard PAS 1192, which will address the cyber security aspects of BIM.
Career opportunities
The increasing awareness of cyber security is pushing the worlds of construction and IT consultancy ever closer. “One of the positive things that will come out of this is for careers in the built environment,” says Philp. “Issues like this are starting to open up more and more new roles for young people coming into the industry, and cyber security will become a key job role in the world of construction in the future.” Indeed, major building engineering consultancies such as Arup, Grontmij and Cundall all employ IT specialists with cyber security expertise to work alongside their building designers.
So perhaps it’s not all doom and gloom. BIM may be leading the industry into the path of an ever-wider range of cyber threats, but will also usher in the development of career options straddling construction project management and digital security. For the construction manager of tomorrow, cyber security will be one more item to add to the pre-contract risk assessment and BIM implementation plan, but also one more area where the industry can develop its expertise.
Building your defences – Four tools to boost cyber security
1. Cyber Essentials
This is a government-backed scheme to help organisations protect themselves against common cyber attacks and offers a set of basic technical controls. It was launched in June 2014 and certifies companies at one of two levels, Cyber Essentials and Cyber Essentials Plus. It is backed by the Federation of Small Businesses, the CBI and a number of insurers. From 1 October 2014, government has required all suppliers bidding for certain contracts involving sensitive and personal information to be certified under Cyber Essentials.
2. 10 Steps to Cyber Security
A publication produced jointly by the Government Communications Headquarters, the Department for Business, Innovation & Skills and Centre for the Protection of National Infrastructure. It discusses cyber security as one of the biggest challenges for business and the UK economy. It also offers guidance for businesses on how to make the UK’s networks more resilient and protect key information assets against cyber threats.
3. Resilience and Cyber Security of Technology in the Built Environment
This technical briefing from the Institution of Engineering and Technology examines the different sources of threats across the building lifecycle, from initial concept through to decommissioning. The briefing describes the 20 critical controls (maintained by the US information security training organisation SANS Institute) that address threats to intellectual property and commercial data, and to the design and operation of building systems. The IET’s more detailed 128-page Code of Practice on the topic is due in November.
4. Building Information Modelling (BIM): Addressing the Cyber Security Issues
The IET looks at the risks that are inherent in the adoption of the BIM model, in particular the need to address cyber security in the implementation of collaborative processes and systems.
As tempting as it is to have all aspects of one’s life on the internet, I think we really need to ask why? Do we really have to? I used to be an IT consultant and my clients would want the latest and greatest things and I would ask them “What do you (your business) really need?” Why get the latest, most powerful computer when you just type letters and do the odd spreadsheet? And what happens when someone else gets hold of your online life?
We are willingly jumping on to bandwagons that have consequences, so I think this article is very timely, especially in the wake of increasingly ambitious and high-profile hacks, i.e. security breaches. The industry should take a step back and reassess what it actually needs per project instead of just writing yet more IT requirements against cyber attack. Perhaps a practical mixture of physical processes interwoven with BIM/IT solutions with clear points of separation. Yes, let the gaoler jangle the keys whilst the BMS keeps him cool.
I do love the idea of BIM and not archaic paper-based site documents BUT, with BIM, we do seem to be handing it all over on one big plate.
The world of Matrix & Terminator is upon us.