Cyber in Building Information Modelling
Amethyst’s Mark Chown believes all BIM environments need cyber safeguards
Building Information Modelling (BIM) and the increased digitisation of information relating to construction projects are now delivering increased efficiency and cost savings throughout building projects, from design to the on-going management of a facility.
The clear benefits of a holistic data set that is accessible, remains accurate, and on which the safe and secure operation of the facility is increasingly dependent introduce a growing need for cyber issues in BIM to be considered. The compromise of BIM systems or data, whether malicious or accidental, could facilitate an attack by criminals, hackers or terrorists, or put the safety of people at risk.
The relevance of cyber in BIM will naturally depend on the nature of the building project. For instance, a nuclear power facility will have a very different risk profile to a shopping centre, and I suggest that all BIM environments need cyber safeguards. The use of BIM across Government, and therefore on sensitive projects, will proliferate: in 2011 the UK Government set a target that by 2016 fully collaborative Building Information Modelling (BIM) would be used for all Government projects.
If the full benefits of BIM are to be realised, which include making accurate information readily available to those that need it, then the maintenance of security and at least two of the three pillars of information security (Integrity and Availability) will be relevant for all BIM instances. Confidentiality risks in the BIM environment may not always be a default aspect to be managed; however, where BIM information is considered sensitive, the protection of information will be a challenge in a project environment where there are typically multiple entities involved in the building lifecycle, using a multitude of systems to access, store and communicate BIM data.
To ensure that BIM continues to realise the benefits it can undoubtedly deliver, the cyber response must be equally effective and ingrained in BIM practice. Some evidence of progress can be seen in the limited reference in British Standard 1192-4:2014 to security considerations when using the construction information schema (COBie). As with all security approaches, the response should be holistic and include technical and non-technical measures, although the following measures may be seen as a priority in BIM:
Asset Classification – from the outset and throughout the life of a project, the sensitivity of BIM information and processes should be assessed and cyber effort prioritised based on the assessment.
Awareness – due to the multitude of agencies involved in a building project, it is essential that, where cyber is important, all of those involved understand what data and processes are sensitive and how they should be protected.
Access Controls – BIM information systems should be architected to allow sufficient accuracy in applying access controls to ensure that the ability to view and amend data can be controlled and regularly reviewed.
Resilience and Back-Ups – Ensuring the availability of BIM resources will become increasingly critical. Solutions should be implemented to ensure that service availability can be maintained to the level required in the event of a malicious, accidental or natural incident.
BS 1192-4:2014 Collaborative production of information. Part 4: Fulfilling employer’s information exchange requirements using COBie.