Building Information Management (BIM) and the Cyber Security implications

24 September 2019


What is BIM?

Why does BIM represent a cyber security risk?

Building information modelling (BIM) is a process which enables the digital mapping of the layout and functional characteristics of a building using 3D computer technology. Supported by various tools and technologies, it creates and manages information on a construction project across the project lifecycle.

BIM relies on inputs from numerous designers and contractors, either working on their own models which are then consolidated or all working on the same model which is accessed and adapted by the various parties.

It allows for fully automated connectivity between the numerous parties involved in a construction project and relies on web-stored information to facilitate this access, with a central repository for the storage and sharing of the requisite data. A single central repository carries several risks: it can increase the likelihood of accidental sharing of commercially sensitive information and intellectual property and, because numerous parties have access, the integrity and availability of the information could also be at risk. BIM might also increase the risk of data manipulation and sabotage.

Any web-based platform is susceptible to being infiltrated and manipulated or destroyed by a third party, but the increased risk from BIM is that everyone is working on a single integrated model and therefore requires similar levels of read/write access. This means there is a risk not only from external agents, but also from the numerous internal agents who may have malicious intent to abuse their privileges for their own gain.

In terms of external threats, the information held on BIM might be of interest for reconnaissance of the building for criminal purposes or may simply become a target for online criminals looking for commercial gain by exploiting intellectual property or holding information to ransom. Competitors may also seek to gain access to steal intellectual property or leak commercially sensitive or confidential information. They may also want to sabotage the project by delaying or preventing the building's progression.

As the BIM is intended to last the whole of the asset’s lifecycle, it will need to contain more detailed information concerning the location and properties of sensitive assets or systems within the building. This might include the security of a built asset, including the physical access or the security systems configuration such as keyless door entry or CCTV.

Less sensitive security systems could have access to detailed information about the building management system, which can be used to control heating and lighting, and provide the ability to disrupt the use of the building significantly.

Top tips for securing your BIM

•    It is important to include appropriate provisions in contracts and the BIM protocol to require all parties to take the necessary steps to mitigate the risk of cybercrime

•    Depending on the level of sensitivity, implement restricted access to the model to limit the ability of certain parties to access specific parts of the model which are not necessary for their role. This will not eliminate the risk of unauthorised access, but might limit the scope of access by specific entry methods. Alternatively, access rights or sharing rights should be appropriately restrained to specified parties

•    Multi-factor authentication, whereby access is only granted following two or more authentication steps, should be encouraged to reduce the risk of unauthorised third-party access

•    Ensure proper password protocols are implemented. Users should be required to use strong passwords and to change them at regular intervals

•    Depending on the parties involved, it may also be possible to restrict access further using location-based technology or internet protocol (IP) access control.
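How the role-based restriction, multi-factor and IP access control tips above can combine into a single deny-by-default access decision, as an added example that is not part of the original article. The role names, model sections and network ranges are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy: model sections each project role may read ("r") or write ("w").
ROLE_SCOPES = {
    "architect": {"structure": "rw", "mep": "r"},
    "mep_contractor": {"structure": "r", "mep": "rw"},
    "security_consultant": {"structure": "r", "security_systems": "rw"},
}
# Constructed per-role network allow-list (documentation address ranges).
ROLE_NETWORKS = {
    "architect": ["192.0.2.0/24"],
    "mep_contractor": ["198.51.100.0/24"],
    "security_consultant": ["203.0.113.0/28"],
}

@dataclass
class Request:
    role: str
    section: str
    action: str  # "r" or "w"
    source_ip: str
    mfa_passed: bool

def decide(req):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if req.action not in ("r", "w"):
        return False, "unknown_action"
    if not req.mfa_passed:
        return False, "mfa_required"
    try:
        addr = ip_address(req.source_ip)
    except ValueError:
        return False, "invalid_source_ip"
    networks = ROLE_NETWORKS.get(req.role, [])
    if not any(addr in ip_network(n) for n in networks):
        return False, "source_ip_not_allowed"
    granted = ROLE_SCOPES.get(req.role, {}).get(req.section, "")
    if req.action not in granted:
        return False, "section_not_in_role_scope"
    return True, "ok"

if __name__ == "__main__":
    # A contractor asking for the security systems layer is refused.
    print(decide(Request("mep_contractor", "security_systems", "r",
                         "198.51.100.7", True)))
```

The reason string returned with each denial can be written to an audit log, so repeated out-of-scope or off-network requests stand out as unexpected activity.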

Additional security controls to identify any unexpected or suspicious activity include:

  • User training, education and awareness - staff should understand their role in keeping your organisation secure and report any unusual activity
  • Security incident management - put plans in place to deal with an attack, as an effective response will reduce the impact on your business.

Remember: Doing nothing is no longer an option. Protect your organisation and your reputation by establishing and maintaining cyber defences.

Find out how Amethyst can help your company (whatever its size) and staff by contacting us today.