Build March Issue

Build Magazine 60 yber-crime is a growth industry; the crime statistics published by the Office for National Statistics for 2015 recorded 2.5 million cyber-crime offences . The vast majority of this crime wave is directed at attempts to defraud financial institutions or obtain information on their customers rather than focussed on the construction industry, however the cyber-attack on the US retail chain, Target, in December 2013 is said to have originated in the firms building control system and compromised an estimated 40 million credit and debit card accounts. The U.S. Department of Commerce recognised in 2011 that control systems used in buildings and industrial processes were adopting IT solutions to promote connectivity and in order to enable the systems to be remotely accessed, which in turn increased the vulnerability of those systems to cyber-attack . Industries which the state department identified as particularly prone to using centralised control to acquire data and control systems of dispersed assets included the utilities, oil and natural gas industry, the chemical and pharmaceutical industry, automotive and aerospace manufacturing and the food industry. The UK Centre for the Protection of National Infrastructure similarly identified a number of building types and infrastructure which could be threatened by hostile, malicious, fraudulent or criminal activities . In particular they recommended that owners of such facilities should, as a minimum, consider whether the following could be used to significantly compromise the integrity of the building, infrastructure or impair its ability to function: 1. The control systems in the building; 2. The permanent plant and machinery; 3. Structural design details; 4. Security and other control rooms; 5. Areas that house regulated substances (e.g. nuclear isotopes and bio-hazards) or information 6. The technical specification of security products and features The owner of such buildings/infrastructure should understand and routinely apply appropriate and proportionate security measures so as to deter or disrupt the threat of hostile, malicious, fraudulent or criminal activities. The Construction Industry Council’s BIM2050 team also identified the threat of cyber-attack in its report noting that “digital connected infrastructure and business systems are vulnerable to electronic terrorism and sabotage. Just because your information is secure now, it does not mean that it will be secure in the near future”. In their recommendations the BIM2050 team suggest “Organisations need to review their data residency, integrity strategies and agreements to proactively defend our digital and physical assets from cyber-attacks.” At BIM Level 2, where consultants produce models stored on their own servers with limited inter-operability or connectivity between their model and the models prepared and held by the other consultants, with one Project Information Model (“PIM”) held by the Employer, organisations need to consider the physical or geographical location of data and information, and develop strategies to maintain and assure the accuracy and consistency of that data over its entire life-cycle. However as the industry moves towards BIM Level 3 with integrated electronic information, fully automated connectivity and a web stored PIM, the idea of data residency becomes outdated. Information stored in the cloud is stored in different data bases often through chains of sub-contractors and in numerous geographical locations the tension between greater collaboration and connectivity that BIM encourages and cyber security which ideally would limit access to the BIM data and/or its connectivity with third parties becomes increasingly difficult to reconcile. Both the U.S. Department of Commerce and the UK Centre for Protection of National Infrastructure recommend any employer should be aware of the range of potential security issues which are applicable to its business, the infrastructure it uses and the buildings it occupies. If there is any uncertainty, the recommendation is that the employer should seek advice from appropriate security advisors. In the UK this would be a member of the Register of Security Engineers and Specialists. This advice should typically cover personnel, the Cybersecurity andBIM: What Issues areBeingOverlooked? By Matthew Needham-Laing, Partner at Stevens & Bolton LLP C