According to the McKinsey Group, the US construction industry lags behind just about every other industry sector (apart from agriculture and hunting) in realizing its digital potential. However, any digital transformation will not only require adoption of new technologies, but also a robust approach to cyber-security as data becomes more pervasive in the built asset delivery process.
Within the living memory of many people still working in the AEC sector, we mostly exchanged information by paper–a useful medium for sharing written and graphical information. So long as we were careful about who we gave it to, it was generally fairly secure – if a little slow and costly.
We could insist on signatures when documents or drawings were delivered; we took care where we filed paperwork; and we were usually careful to lock our filing cabinets, offices and buildings so that information or intellectual property rarely got lost, stolen, or destroyed.
We will need to protect information created during delivery of a new built asset, and protect the data created by the people and systems in and around that asset.
As technology has advanced, we’re increasingly sharing information electronically through emails, Word documents, and PDFs. It’s become much easier, quicker, and cheaper to share information. Sometimes it’s a little too easy: emails can get sent to the wrong person, or we send the wrong attachment, or we CC the wrong people, for example. Along with easy mistakes, we have to now be vigilant about security: guarding against software viruses, “phishing”, hacking, and theft or loss of devices, while also continuing to track, store, and protect our communications and IP.
But there’s a solution.
Of course, online collaboration or information management systems can help mitigate some of these problems. Having a single, secure repository of the latest project information that can only be accessed by authorized users with valid credentials will reduce some causes of “email overload.” They can promote good levels of information transparency, trust and collaboration, while also providing version control and a vital audit trail of who did what and when. And, in many cases, SaaS (Software-as-a-Service) specialists provide a more secure, reliable, resilient, and robust hosting regime than most construction firms’ in-house IT teams.
However, the next stages in the digital transformation of the AEC sector are set to make information management more challenging from a security point of view.
From BIM to BASM
BIM (Building information modeling) is gradually becoming more and more common in several of the developed construction markets around the world. For many businesses, BIM use remains quite basic, expediting the production of design deliverables that are still shared as 2D deliverables: drawings, window or door schedules, for example.
But as they begin to share and to combine or ‘federate’ data-rich 3D, 4D (time), and 5D (cost) models, project teams will need to heighten their cyber-security regimes.
What security measures will we need in the future? We can guess.
A shared 3D model may expose intellectual property to competitors. A fly-through visualization of a new building could share sensitive information about the building’s design–key structural components, locations of key building services, placement of CCTV or other security equipment, for example.
Shared 4D models might expose periods when assets could be susceptible to sabotage or sites could be vulnerable to thieves, while a 5D model could reveal commercially sensitive pricing information to competitors.
Not surprisingly, such risks are being taken very seriously, particularly for sensitive or potentially sensitive built assets. In the UK, for example, alongside the various BIM standards, guides and protocols relating to design, construction, and future asset management, a “Specification for security-minded building information modeling, digital built environment and smart asset management” (PAS1192-5), has been published by the British Standards Institute and the Centre for Protection of National Infrastructure. This is intended to help teams identify and guard against risks including:
- Hostile reconnaissance
- Malicious acts
- Loss or disclosure of intellectual property
- Loss or disclosure of commercially sensitive information
- Release of personally identifiable information
And the already abbreviation-heavy glossary of BIM terms now includes BASM–built asset security management–as an emerging discipline. A BAS manager will help project teams and asset owners develop a built asset security strategy (BASS) and management plan (BASMP).
People can be our greatest asset, but also our weakest link.
Such measures will become more important in an increasingly connected world. We will need to protect information created during delivery of a new built asset, and–just as importantly, and depending on the asset’s sensitivity–protect some or all of the data created by the people and systems in and around that asset, and in any connected assets or infrastructure.
At the people level, precautions might include limiting information access to certain people (again, this is something that sophisticated collaboration platforms do well: restricting access to certain files, models, or data to people with defined responsibilities), or using forms of authentication such as logins or keys.
Raising awareness and training will also be important, as old working practices may need to be amended and data vulnerabilities addressed. Often the weak link will not be the software or hardware, but the people that use them (users noting passwords and PINs on Post-It notes next to their computers, for example), and, as risks can never be completely eliminated, organizations will need to plan from the outset how they will respond to security breaches affecting their built asset information.