Building confidence in cybersecurity

Editorial Type: Opinion Date: 2017-09-01 Tags: CAD, Construction, Security, Aconex
Steve Cooper at Aconex outlines the case for greater awareness of cybersecurity in construction
With the WannaCry cyberattack capturing headlines around the world this year, the question of cybersecurity has been brought to the table for organisations large and small across many different sectors. As the world reels from the attack, lots of companies have bolstered their cyber defences after the incident. This can only be a good thing for data protection. For construction, an industry racing towards digitisation, WannaCry is a reminder and an opportunity to start getting our house in order too.

If we're going to talk about data protection, let's start with data itself. Construction is undertaking significant progress towards the digitisation of its processes. Building information modelling (BIM) is one of the main drivers in the industry today: the process is data-driven and can include huge amounts of information in multidimensional models. BIM is being embraced in many infrastructure projects, too, putting the process under the spotlight in many public projects that are crucial to government and the general public.

Data management is very much a part of the way the industry now works. Common Data Environments (CDEs) are a single source of information used to collect, manage and share documentation, the graphical model and non-graphical data for the whole project team. They include all the project information about a built asset created in a BIM environment. This single source of information lets companies work in a collaborative environment across project teams, helping to avoid mistakes and improving productivity.

But data protection is a concern that the construction industry still needs to address urgently. Recent reports reveal the sector to be falling behind other parts of the economy with regard to cybersecurity. The UK government's Cyber Security Breaches Survey 2017 suggests senior manager involvement in cybersecurity issues is lacking among construction firms. While 67% of senior managers in construction view cybersecurity as a high priority, this doesn't compare well to senior managers in finance or insurance (90%) and professional, scientific or technical firms (86%). Furthermore, 41% of senior managers in construction never update management on potential concerns.

The potential for data security incidents to cause damage is great. When information from several project partners across the supply chain comes together, it becomes increasingly sensitive and must be safeguarded. There is a risk of crucial data falling into the wrong hands. This could be information about the inner workings of a system, perhaps the layout of a building and its materials. The changing nature of cybercrime threatens construction firms and consultants directly: a ransomware attack that prevents access to critical data or applications could be seriously disruptive to a construction team. Indeed, with the rise in digitisation comes an increase in sensitive asset data.

Many construction firms and consultants do recognise the issues involved and are seeking to build better data protection measures within their operations. Complying with current and unfolding security standards poses both a challenge and an opportunity to modernise and update a construction firm's cybersecurity.

ISO27001 certification is the highest international standard for information security management, helping to define how information is handled and protected, including archiving, transfer, storage and processing. Beyond ISO27001, however, the digitisation trend in construction is demanding even more from a construction firm or consultant, with governments and international public policy calling for better cybersecurity.

Governments are requiring suppliers of construction and building services to meet much more stringent cybersecurity standards. Take, for instance, the Federal Risk and Authorization Management Program (FedRAMP) in the US and the Information Security Registered Assessors Program (IRAP) in Australia. These standards are applicable to asset owners, general contractors, engineering, procurement and construction (EPC) firms, and project managers working in the design and construction of government infrastructure projects.

Steps are being taken in the UK, too, such as the 14 Cloud Security Principles. Furthermore, the UK government is working with industry to help provide advice and guidance in data protection. PAS1192-5 is a set of recommendations for government and its suppliers which provide protection for critical information being shared within project and asset supply chains.

One major pressure to tighten up on cybersecurity is the new Data Protection Bill, which will take the European Union's General Data Protection Regulation (GDPR) into UK law. When GDPR comes into force in May 2018, all organisations operating within Europe will be required to amend their existing privacy notices and terms. Data breaches have to be reported to regulators within 72 hours, or businesses could face fines of up to £17m or 4 per cent of global annual turnover. With the construction industry becoming more digitised, GDPR calls to attention the growing risk and potential impact surrounding the data that companies hold.

PUTTING IT INTO PRACTICE
Save for the aftermath of high-profile and devastating incidents like WannaCry, cybersecurity might not always feel like a priority. Systems in use throughout the construction industry may appear to be secure at first glance. From secure servers to distributing password protected documents to authorised recipients, it's often easy to think that nothing can go wrong. But there are varying degrees of protection, and cyber adversaries are becoming more intelligent - they will find and exploit a loophole in any system.

Part of implementing cybersecurity is about building a better cybersecurity culture. Organisations are sometimes not careful about how they are protecting their information and the role it plays in a bigger picture. At the least, employees of any firm can be encouraged to take awareness and best practice courses in all aspects of security. Meanwhile, asset owners and their supply chains should be conscious of the level of detail they include in models themselves. Project teams have to be more selective about the information in their models, ensuring that virtual assets are less vulnerable to security breaches and unauthorised data access.

Beyond education, companies that hold sensitive information can put in place controls and measures to provide confidence to customers and users on project teams. They can introduce highly secure systems of transmission, requiring every transaction to have multiple levels of security: this could include secure socket layer encryption, encryption at rest and two-factor authentication, which works using unique, randomly generated codes.

For companies with a BYOD (Bring Your Own Device) policy, communication between these devices and servers should still be encrypted to the same degree, and device owners should only see what they are authorised to see.

Cloud technology has a central role to play in bolstering cyber defences. Some cloud-based platforms and providers facilitate compliance with higher cybersecurity standards and thus enable secure collaboration: they manage access to the sensitive data shared between owners, contractors, design teams and subcontractors. Private spaces in a multi-tenant cloud architecture mean that every individual company on a project has its own area, akin to having its own server, and clients can be reassured that their information is protected from unauthorised access.

With cybersecurity challenges evolving at an alarming rate, asset owners and their project teams also benefit from cloud vendors' continuous review of best practices and investment. Cloud-based solutions can encourage change in compliance, governance and data protection, giving confidence both to authorities and to customers.

Data is at the heart of construction today. With an abundance of information, the UK industry has done well to set a standard globally for how BIM practices can work successfully. Construction firms now have a responsibility to secure their own data, and build confidence with customers and extended supply chains. Firms holding any kind of sensitive information must recognise both the power and the responsibility that comes with that information. While the cyber-threat landscape changes rapidly, data protection must never falter.