5th November 2015.
Being security-minded is not about inhibiting collaboration, but instead adopting an appropriate, proportionate, need-to-know approach to the sharing and publication of data and information in order to deter and/or disrupt hostile, malicious, fraudulent and criminal behaviours and activities. Applied in the fields of architecture, construction and engineering, this approach enables the industry to deliver the trustworthiness, safety and security of digital built assets.
Adoption of Building Information Modelling (BIM) and increasing use of digital technologies in the design, construction and operation of buildings and infrastructure are transforming the way that architecture, construction and engineering industries work. Organisations within these industries are embracing the concept of collaborative working, not only through greater openness and transparency, but also through the sharing and use of detailed models and large amounts of digital information. These changes affect projects developing new assets or solutions, and those modifying or disposing of existing ones. They will also affect the long-term management of built assets where lifecycle management will evolve through the increasing capture and analysis of real-time use and condition data.
The business case for BIM is that these advances offer significant and exciting potential opportunities to asset owners and their supply chains to seek innovative solutions to deliver future fiscal, functional, sustainability and growth objectives. However, as a consequence of the increasing use of, and dependence on, information and communications technologies, vulnerability issues can arise. There is a need to be aware of these issues and to take appropriate and proportionate control measures to deliver the trustworthiness, safety and security of digital built assets.
The need for security-minded digital engineering was identified by the Centre for the Protection of National Infrastructure (CPNI – http://www.cpni.gov.uk). Working in collaboration with the BIM Task Group, it commissioned a specification for use by asset owners, applicable to any built asset or portfolio of assets where asset information is created, stored, processed and viewed in digital form. This document has now been published by the British Standards Institution (BSI) as PAS 1192-5:2015 (available for download from http://shop.bsigroup.com/pas1192-5). It is a companion document to PAS 1192-2, PAS 1192-3 and BS 1192-4.
The aim of PAS 1192-5 is to enable sharing of information in a security-minded fashion, without inhibiting the collaboration upon which both projects utilising digital technologies and asset management systems are centred. This is of particular importance where the misuse, loss, unintentional disclosure or theft of information could impact on the safety and security of:
- personnel and other occupants or users of the built asset or its services;
- the built asset itself;
- asset information; and/or
- the benefits the built assets exist to deliver.
It can also be applied to protect against the loss, theft or disclosure of valuable commercial information and intellectual property.
The need for a security-minded approach
Security operates at a number of levels, ranging from national security issues such as the prevention of terrorism, to tackling organised crime, handling privacy issues, and preserving the value, longevity and on-going use of built assets.
It is also important to understand that data aggregation can significantly increase the risks. This may arise from either accumulation (i.e. the volume of data that can be compromised) or association (i.e. the relationships between data sets that increase the sensitivity of any compromise), or from both. The key security concern arising from data aggregation is the potential to provide an external party with a greater understanding of the built asset and of the relationship of the individual assets within it to each other. For example, knowing the location of all security sensors and CCTV cameras protecting a built asset would enable a hostile party to assess overall coverage, whilst providing information on the performance and specification of the sensors and cameras would enable a detailed assessment of any system weaknesses.
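The accumulation and association effects described above can be made concrete with a small release check. The following is an added illustration, not code from PAS 1192-5 or CPNI: it assigns each information item an individual sensitivity level, then raises the aggregate level when related categories are combined (association) or when the volume of non-public items crosses a threshold (accumulation). The four-step sensitivity scale, the item categories, the association rules and the threshold are all constructed for the example; the sensor and CCTV pairing follows the illustration in the text.

```python
"""Aggregation-aware sensitivity check for built-asset information.

Added example illustrating accumulation and association; it is not code from
PAS 1192-5 or CPNI. The sensitivity scale, the item categories, the
association rules and the accumulation threshold are constructed.
"""

# Ordered sensitivity scale, least to most sensitive (constructed).
LEVELS = ["public", "restricted", "sensitive", "highly_sensitive"]


def rank(level: str) -> int:
    return LEVELS.index(level)


def higher(a: str, b: str) -> str:
    return a if rank(a) >= rank(b) else b


# Association rules (constructed): categories that are only 'restricted' on
# their own but, held together, reveal coverage and weaknesses, as in the
# sensor/CCTV example in the text.
ASSOCIATION_RULES = {
    frozenset({"cctv_locations", "cctv_specifications"}): "highly_sensitive",
    frozenset({"sensor_locations", "sensor_specifications"}): "highly_sensitive",
    frozenset({"floor_plans", "security_control_room_location"}): "sensitive",
}

# Accumulation rule (constructed): more than this many non-public items in a
# single release escalates the aggregate level by one step.
ACCUMULATION_THRESHOLD = 5


def aggregate_sensitivity(items):
    """items: iterable of (category, individual_level) pairs.

    Returns (aggregate_level, reasons); reasons lists each escalation that
    aggregation introduced beyond the most sensitive individual item.
    """
    items = list(items)
    level = "public"
    for _, item_level in items:
        level = higher(level, item_level)
    reasons = []
    present = {category for category, _ in items}
    # Association: relationships between data sets raise the sensitivity.
    for pair, pair_level in ASSOCIATION_RULES.items():
        if pair <= present and rank(pair_level) > rank(level):
            reasons.append(f"association {sorted(pair)} -> {pair_level}")
            level = pair_level
    # Accumulation: sheer volume of non-public data raises the sensitivity.
    non_public = sum(1 for _, lvl in items if rank(lvl) >= rank("restricted"))
    if non_public > ACCUMULATION_THRESHOLD and rank(level) < len(LEVELS) - 1:
        level = LEVELS[rank(level) + 1]
        reasons.append(f"accumulation of {non_public} non-public items -> {level}")
    return level, reasons


def may_release(items, recipient_clearance: str) -> bool:
    """Need-to-know check: release only when the recipient's clearance covers
    the aggregate sensitivity, not merely each item's individual level."""
    level, _ = aggregate_sensitivity(items)
    return rank(recipient_clearance) >= rank(level)


if __name__ == "__main__":
    # Constructed release: two individually 'restricted' items that together
    # describe both where the cameras are and how well they perform.
    release = [("cctv_locations", "restricted"), ("cctv_specifications", "restricted")]
    print(aggregate_sensitivity(release))
    print("release to 'restricted' recipient:", may_release(release, "restricted"))
```

The point the check makes is that a per-item classification is not enough: the recipient's need-to-know has to be assessed against what the combined set of items reveals.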
Adopting a security-minded approach
PAS 1192-5 may be applied to:
- any built asset or portfolio of assets that, either as a whole or in part, is sensitive; and
- any asset data or information which could be used to significantly compromise the integrity of the asset or its ability to function.
A built asset may constitute a building, multiple buildings, a campus or built infrastructure. It may also comprise a portfolio or network of assets, and can include associated land or water, for example, the catchment area for a water company or the navigation channels for a dock. The process detailed in PAS 1192-5 is flexible and can be used on a wide range of built assets. It is applicable both to projects involving new assets and to those involving changes to existing assets.
Whilst not all assets will be sensitive or have sensitive aspects, it may be advantageous for a wider set of organisations to consider whether there could be business benefits to be derived from adopting a security-minded approach.
The processes set out in PAS 1192-5, shown in Figure 1, enable the adoption of a security-minded approach, which will assist an asset owner, and its supply chain, to reduce the risk of the misuse, loss, unintentional disclosure or theft of information.
Figure 1 – Summary of the PAS 1192-5 process © Crown copyright 2015
An integrated and strategic approach
To be truly effective, security should be embedded into organisations at both the strategic and operational levels of the business. The breakdown of security tasks by project stages in the NBS BIM Toolkit is designed to enable this. However, it is important to recognise that whilst the overall security of an asset is the responsibility of the asset owner, the entire supply chain has a role to play and needs to adopt a security-minded approach.
This integrated approach to security is illustrated in Figure 2. It shows how security needs should be integrated with other organisational policies, strategies and plans, and vitally, with the longer-term asset management requirements of the built asset or assets. Figure 2 also demonstrates how security requirements should influence the formation and delivery of a project that utilises BIM.
When constructing a new asset it is not advisable to postpone the adoption of a security-minded approach, as the later in the asset’s lifecycle the initial assessment is undertaken, the greater the risk that sensitive information may have already been distributed too widely or found its way onto the Internet. Once this has happened it is virtually impossible to delete, destroy, remove or secure all copies of that which has been released, and this will need to be taken into account when undertaking the risk assessment process. It is also cheaper to introduce security measures at the outset as retrofitting solutions is more costly.
Figure 2 – Integration of the security-minded approach. This figure appeared in PAS 1192-5 and is reproduced with kind permission of BSI
Assessing extent of security-minded approach required
Once the decision has been taken to create a new built asset, or to review an existing one, there is a need to understand the security sensitivity of the built asset and asset-related information. PAS 1192-5 advocates a security triage process to assess whether the built asset is sensitive as a whole, or in part, and also to consider any sensitivity regarding neighbouring assets. Based on the outcome from the triage process it may be necessary to implement the security processes provided as part of the NBS BIM Toolkit.
However, where the triage process does not indicate a need for implementation of more than baseline security measures (i.e. those personnel, physical and cyber security measures relating to personal and commercial information which are contractually required), the asset owner may consider that business benefits will be derived from applying a security-minded approach to the management of the built asset and asset information. In any case it is prudent that asset owners take appropriate and proportionate steps to minimise risks associated with fraud and other criminal activity.
Managing security risks
A first step in developing a security-minded approach is the identification and analysis of the risks affecting the built asset, and taking decisions on how these will be managed. The risk management process, which is shown in Figure 3, can be divided into three key stages: risk assessment; risk mitigation; and review.
Figure 3 - The built asset risk management strategy. This figure appeared in PAS 1192-5 and is reproduced with kind permission of BSI
The risk assessment must consider the potential threats and vulnerabilities in combination with an assessment of the nature of the harm which could be caused. The likelihood that a threat is able to exploit the vulnerabilities to cause harm, along with the severity of the potential outcome should this occur, determines the risk of that particular type of incident.
In the built environment, key security issues relate to: hostile reconnaissance of the asset or its users; malicious acts (such as damage caused by malware, hackers or disaffected personnel); and loss or disclosure of intellectual property, commercially sensitive information and personally identifiable information. These issues are examples of threats, which should be considered as part of the risk assessment process. The relative importance of each will depend on the nature of the asset and the environmental, social, economic or political issues related to it.
Vulnerabilities can arise around the aspects of people and business process, as well as physical and technical aspects of security, either individually or in combination. It is therefore important that such vulnerabilities are fully understood and action taken to remove or minimise them, or where neither is possible, to manage the resultant risks.
The harm that may be caused to an organisation or an asset from a vulnerability combined with a relevant threat could be physical, financial, economic or reputational. From a cyber-security perspective, there is a risk that a breach could result in data or information being compromised, disclosed, copied, transmitted, accessed, stolen or used by unauthorised individuals. Further, an incident is likely to lead to the diversion of resources to handle investigation, resolution and media activities, as well as disruption of, and delay to, day-to-day operational activities. It also has the potential to impact on an organisation’s future opportunities.
An organisation can either decide to accept each of the identified risks on an individual basis, or, as is more likely to be the case for the majority of risks, will need to go through the process of identifying possible mitigation measures. In deciding whether a potential measure is proportionate to the risk it is intended to manage, it will be necessary to assess:
- the cost of the measure and its implementation;
- the achievable risk reduction;
- the potential cost saving;
- the measure’s impact on the asset usability, efficiency and appearance;
- the potential for the measure to create further vulnerabilities; and
- whether the measure delivers any other business benefits, for example, reduction in overall business risk and ensuring the value of assets and information.
Through conducting this exercise it is possible to assemble a portfolio of mitigation measures which are pragmatic, appropriate, cost effective and commensurate with the organisation’s risk appetite.
To maintain its relevance and validity, the risk management process cannot be static. A programme of monitoring which assesses the effectiveness of the risk mitigation measures in place as the project moves through its lifecycle is therefore required. The monitoring process should identify and evaluate any new risks that impact on assets and/or asset information, and revisit those which have changed for political, economic, social, technological, legal or environmental reasons.
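The three stages described in this section (risk assessment from likelihood and severity, selection of proportionate mitigation measures against the six criteria listed above, and periodic review) can be worked through as a small risk register. The following is an added example and is not part of PAS 1192-5: the 1-to-5 scoring scales, the threat and measure data, the monetary value placed on each risk point and the risk-appetite threshold are all constructed for the illustration, and an asset owner would substitute its own scales and figures.

```python
"""Risk register sketch following the assess / mitigate / review stages.

Added example, not from PAS 1192-5. Scales, data, value_per_point and the
risk-appetite threshold are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) to 5 (almost certain); constructed scale
    severity: int    # 1 (negligible) to 5 (catastrophic); constructed scale

    @property
    def score(self) -> int:
        # Risk of an incident type = likelihood of exploitation x severity of outcome
        return self.likelihood * self.severity


@dataclass(frozen=True)
class Measure:
    name: str
    cost: float                  # cost of the measure and its implementation
    residual_likelihood: int     # likelihood once the measure is in place
    residual_severity: int       # severity once the measure is in place
    usability_impact: int        # 0 (none) to 3 (severe) impact on asset usability
    creates_vulnerability: bool  # would the measure open a new weakness?
    other_benefits: float = 0.0  # value of any other business benefit


def residual_score(measure: Measure) -> int:
    return measure.residual_likelihood * measure.residual_severity


def is_proportionate(risk: Risk, measure: Measure, value_per_point: float,
                     max_usability_impact: int = 2) -> bool:
    """Apply the six proportionality criteria from the list above."""
    if measure.creates_vulnerability:          # creates further vulnerabilities
        return False
    if measure.usability_impact > max_usability_impact:  # impact on usability
        return False
    reduction = risk.score - residual_score(measure)     # achievable risk reduction
    if reduction <= 0:
        return False
    # Potential cost saving (avoided loss, valued per risk point; constructed)
    # plus other business benefits must justify the cost of the measure.
    return reduction * value_per_point + measure.other_benefits >= measure.cost


def select_measures(risks, candidates, risk_appetite: int, value_per_point: float):
    """Accept risks within appetite; otherwise pick the cheapest proportionate
    measure that brings the residual risk within appetite, or flag the risk."""
    plan = {}
    for risk in risks:
        if risk.score <= risk_appetite:
            plan[risk.name] = ("accept", None, risk.score)
            continue
        options = [m for m in candidates.get(risk.name, [])
                   if is_proportionate(risk, m, value_per_point)
                   and residual_score(m) <= risk_appetite]
        if options:
            best = min(options, key=lambda m: m.cost)
            plan[risk.name] = ("mitigate", best.name, residual_score(best))
        else:
            plan[risk.name] = ("escalate", None, risk.score)
    return plan


def review(risks, changes, candidates, risk_appetite: int, value_per_point: float):
    """Review stage: re-score risks whose likelihood or severity has changed
    (for political, economic, social, technological, legal or environmental
    reasons) and rebuild the plan. changes maps name -> (likelihood, severity)."""
    updated = [Risk(r.name, *changes[r.name]) if r.name in changes else r for r in risks]
    return updated, select_measures(updated, candidates, risk_appetite, value_per_point)


# Constructed register for a notional project.
RISK_APPETITE = 6
VALUE_PER_POINT = 5000.0
RISKS = [
    Risk("hostile reconnaissance via shared sensor layouts", 4, 4),
    Risk("malware on the common data environment", 3, 4),
    Risk("disclosure of intellectual property", 2, 2),
]
CANDIDATES = {
    RISKS[0].name: [
        Measure("need-to-know access control on shared models", 20000, 2, 4, 1, False),
        Measure("redact sensor locations from shared models", 15000, 1, 4, 1, False),
        Measure("isolate the whole project network", 200000, 1, 3, 3, False),
    ],
    RISKS[1].name: [
        Measure("signature antivirus only", 2000, 2, 4, 0, False),
        Measure("endpoint hardening and patching", 10000, 1, 4, 0, False),
    ],
}

if __name__ == "__main__":
    for name, decision in select_measures(RISKS, CANDIDATES, RISK_APPETITE, VALUE_PER_POINT).items():
        print(f"{name}: {decision}")
```

Two of the listed criteria act as hard exclusions here (a measure that creates a further vulnerability, or whose usability impact is unacceptable, is never chosen), while the cost, risk-reduction and benefit criteria are weighed against each other; the review function shows why the register cannot be static, since a change in likelihood can move a previously accepted risk outside the appetite.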
Built Asset Security Strategy and Management Plans
Once the risk management process has been undertaken, and the need for a security-minded approach for the built asset assessed, the analysis and decisions should be recorded in a Built Asset Security Strategy (BASS). This will be a high level document similar to the asset owner’s other strategic policies and plans. It is the basis from which all other security management and information requirements should flow.
Following on from the development of the BASS, the asset owner should create a Built Asset Security Management Plan (BASMP). This sits underneath the BASS and serves to ensure that the risks or combinations of risks identified are addressed in a consistent and holistic manner. To do so it will need to contain a number of key elements and, importantly, must bridge four areas - people, business process, physical and technological security.
As is demonstrated in the example shown in Figure 4, which shows the interaction of security aspects to provide access control to a building, only through the implementation and operation of appropriate measures addressing all four aspects can physical access to an entire site, or a particular area of it, be assured.
Figure 4 - Example of interaction of security aspects to provide access control to a building. This figure appeared in PAS 1192-5 and is reproduced with kind permission of BSI.
People need to be aware of, and understand, the security policies in place. Alongside this, the security processes and measures, be they physical or technological, need to be effective and efficient. Without any one of these elements the effectiveness of the overall security regime will be reduced and there is real risk that the measures in place will be ignored or circumvented.
The BASMP will contain a suite of policies derived from the BASS, setting out the security-related business rules for the management of risk. Each policy will need to be supported by processes that allow it to be implemented consistently throughout the supply chain, and procedures comprising the detailed works instructions for their operational delivery.
In addition, the BASMP will need to include:
- the project logistical security requirements such as the protection around the design offices, depots and construction site;
- the process and procedures for the provision of information to third parties;
- requirements for data and information storage;
- monitoring, auditing and review arrangements;
- a plan for handling security breaches and incidents; and
- an outline of the contractual measures to ensure the adoption of the security-minded approach throughout the supply chain.
Where a project is planned, the BASS and BASMP should, along with the organisation’s other policies, strategies and plans, contribute to the development of the project’s strategic business case and strategic brief. It is essential that if they have not already been completed, they are produced during the Strategic Definition stage of a project so as to properly inform its development.
The Built Asset Security Information Requirements (BASIR) is intended to capture and collate relevant requirements set out in the BASMP. It will inform the development of the Asset Information Requirements (AIR) and the Employer’s Information Requirements (EIR). Its purpose is to ensure that the secure capture, handling, dissemination, storage, access and use of information in relation to sensitive assets and systems, are delivered. This document will also be used to convey these requirements to the supply chain where the security variant of the BIM Protocol is used, thus enabling them to be contractually enforced.
The BASIR should also, by informing the development of the AIR, be used to determine the set-up of asset management databases which need to be ready on completion of a project, and influence the on-going management of databases, to ensure that the security of information is maintained throughout the asset’s operational life.
Continuing good security throughout the lifetime of the asset can only be assured if appropriate and proportionate monitoring and auditing procedures are introduced and, vitally, maintained. This should allow any inconsistencies or issues of non-compliance to be identified and where necessary, amendments to be made to policies, processes and procedures. It will also be essential to monitor and assess changing risks and, where these impact on the built asset in question, ensure that the appropriate actions are cascaded down through the BASS to the BASMP and BASIR.
Should a security breach or incident (including near-misses) occur, it will be important that once a resolution has been reached, a formal evaluation of its handling is undertaken to understand the cause, assess the effectiveness of the response, and determine whether any existing measures need to be altered or new measures introduced. Again, any changes will need to be reflected through the suite of built asset security documentation.
PAS 1192-5 covers the processes required for the full spectrum of security need, from the most sensitive assets to the least sensitive, where no more than the baseline security measures relating to personal and commercial information are legally and contractually required. To support the use of the PAS, CPNI has published a set of security-related Plain Language Questions (PLQs), aligned with the security tasks available on this website, that can be used in conjunction with the BIM Toolkit.
Figure 5 – Security tasks and corresponding Plain Language Questions within the BIM Toolkit.
Additional supporting guidance is also being developed including templates and more specific sector and topic guidance, which will be released by CPNI over the course of the next few months.
Effective security is good for all organisations – and embedding it can give competitive advantages to commercial enterprises, both in the construction market and beyond. By employing the processes set out in PAS 1192-5, commercial enterprises can protect key assets and maintain the trust of customers and stakeholders. By reducing the risk of reputational damage, and the diversion of resource that would result from a security breach, they also protect that trust over the longer term. This is particularly important for enterprises competing in the international construction market, where good security can deliver real competitive advantage.