Cybersecurity assessment of BIM/CDE design environment using cyber assessment framework
Digitalisation of the construction industry is exposing it to cybersecurity risks. All phases of construction can be affected, and information-intensive phases such as building design and building operation are particularly vulnerable. Construction is among the last industries to discover its cybersecurity risks, so it can draw on frameworks developed for other contexts. In this paper, we evaluate the cybersecurity risks of the design phase of construction using the Cyber Assessment Framework from the National Cybersecurity Centre (NCSC) of the UK. The goal of this study is twofold: first, to examine the cybersecurity risks themselves, and second, to evaluate the applicability of the NCSC framework to construction and to see if and how construction is specific. The analysis shows that the cybersecurity risks follow the information impact curve that has been motivating the introduction of Building Information Modelling (BIM). The framework is applicable but is weak in addressing the specifics of the construction industrial ecosystem, which involves a multitude of dynamically connected actors, their overlapping authorities, and conflicting motives. It is suggested that a specialized construction-related framework should be developed.
Keywords: construction, designing, cybersecurity, building information modelling, common data environment, integrated project delivery
This work is licensed under a Creative Commons Attribution 4.0 International License.