Cybersecurity assessment of BIM/CDE design environment using cyber assessment framework

Žiga Turk, Muammer Semih Sonkor, Robert Klinc


Digitalisation of the construction industry is exposing it to cybersecurity risks. All phases of construction can be affected; particularly vulnerable are the information-intensive phases such as building design and building operation. Construction is among the last industries to discover its cybersecurity risks, and it can draw on frameworks developed for other contexts. In this paper, we evaluate the cybersecurity risks of the design phase of construction using the Cyber Assessment Framework of the UK National Cyber Security Centre (NCSC). The goal of this study is twofold: first, to examine the cybersecurity risks themselves, and second, to evaluate the applicability of the NCSC framework to construction in order to see if and how construction is specific. The analysis shows that the cybersecurity risks follow the information impact curve that has been motivating the introduction of Building Information Modelling (BIM). The framework is applicable but is weak in addressing the specifics of the construction industrial ecosystem, which involves a multitude of dynamically connected actors, their overlapping authorities, and conflicting motives. It is suggested that a specialized construction-related framework should be developed.

Keywords: construction, designing, cybersecurity, building information modelling, common data environment, integrated project delivery

How to Cite
Turk, Žiga, Sonkor, M. S., & Klinc, R. (2022). Cybersecurity assessment of BIM/CDE design environment using cyber assessment framework. Journal of Civil Engineering and Management, 28(5), 349–364.
Published in Issue
May 3, 2022

This work is licensed under a Creative Commons Attribution 4.0 International License.
