Page 1: Security: best ways to protect your intellectual capital

BIM, Security and the Building Lifecycle – UK Security Expo 2017

Featured Project: Dubai International Airport | US $4.5B Value

Trusted by the world’s largest projects

Page 2: Agenda

• Introduction – Steve Cooper, Aconex
• BIM, Security & the Building Lifecycle – Steve Maddison, Ascentor
• Impacts of the GDPR – Phil Brown, Ascentor
• Aconex Response – Steve Cooper, Aconex
• Q&A – All

Page 3: Introduction

Steve Cooper, General Manager UK & Ireland, Aconex

Page 4: Information Security and the Building Lifecycle

Is information security relevant to construction and refurbishment projects?

Steve Maddison, Principal Consultant, Ascentor

[email protected]

Page 5: Presentation outline

Section 1: BIM and Information Security: What are the information security risks to implementing BIM?

Section 2: The Building Lifecycle: How do risks to information using BIM change during the building lifecycle?

Section 3: Managing BIM Information Security Risks: What basic measures can help manage information security risks?

Summary

Page 6: What is Building Information Modelling (BIM)?

BIM is not a single piece of software or model: it is a new way of information processing and collaboration for construction projects, with data embedded within a model.

BIM Level 2 was mandated for HMG projects by 2016.

BIM is for the lifetime of the building, not just the construction project.

Page 7: What types of information are generated?

• Diagrams: floor plans, layouts, locations, detailed photos (internal and external);
• Documents: proposals, technical options, finance details, contracts, management plans;
• Models: laser scan data, point clouds, 3D models;
• Metadata: construction elements – details of build specifications and composition;
• Specifications: schedules of products and capabilities.

Page 8: What are the risks?

The information on a building project can be highly sensitive. It can be critical to the delivery of the project and to the long-term support of the built asset.

3D models allow a virtual ‘walk through’ of the building that otherwise wouldn’t be available.

Information could be used by potential attackers to disrupt the project, plan physical attacks, support cyber attacks, threaten personnel or disrupt services.

Potential threats: terrorists, hackers (professional, amateur, political), criminal groups, state-sponsored groups, insiders.

Page 9: What could possibly go wrong?

What could happen?

• Inappropriate access to sensitive information (commercial, legal, personal, IP, security);
• Information is corrupted or incomplete;
• Information is not available when required.

And what are the consequences?

Project delays, cost increases and service disruption; the impacts could be legal, contractual, financial or reputational.

Page 10: Is information security necessary for BIM?

It depends on your viewpoint:

• Client – cares more about avoiding information exposure;
• Builder – focus is on avoiding cost and time overruns;
• Building operator – concentrates on service delivery to customers.

If you don’t think any of this applies to you – then why worry!

If it does apply, then why isn’t it built in already?

Page 11: Information risk and the building lifecycle

Stage 0 – Strategic definition
Stage 1 – Preparation and brief
Stage 2 – Concept and design
Stage 3 – Developed design
Stage 4 – Technical design
Stage 5 – Construction
Stage 6 – Handover and close out
Stage 7 – In use

[Diagram: arrow alongside the stages labelled “Increased Information Sharing”]

Page 12: In-use information security risks

BIM data is used to support maintenance activities. This leads to:

• Increased information dissemination;
• Increased access to 3D models and metadata;
• Increased data retention.

Building management system issues:

• Remote access support;
• Increased technical vulnerabilities – Internet of Things.

Page 13: BIM information is in many different places

[Diagram: Customer Information Systems, the CDE, Prime Contractor Information Systems and Staff Devices, Subcontractor Information Systems and Staff Devices (two subcontractors shown), and Cloud Support Systems, all connected via the Internet]

Page 14: Information security awareness and maturity

There is a general lack of awareness about information security in the construction industry:

• The level of awareness of information security tends to decrease down the supply chain;
• Tier 1 contractors are increasingly required contractually to manage risks both for themselves and down the supply chain.

Page 15: Information Security built-in

Information security should be part of the process from the outset.

Contracts should specify information security requirements:

• Non-functional security requirements;
• Employer information requirements;
• Security aspects letter.

Page 16: Know what information is important and what the risks to it are

• Identify and value sensitive information assets:
  – Know what it is and where it is;
  – Determine customer protection priorities.
• Identify and assess risks:
  – Determine if you have something to protect.
• Consider:
  – Who needs access to it and why;
  – Whether it needs to be accurate and complete;
  – What the availability requirements are.
• Have a governance structure:
  – Supplier and customer working together.

Page 17: Control information sharing

• Information assets that are valued and labelled support controlled sharing:
  – Common naming conventions and security gradings.
• Balance sharing information with managing access:
  – Have access controls within the CDE;
  – Manage all forms of data and information sharing.
• Roll down information security to supply chain companies:
  – Basic information security measures;
  – Monitor and manage information dissemination.

Page 18: Lessons learned

• Balance information protection and accessibility.
• Manage supply chain information security.
• Information security extends beyond the project for the life of the building.
• Need intelligent suppliers and customers.
• Use tools that protect information.

Guidance on Information Security for BIM:

• Centre for the Protection of the National Infrastructure: http://cpni.gov.uk/
• Institution of Engineering and Technology: http://theiet.org/

Page 19: Summary

• BIM is about sharing information in a controlled and secure way.
• Intelligent customer and intelligent supplier.
• Security needs to cover the entire lifecycle of the built asset.

This presentation was delivered to the UK Security Expo Conference on 30 Nov 2017.

Page 20: Impacts of the GDPR

GDPR and security

Phil Brown, Lead Consultant, Ascentor

[email protected]

Page 21: General Data Protection Regulation – Coming Soon!

Why working with Ascentor will set you apart

GDPR will be enforced across the EU on 25th May 2018. In the UK, it will replace the Data Protection Act 1998. In essence it impacts any business that does business with EU members, regardless of where the processing takes place.

Businesses will really need to know and understand:

1. what personal data they hold
2. where the data is being stored
3. the legal condition for processing the data
4. how they will respond to individuals exercising their rights
5. that the Regulation is not prescriptive: it sets out the expectations but does not define how businesses should act – a risk-based approach

Page 22: GDPR – the underlying 6 principles

The GDPR requires that personal data shall be:

1. processed fairly, lawfully and transparently
2. collected for specified, explicit and legitimate purposes
3. adequate, relevant and limited to what is necessary
4. accurate and, where necessary, kept up to date
5. kept for no longer than is necessary
6. processed in a manner that ensures appropriate security

[Diagram: People – Processes – Technology]

There is no ‘one size fits all’ solution, but one approach is to keep the ‘data subject’ foremost in your mind rather than fixating on the most convenient solution.

Page 23: Lawfulness of processing

Processing will only be lawful if one of the following conditions is met:

• the data subject gives consent for one or more specific purposes;
• it’s necessary to meet contractual obligations entered into by the data subject;
• it’s necessary to comply with legal obligations of the controller;
• it’s necessary to protect the vital interests of the data subject;
• it’s necessary for tasks in the public interest or exercise of authority vested in the controller;
• it’s for the purposes of legitimate interests pursued by the controller (there is a balancing test).

Page 24: General conditions for consent

The following conditions apply for consent to be valid:

• controllers must be able to demonstrate that consent was given, i.e. the need to keep records;
• written consent must be clear, intelligible and easily accessible, otherwise it’s not binding;
• ticking a box or choosing appropriate technical settings are valid methods;
• more controls apply to obtaining a child’s consent and for processing special categories of personal data.

Consent to processing data is not necessary where processing is for the performance of a contract, so should not be sought.

Page 25: The rights of data subjects

The controller shall provide any information relating to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.

The controller must facilitate the rights of data subjects; the most popular one is likely to be the ‘data subject access request’ (DSAR):

– time period reduced from 40 days to 1 calendar month;
– fees abolished (currently controllers can charge £10).

There are exceptions for excessive or vexatious requests – although the onus is on the data controller to prove this is the case.

Page 26: What we may expect with GDPR

In future, everyone can expect the business collecting personal data to remind or state:

• the period of time that the data will be stored;
• the right to rectification, erasure, restriction, objection;
• the right to data portability;
• the right to withdraw consent at any time;
• the right to lodge a complaint with a supervisory authority;
• the existence of automated decision-making, including profiling, as well as the anticipated consequences for the data subject;
• the outcome of the data subject’s failure to provide data.

Privacy notices will need to be well thought out!

Page 27: Use of the cloud for processing

Use of the cloud for storage or processing of data is very common, but specific conditions are in place for the moving, storing and processing of personal data. For these reasons, a business should consider:

• Where data will be stored or could be stored; if it’s outside the EU and certain listed countries then legal processes must be observed.
• The capability of the data processor after considering, inter alia, the following:
  – Terms and conditions being presented;
  – Proof of information security procedures;
  – Security of data in transit and at rest;
  – Staff access control restrictions;
  – Resilience to service failures/attacks;
  – Reliance on sub-processors to deliver services;
  – Ability to delete data or have it deleted upon request by the data controller.

Page 28: Aconex Response

Steve Cooper, General Manager UK & Ireland, Aconex

Page 29: Aconex Response

• GDPR – reviewing all processes, policies and systems across all regional/central functions:
  – Making changes where necessary;
  – Compliant by May 2018.
• Information security certifications:
  – All hosting environments ISO 27001 certified;
  – In addition, Aconex’s internal engineering, operations and support are also ISO 27001 certified;
  – Extending Cyber Essentials Plus (Q1 ’18).
• Investing multiple $millions in a ‘Gold Standard’ cyber-security-protected platform:
  – Commenced FedRAMP certification project in the USA;
  – Single Sign On (SSO) and 2 Factor Authentication (2FA) already released;
  – Incremental updates globally – hosting, hardware, operating system, databases, applications;
  – Last week moved UK hosting to a new platform with higher security headroom.

Page 30: Q&A with our panelists

Steve Cooper, General Manager UK & Ireland, Aconex
Steve Maddison, Principal Consultant, Ascentor
Phil Brown, Lead Consultant, Ascentor

Page 31: Learn more at aconex.com/Demo

Our thanks to Steve Cooper, Steve Maddison and Phil Brown, and to you for attending.