BIM, Security and the Building Lifecycle – UK Security Expo 2017
Featured Project:
Dubai International Airport | US $4.5B Value
Trusted by the world’s largest projects
Security: Best ways to protect your intellectual capital
Agenda
• Introduction – Steve Cooper, Aconex
• BIM, Security & the Building Lifecycle – Steve Maddison, Ascentor
• Impacts of the GDPR – Phil Brown, Ascentor
• Aconex Response – Steve Cooper, Aconex
• Q&A – All
Introduction
Steve Cooper, General Manager UK & Ireland, Aconex
Is information security relevant to construction and refurbishment projects?
Information Security and the Building Lifecycle
Steve Maddison, Principal Consultant, Ascentor
Steve.maddison@ascentor.co.uk
Presentation outline
Section 1: BIM and Information Security: What are the information security risks to implementing BIM?
Section 2: The Building Lifecycle: How do risks to information using BIM change during the building lifecycle?
Section 3: Managing BIM Information Security Risks: What basic measures can help manage information security risks?
Summary
What is Building Information Modelling (BIM)?
BIM is not a single piece of software or model: it is a new way of information processing and collaboration for construction projects, with data embedded within a model.
BIM Level 2 mandated for HMG projects by 2016.
BIM is for the lifetime of the building, not the construction project.
What types of information are generated?
• Diagrams: floor plans, layouts, locations, detailed photos (internal and external);
• Documents: proposals, technical options, finance details, contracts, management plans;
• Models: laser scan data, point clouds, 3D models;
• Meta data: construction elements – details of build specifications and composition;
• Specifications: schedules of products and capabilities.
What are the risks?
The information on a building project can be highly sensitive.
It can be critical to the delivery of the project and long term support of the built asset.
3D models allow a virtual ‘walk through’ of the building that otherwise wouldn’t be available.
Information could be used by potential attackers to disrupt the project, plan physical attacks, support cyber attacks, threaten personnel, disrupt services.
Potential threats
Terrorists, hackers (professionals, amateurs, political), criminal groups, state sponsored groups, insiders.
What could possibly go wrong?
What could happen?
• Inappropriate access to sensitive information (commercial, legal, personal, IP, security);
• Information is corrupted or incomplete;
• Information is not available when required.
And what are the consequences?
Project delays, cost increases and service disruption, with consequences that could include legal, contractual, financial and reputational impact.
Is information security necessary for BIM?
Depends on your viewpoint:
• Client – cares more about avoiding information exposure;
• Builder – focus is on avoiding cost and time overruns;
• Building operator – concentrates on service delivery to customers.
If you don’t think any of this applies to you – then why worry!
If it does apply, then why isn’t it built in already?
Information risk and the building lifecycle
Stage 0 – Strategic definition
Stage 1 – Preparation and brief
Stage 2 – Concept and design
Stage 3 – Developed design
Stage 4 – Technical design
Stage 5 – Construction
Stage 6 – Handover and close out
Stage 7 – In use
(Figure: information sharing increases as the stages progress.)
In-use information security risks
BIM data is used to support maintenance activities. This leads to:
• Increased information dissemination;
• Increased access to 3D models and meta data;
• Increased data retention.
Building management system issues:
• Remote access support;
• Increased technical vulnerabilities – Internet of Things.
BIM information is in many different places
(Figure: the CDE connected, via the Internet, to the customer’s information systems; the prime contractor’s information systems and staff devices; several subcontractors’ information systems and staff devices; and cloud support systems.)
Information security awareness and maturity
There is a general lack of awareness about information security in the construction industry:
• The level of awareness of information security tends to decrease down the supply chain;
• Tier 1 contractors are increasingly required contractually to manage risks both for themselves and down the supply chain.
Information Security built-in
Information Security should be part of the process from the outset.
Contracts should specify information security requirements:
• Non-functional security requirements;
• Employer information requirements;
• Security aspects letter.
Know what information is important and what the risks to it are
• Identify and value sensitive information assets:
- Know what it is and where it is;
- Determine customer protection priorities.
• Identify and assess risks:
- Determine if you have something to protect.
• Consider:
- Who needs access to it and why;
- Understand if it needs to be accurate and complete;
- Know what the availability requirements are.
• Have a governance structure:
- Supplier and customer working together.
Control information sharing
• Information assets that are valued and labelled support controlled sharing:
- Common naming conventions and security gradings.
• Balance sharing information with managing access:
- Have access controls within the CDE;
- Manage all forms of data and information sharing.
• Roll down information security to supply chain companies:
- Basic information security measures;
- Monitor and manage information dissemination.
Lessons learned
Balance information protection and accessibility.
Manage supply chain information security.
Information security extends beyond the project for
the life of the building.
Need intelligent suppliers and customers.
Use tools that protect information.
Guidance on Information Security for BIM:
Centre for the Protection of the National Infrastructure: http://cpni.gov.uk/
Institution of Engineering and Technology: http://theiet.org/
Summary
BIM is about sharing information in a controlled and secure way.
Intelligent customer and Intelligent Supplier.
Security needs to cover the entire lifecycle of the built asset.
This presentation was delivered to the UK Security Expo Conference on 30 Nov 2017
GDPR and security
Phil Brown, Lead Consultant, Ascentor
info@ascentor.co.uk
Impacts of the GDPR
Why working with Ascentor will set you apart
General Data Protection Regulation – Coming Soon!
GDPR will be enforced across the EU on 25th May 2018. In the UK, it will replace the Data Protection Act 1998. In essence it impacts any business that does business with EU members, regardless of where the processing takes place.
Businesses will really need to know & understand:
1. what personal data they hold
2. where the data is being stored
3. the legal condition for processing the data
4. how they will respond to individuals exercising their rights
5. that the Regulation is not prescriptive, in that it sets out the expectations but does not define how businesses should act – a risk based approach
GDPR – the underlying 6 principles
The GDPR requires that personal data shall be:
1. processed fairly, lawfully and transparently
2. collected for specified, explicit and legitimate purposes
3. adequate, relevant and limited to what is necessary
4. accurate and, where necessary, kept up to date
5. kept for no longer than is necessary
6. processed in a manner that ensures appropriate security
(Figure: People – Processes – Technology.)
There is no ‘one size fits all’ solution but one approach is to keep the ‘data subject’
foremost in your mind rather than fixating on the most convenient solution.
Lawfulness of processing
Processing will only be lawful if one of the following conditions is met:
• the data subject gives consent for one or more specific purposes
• it’s necessary to meet contractual obligations entered into by the data subject
• it’s necessary to comply with legal obligations of the controller
• it’s necessary to protect the vital interests of the data subject
• it’s necessary for tasks in the public interest or exercise of authority vested in the controller
• it’s for the purposes of legitimate interests pursued by the controller (there is a balancing test)
General conditions for consent
The following conditions apply for consent to be valid:
• controllers must be able to demonstrate that consent was given, i.e. the need to keep records
• written consent must be clear, intelligible and easily accessible, otherwise it’s not binding
• ticking a box or choosing appropriate technical settings are valid methods
• more controls apply to obtaining a child’s consent and for processing special categories of personal data
Consent to processing data is not necessary for the performance of a contract, so should not be sought.
The rights of data subjects
The controller shall provide any information relating to the data subject in a concise, transparent, intelligible and easily accessible form using clear and plain language, in particular for any information addressed specifically to a child.
The controller must facilitate the rights of data subjects; the most popular one is likely to be the ‘data subject access request’ (DSAR):
– time period reduced from 40 days to 1 calendar month
– fees abolished (currently controllers can charge £10)
There are exceptions for excessive or vexatious requests – although the onus is on the data controller to prove this is the case.
What we may expect with GDPR
In future, everyone can expect the business collecting personal data to remind or state:
• the period of time that the data will be stored
• the right to rectification, erasure, restriction, objection
• the right to data portability
• the right to withdraw consent at any time
• the right to lodge a complaint with a supervisory authority
• the existence of automated decision-making, including profiling, as well as the anticipated consequences for the data subject
• the outcome of the data subject’s failure to provide data
Privacy notices will need to be well thought out!
Use of the cloud for processing
Use of the cloud for storage or processing of data is very common, but specific conditions are in place for the moving, storing and processing of personal data. For these reasons, a business should consider:
• Where data will be stored or could be stored; if it’s outside the EU and certain listed countries then legal processes must be observed
• The capability of the data processor after considering, inter alia, the following:
– Terms and conditions being presented
– Proof of information security procedures
– Security of data in transit and at rest
– Staff access control restrictions
– Resilience to service failures / attacks
– Reliance on sub-processors to deliver services
– Ability to delete data or have it deleted upon request by the data controller
Aconex Response
Steve Cooper, General Manager UK & Ireland, Aconex
• GDPR – reviewing all processes, policies & systems across all regional / central functions
– Making changes where necessary
– Compliant by May 2018
• Information security certifications
– All hosting environments ISO27001 certified
– In addition, Aconex’s internal engineering, operations and support also ISO27001 certified
– Extending Cyber Essentials Plus (Q1 ’18)
• Investing multiple $millions in a ‘Gold Standard’ cyber security protected platform
– Commenced FedRAMP certification project in the USA
– Single Sign On (SSO) & 2 Factor Authentication (2FA) already released
– Incremental updates globally – hosting, hardware, operating system, databases, applications
– Last week moved UK hosting to a new platform with higher security headroom
Q&A with our panelists
Steve Cooper, General Manager UK & Ireland, Aconex
Steve Maddison, Principal Consultant, Ascentor
Phil Brown, Lead Consultant, Ascentor
Learn more at aconex.com/Demo
Our thanks to Steve Cooper, Steve Maddison and Phil Brown, and to you for attending.