Share:


Cybersecurity assessment of BIM/CDE design environment using cyber assessment framework

    Žiga Turk Affiliation
    ; Muammer Semih Sonkor   Affiliation
    ; Robert Klinc   Affiliation

Abstract

Digitalisation of the construction industry is exposing it to cybersecurity risks. All phases of construction can be affected. Particularly vulnerable are information-intensive phases such as building design and building operation. Construction is among the last industries that are discovering its cybersecurity risks and can rely on frameworks developed for other contexts. In this paper, we evaluate the cybersecurity risks of the design phase of construction using the Cyber Assessment Framework from the National Cybersecurity Centre (NCSC) of the UK. The goal of this study is twofold. First, to examine cybersecurity risks themselves, and second, to evaluate the applicability of the NCSC framework for construction to see if and how construction is specific. The analysis shows that the cybersecurity risks follow the information impact curve that has been motivating the introduction of Building Information Modelling (BIM). The framework is applicable but is weak in addressing the specifics of the construction industrial ecosystem, which involves a multitude of dynamically connected actors, their overlapping authorities, and conflicting motives. It is suggested that a specialized constructionrelated framework should be developed.

Keyword : construction, designing, cybersecurity, building information modelling, common data environment, integrated project delivery

How to Cite
Turk, Žiga, Sonkor, M. S., & Klinc, R. (2022). Cybersecurity assessment of BIM/CDE design environment using cyber assessment framework. Journal of Civil Engineering and Management, 28(5), 349–364. https://doi.org/10.3846/jcem.2022.16682
Published in Issue
May 3, 2022
Abstract Views
2094
PDF Downloads
1406
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

References

Abdirad, H., & Pishdad-Bozorgi, P. (2014). Developing a framework of metrics to assess collaboration in integrated project delivery. In Proceedings of the 50th Annual International Conference of the Associated Schools of Construction. Virginia Polytechnic Institute and State University, VA, US.

AIA National. (2007). Integrated project delivery: A guide. The American Institute of Architects. https://www.aia.org/resources/64146-integrated-project-delivery-a-guide

Ames, B. C., Foster, F. R., Glynn, C., Lynn, M., Nakama, D., Penrose, T., & Rai, S. (2016). Assessing cybersecurity risk: Roles of the three lines of defense. Institute of Internal Auditors (IIA). https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/cybersecurity/gtag-assessing-cybersecurity-risk.pdf

Azhar, S. (2011). Building information modeling (BIM): Trends, benefits, risks, and challenges for the AEC industry. Leadership and Management in Engineering, 11(3), 241–252. https://doi.org/10.1061/(ASCE)LM.1943-5630.0000127

Barrett, M. P. (2018). Framework for improving critical infrastructure cybersecurity. National Institute of Standards and Technology (NIST), Gaithersburg, MD, USA.

Bishop, M. (2004). Introduction to computer security. Addison-Wesley Professional.

Boyes, H. (2013). Resilience and cyber security of technology in the built environment. The Institution of Engineering and Technology.

Boyes, H. (2014). Building information modelling (BIM): Addressing the cyber security issues. Engineering & Technology Reference. https://doi.org/10.1049/etr.2014.9001

Boyes, H. (2015). Security, privacy, and the built environment. IT Professional, 17(3), 25–31. https://doi.org/10.1109/MITP.2015.49

British Standards Institution. (2013). Specification for information management for the capital/delivery phase of construction projects using building information modelling (incorporating corrigendum No. 1) (PAS 1192-2:2013).

British Standards Institution. (2015). Specification for security-minded building information modelling, digital built environments and smart asset management (PAS 1192-5:2015).

buildingSMART. (n.d.). Industry foundation classes (IFC). BuildingSMART Technical. https://technical.buildingsmart.org/standards/ifc/

Construction Users Roundtable. (2004). Collaboration, integrated information and the project lifecycle in building design, construction and operation. https://kcuc.org/wp-content/uploads/2013/11/Collaboration-Integrated-Information-and-the-Project-Lifecycle.pdf

Cybersecurity and Infrastructure Security Agency. (2009, May 6). What is cybersecurity? https://us-cert.cisa.gov/ncas/tips/ST04-001

Davis, A. (2015). Building cyber-resilience into supply chains. Technology Innovation Management Review, 5(4), 19–27. https://doi.org/10.22215/timreview/887

Eastman, C. M., Eastman, C., Teicholz, P., Sacks, R., & Liston, K. (2008). BIM handbook: A guide to building information modeling for owners, managers, designers, engineers and contractors. John Wiley & Sons. https://doi.org/10.1002/9780470261309

Eastman, R., Versace, M., & Webber, A. (2015). Big data and predictive analytics: On the cybersecurity frontline. International Data Corporation (IDC). https://v2.itweb.co.za/whitepaper/Whitepaper_SAS_Cyber_Security.pdf

European Union Agency for Cybersecurity. (2015). Definition of cybersecurity – Gaps and overlaps in standardisation (Report/Study TP-01-15-934-EN-N). https://www.enisa.europa.eu/publications/definition-of-cybersecurity

Falk, C. (2004). Gray hat hacking: Morally black and white. In 2004 Cyber Security Group (CSG) Training Conference.

FireEye. (2021). M-trends 2021. https://content.fireeye.com/m-trends/rpt-m-trends-2021

Freund, J., & Jones, J. (2014). Measuring and managing information risk: A FAIR approach (1st ed.). Butterworth-Heinemann.

Glavach, D., LaSalle-DeSantis, J., & Zimmerman, S. (2017). Applying and assessing cybersecurity controls for direct digital manufacturing (DDM) systems. In L. Thames & D. Schaefer (Eds.), Cybersecurity for Industry 4.0: Analysis for Design and Manufacturing (pp. 173–194). Springer International Publishing. https://doi.org/10.1007/978-3-319-50660-9_7

Hubbard, D. W., & Seiersen, R. (2016). How to measure anything in cybersecurity risk (1st ed.). John Wiley & Sons. https://doi.org/10.1002/9781119162315

Humayed, A., Lin, J., Li, F., & Luo, B. (2017). Cyber-physical systems security – A survey. IEEE Internet of Things Journal, 4(6), 1802–1831. https://doi.org/10.1109/JIOT.2017.2703172

Ilozor, B. D., & Kelly, D. J. (2012). Building information modeling and integrated project delivery in the commercial construction industry: A conceptual study. Journal of Engineering, Project, and Production Management, 2(1), 23–36. https://doi.org/10.32738/JEPPM.201201.0004

International Organization for Standardization. (2018). Information technology-Security techniques–Information security risk management (ISO Standard No. ISO/IEC 27005).

International Organization for Standardization. (2013). Information security management (ISO Standard No. ISO/IEC 27001:2013).

Kabay, M. E. (2015). History of computer crime. In S. Bosworth, M. E. Kabay, & E. Whyne (Eds.), Computer security handbook (pp. 2.1–2.41). John Wiley & Sons, Inc. https://doi.org/10.1002/9781118851678.ch2

Klinc, R., & Turk, Ž. (2019). Construction 4.0 – Digital transformation of one of the oldest industries. Economic and Business Review, 21(3), 393–410. https://doi.org/10.15458/ebr.92

Ma, Z., Zhang, D., & Li, J. (2018). A dedicated collaboration platform for Integrated Project Delivery. Automation in Construction, 86, 199–209. https://doi.org/10.1016/j.autcon.2017.10.024

Mahamadu, A.-M., Mahdjoubi, L., & Booth, C. (2013). Challenges to BIM-cloud integration: Implication of security issues on secure collaboration. In 2013 IEEE 5th International Conference on Cloud Computing Technology and Science (Vol. 2, pp. 209–214). https://doi.org/10.1109/CloudCom.2013.127

Mantha, B. R. K., & de Soto, B. G. (2019). Cyber security challenges and vulnerability assessment in the construction industry. In Proceedings of the Creative Construction Conference 2019 (pp. 29–37). https://doi.org/10.3311/CCC2019-005

MITRE. (2021). CVE. https://cve.mitre.org/

Mutis, I., & Paramashivam, A. (2019). Cybersecurity management framework for a cloud-based BIM model. In I. Mutis & T. Hartmann (Eds.), Advances in informatics and computing in civil and construction engineering (pp. 325–333). Springer International Publishing. https://doi.org/10.1007/978-3-030-00220-6_39

Nawari, N. O., & Ravindran, S. (2019). Blockchain technology and BIM process: Review and potential applications. Journal of Information Technology in Construction (ITcon), 24(12), 209–238.

National Cybersecurity Centre. (n.d.). What is cyber security? https://www.ncsc.gov.uk/section/about-ncsc/what-is-cyber-security

National Cybersecurity Centre. (2016). Common cyber attacks: Reducing the impact.

National Cybersecurity Centre. (2019). Cyber assessment framework v3.0. https://www.ncsc.gov.uk/files/NCSC_CAF_v3.0%20.pdf

National Institute of Standards and Technology. (2018). Framework for improving critical infrastructure cybersecurity v1.1. Gaithersburg, MD. https://doi.org/10.6028/NIST.CSWP.04162018

Nweke, L. O., & Wolthusen, S. (2020). Legal issues related to cyber threat information sharing among private entities for critical infrastructure protection. In 12th International Conference on Cyber Conflict (CyCon) (pp. 63–78). https://doi.org/10.23919/CyCon49761.2020.9131721

Parker, D. B. (1998). Fighting computer crime: A new framework for protecting information. Wiley.

Parker, D. B. (2015). Toward a new framework for information security? In Computer Security Handbook (pp. 3.1–3.23). John Wiley & Sons, Ltd. https://doi.org/10.1002/9781118851678.ch3

Parn, E. A., & Edwards, D. (2019). Cyber threats confronting the digital built environment: Common data environment vulnerabilities and block chain deterrence. Engineering, Construction and Architectural Management, 26(2), 245–266. https://doi.org/10.1108/ECAM-03-2018-0101

Peltier, T. R. (2005). Information security risk analysis. Auerbach Publications. https://doi.org/10.1201/9781420031195

Publications Office of the European Union. (2018). Guidelines on assessing DSP and OES compliance with the NISD security requirements: Information security audit and self – assessment/ management frameworks. http://op.europa.eu/en/publication-detail/-/publication/78f2a620-f909-11e8-9982-01aa75ed71a1/language-en

Rogers, M. K. (2005). The development of a meaningful Hacker Taxonomy: A two dimensional approach. In NIJ National Conference 2005.

Smith, G. E., Watson, K. J., Baker, W. H., & Pokorski II, J. A. (2007). A critical balance: Collaboration and security in the IT-enabled supply chain. International Journal of Production Research, 45(11), 2595–2613. https://doi.org/10.1080/00207540601020544

Stewart, J. M., Chapple, M., & Gibson, D. (2015). CISSP: Certified information systems security professional study guide (7th ed.). Sybex, a Wiley brand.

Thames, L., & Schaefer, D. (2017). Industry 4.0: An overview of key benefits, technologies, and challenges. In L. Thames & D. Schaefer (Eds.), Cybersecurity for industry 4.0: Analysis for design and manufacturing (pp. 1–33). Springer International Publishing. https://doi.org/10.1007/978-3-319-50660-9_1

Thaseen, S., Cherukuri, A. K., Ahmad, A., Cherukuri, A. K., & Ahmad, A. (2019). Improving security and privacy in cyber-physical systems. In Y. Maleh, M. Shojafar, A. Darwish, & A. Haqiq (Eds.), Cybersecurity and privacy in cyber physical systems (pp. 3–43). CRC Press. https://doi.org/10.1201/9780429263897-2

Turk, Ž. (2020). Interoperability in construction – Mission impossible?. Developments in the Built Environment, 100018. https://doi.org/10.1016/j.dibe.2020.100018