Alexandra Luck, a chartered engineer and member of the Register of Security Engineers & Specialists, argues there needs to be a much greater understanding of the security implications of an increasingly connected supply chain and built environment
The use of digital technologies throughout the lifecycle of assets will become an increasingly major contributor to the delivery of fiscal, functional, sustainability and growth objectives.
The implementation of Building Information Modelling is already commonplace in the design and construction of major building and infrastructure projects. In the operational and management phase, sophisticated cyber-physical systems, by using a combination of sensors and actuators, are able to capture real-time data about asset use and condition in order to achieve benefits such as increases in energy efficiency and better asset lifecycle management.
These systems can already be found in transportation, utilities, infrastructure, buildings, manufacturing, healthcare and defence. In the longer term, they will interact as integrated cyber-physical environments, for example in the development of smart communities.
However, for these benefits to be fully realised, a cultural change needs to occur across the industries involved, with far higher value placed on data and information as assets, and appropriate resource put into their collection, processing and ongoing management.
Importantly, this needs to be coupled with an awareness of the vulnerabilities and associated security risks that arise through the increased use of, and dependence on, digital technologies. These risks may relate to the security of the built asset or environment, the services that they deliver, individuals and communities, or to the data or information itself.
With few organisations in the industry previously having to give much consideration to security, this is a particular challenge. Even where an asset owner identifies that there are no sensitivities in relation to a built asset, its occupants or users, or the services delivered from or by the asset, there remains a risk to intellectual property, commercial information and personal data that has not existed to the same extent previously.
Organisations in a supply chain will therefore not only need to be able to consistently implement a client’s security-minded policies and processes where required, but also understand and appreciate the security risks to their own data and information.
Threats include terrorism, hostile actions by nation states, commercial espionage, organised crime, activists, lone actors, hackers and malicious insiders. The threat actors associated with these might seek to make use of vulnerabilities in order to: compromise the value, longevity and ongoing use of the organisation’s assets and/or services; cause harm, damage or distress to, or compromise, an organisation’s personnel or other users of the asset or services; obtain, disrupt or corrupt data, information and/or systems; and/or cause reputational damage.
Good security can therefore offer a competitive advantage to commercial enterprises by protecting their key assets and engendering trust by their stakeholders and customers in the services or products that are provided. For those involved in the design, delivery or management of new or modified assets, it can also provide competitive global positioning in the international market, particularly for high profile and sensitive projects.
However, for security to act as an enabler within the digital engineering process, rather than be perceived, or used, as a blocker of adoption and/or innovation, it is essential to apply proportionate countermeasures to each of the identified potential risks with the measures being pragmatic, appropriate, cost-effective and commensurate with the organisation’s risk appetite.
An organisation will always have to bear a level of risk, but how much capacity it has to do so will depend on the impact that a security breach or incident resulting in an asset’s loss, compromise or failure could have on the organisation and its stakeholders.
This process cannot be static: for security to be maintained over the longer term, it is necessary to both monitor the effectiveness of risk mitigation measures and to identify and assess any risks which have changed for political, economic, social, technological, legal or environmental reasons.
Further, to be effective, a holistic approach is needed, encompassing personnel, physical and technological security and overseen by good governance with clear lines of accountability and responsibility. Staff and members of the supply chain need to be aware of, and understand, the security policies in place and be able to implement them simply and efficiently – if they are too onerous, there is real danger that over time, the measures put in place to manage security risks will be ignored or circumvented.
Currently, the successful implementation of a security-minded approach relies on organisations working with their supply chains in order to configure standard data, information and, where applicable, modelling systems in ways that protect, and limit access to, the detail of and information about, sensitive assets. As the industry moves towards the optimisation and integration of built assets and environments throughout the lifecycle process, it is essential that developments are underpinned by managed and integrated information that is trusted and secure to an appropriate level, if they are to support all sectors and maximise the realisation of benefits to UK plc.
Further information and guidance around the need for, and implementation of, a security-minded approach in projects utilising digital technologies, as well as ongoing asset management, is available in PAS 1192-5:2015, which can be downloaded for free from the British Standards Institute website, and in a suite of supporting documentation available on the Centre for the Protection of National Infrastructure website.
A Luck Associates
Tel: +44 (0)7789 206422.