Digital Transformation - The emergence of the cyber criminal

This blog is not my normal style, it does not intend to be humorous or `tongue in cheek` but I have tried as normal to make you, the reader, think about things in a different way but to also ensure you stay alert.

The following excerpts are from news stories published into the public domain, but before you read on it is important to understand that the companies named in these press releases were victims, and these events could have happened to any organisation, even yours, and still could.

• In May 2020, Interserve was hit with a cyber-attack which had a longer term impact on its systems (ConstructionNews, 2020), and was followed by -Interserve’s equipment services arm, RMD Kwikform, also targeted in November 2020.
• Bouygues Construction published a press release in January 2020 confirming that a ransomware-type virus was detected on their computer network, and as a precautionary measure their information systems were shut down to prevent any propagation (Bouygues, 2020).
• Royal BAM Group were hacked on the 4th May 2020 via an obscure vulnerability within the company’s website, allowing access to the company’s corporate network, resulting in the encryption of files and subsequent ransom demands from the hackers (ConstructionNews, 2020).
• Zaha Hadid Architects was targeted by cyber attackers using ransomware in a bid to extort money from the practice in the early weeks of the first national Covid-19 lockdown.
• More recently Arup’s was in the news after the firm confirmed employees’ personal details were put at risk by an attack on its third-party payroll services provider (Building, 2021).
• In December 2019, Canadian construction company Bird Construction suffered a ransomware attack.
• In March 2020 EMCOR Group, the US-based engineering, and industrial construction services provider, confirmed that the Ryuk ransomware attack took down some of its IT systems (Cyware Social, 2020).

I will reiterate that these organisations are the victims here and that these attacks are the ones that have been reported publicly. How many cyber-attacks go unreported is an immediate question that springs to mind.

I am not a cyber-security specialist, so I am writing this blog from the position of a concerned citizen, but also as an industry consultant who assists organisations with their BIM and Digital Strategies and Transformation. In my role, information and data security is always a consideration and I have been suggesting to the companies I meet and support to consider investing in the UK Government back Cyber Essentials Scheme if they did not already hold or wish to obtain ISO/IEC 27001 Certification, the international standard for the management of information security.

I am so pleased to report that the uptake has grown substantially, client organisations are increasingly focusing on this area during pre-qualification, and with more flexible working arrangements becoming the accepted norm, cyber security due diligence is fast becoming everyone’s responsibility. Which leads me to asking you a very straight forward question.

“If you discovered or suspected that you might be a victim of cyber-crime, what would you do first?”

Now you have that question in mind, let me introduce you to the international standard BS EN ISO 19650-5:2020 and its full title, Organisation and digitisation of information about buildings and civil engineering works, including building information modelling (BIM) - Information management using building information modelling - Part 5: Security-minded approach to information management.

Not another standard I hear you cry, but this standard provides a framework to assist organisations to work together within a project environment. It provides guidance in identifying key vulnerability issues and the nature of the controls required to manage security risks.

It is very important to understand that this standards purpose is not to undermine collaboration or the benefits that BIM and related collaborative work methods and digital technologies can provide. We can continue using systems such as Autodesk’s BIM 360 and share information and data, but we do need to nurture a security-minded approach to keep our projects as resistant to cyber-crime as we possibly can.

I would like to ask you to consider just a single section within BS EN ISO 19650-2:2020, section 8, Developing a security breach/incident management plan.

The key parts of a security/incident management plan are:

• An assessment of the types of security breaches/incidents that can occur and the potential risks that can arise which impact upon the organisation(s), its function, assets, and reputation, to personnel and third parties.
• The process to be followed on discovery of a security breach/incident.
• Business continuity measures and recovery actions affording the same level of security as the systems in use on a day-to-day basis including the collection of evidence for law enforcement purposes where applicable.
• The review process to be carried out following a security breach or incident and the mechanism for updating the management plan.

The above list of course could be expanded, but I would propose that every company regardless of size or role on a project should have a plan in place. I would recommend to client organisations to consider this as a standard project requirement, and for those undertaking information management functions to always ask the question when setting up project requirements. In the simplest terms, would you want to exchange information and data with any organisation that did not have a security/incident management plan in place that was understood by all employees and management alike. Personally, if the worst happened and any member of my project team was targeted by cyber-criminals, I would want to know that there was a plan to minimise the impact. Also, considering that companies’ employees are more likely to be working remotely rather than within a central office location, ensuring everyone is aware of the steps to take if they suspect a cyberattack or inadvertently clicked on that email that in hindsight was suspicious, can only increase cyber resilience for all.

I am very pleased to share the news that a group of leading contractor experts are developing guidance for the industry to use to thwart cyber-attacks while working in a joint venture, the group is known as the Chief Information Security Officer Forum (London News Today, 2021) but if you need guidance today the UK’s National Cyber Security Centre is an excellent resource.

Alternatively, if you would like to discuss your current IT infrastructure systems, your cyber essential requirements or would like to know more about BS EN ISO 19650-5 and the processes, please do not hesitate to get in touch with us.

Author

Daryn Fitz

Daryn has worked within the construction sector for over 35 years, providing extensive experience in the management, application and integration of Digital Information Technologies within Design Consultant, Main Contractor, Developer and Employer Organisations. Today, Daryn is predominantly an advisor to Employer Organisations, provides Information Management services directly, leads the LRQA (previously Lloyds Register) BIM | ISO 19650 Accreditation scheme on behalf of Symetri, is an Associate Lecturer at Middlesex University supporting its MSc BIM Management programme, guest lecturers at other Universities and is currently researching a PhD in Data Quality within the Construction Sector. As an educator Daryn is known for his pragmatic and impartial approach, building on and reinforcing concepts by using real-world application and examples.