CPNI advice: take care when you share

by Mark Rowe

In the (good old?) days, architects drew up buildings on paper; the engineers worked off those drawings, and out of hours you could keep them in a locked filing cabinet. Now we have computer-aided design, data on memory sticks, and filing systems ‘in the cloud’. Where does this leave the security of sensitive buildings such as embassies or oil and gas terminals – and especially the most sensitive security details of those sites, such as the location and spec of CCTV cameras and motion detectors? Official advice, in a phrase, is ‘take care when you share’ with your supply chain.

The Coalition and now Conservative Governments’ aim to reduce the cost of public sector assets means rapid evolution in the construction sector. In any case, ‘digital built environments’, including building information modelling (BIM), are bringing new ways of working – parts of buildings made off-site, sensors, and even the so-called ‘Smart Cities’ of physical buildings that connect with each other digitally. Hence there is a need to deliver fiscal, functional, sustainability and growth objectives, which in turn will promote changes in built asset procurement, delivery and operational processes. So say the authors of PAS 1192-5:2015, a British Standards specification ‘for security-minded building information modelling, digital built environment and smart asset management’. It’s available on the official CPNI (Centre for the Protection of National Infrastructure) website.

What does the added technology in buildings mean for security, given that information about ‘built assets’ has to be shared, and yet protected? The PAS calls for ‘an appropriate safety and security mindset and culture across many partners, including the need to monitor and audit compliance’. For instance when going out to tender, you ought to make sure that contractors (and their contractors) are covered by confidentiality agreements, so that the unsuccessful bidders return or destroy the data. Security – which, the document stresses, covers ‘people, process, physical and technology’ – ought to be written into contracts. Nor should contractors try to pass all the security responsibility to their suppliers. The spec suggests writing in the right to review security of any part of the supply chain. And you may want to tell your suppliers that making false claims about security amounts to fraud.

On the steering group behind the document, besides the likes of CPNI and the Met Police, were building and engineering firms Laing O’Rourke, NG Bailey and Ove Arup. The document makes the case for good security offering competitive advantage, by protecting key assets and making for trust between customers and products. ‘Good security requires holistic risk assessment’, and a balance of the cost of protecting an asset with the impact of its loss. It makes the point that once something is on the internet, you cannot retrieve it; and even innocuous pieces of information, if added to other innocuous pieces, could result in exposure.

Though the spec is about digital data, the security issues range from hostile reconnaissance to hackers or ‘disaffected personnel’ giving away intellectual property. The document stresses the ‘holistic approach’ to security, admitting that non-security people need to buy into security, and take responsibility. Processes, and the ‘cyber-physical systems’ of buildings also have a place. Nor is it only a matter of security, such as physical access control; data has to be resilient, and with integrity (to use an example not in the document; what if a hacker adds a nought to a piece of data, making it dangerous or meaningless?!).

The PAS also speaks of a ‘security triage process’: what should trigger an assessment of security, such as a change of contractor or building occupier, or ‘marked changes in the threat environment’. The document defines a ‘sensitive built asset’ in several ways, including critical national infrastructure (CNI) sites, or ‘crowded places’. Who’s going to do all this work? The PAS suggests a ‘built asset security manager’, who’s to do everything from developing a ‘breach-incident management plan’ to being accountable for security decisions, although non-security people may have some of the work, such as HR doing personnel security and a facilities manager looking after the building. The spec avoids going into specifics; for instance it devotes only a page to developing a ‘built asset security strategy’ (BASS for short). As with risk management generally, none of this work is a one-off; you have to keep reviewing, not least because a building has a lifecycle, and new risks may enter when seeking planning permission (planners might get sensitive details, but not print them on the planning register), or during repairs or the installation of new systems. On cloud computing, for instance, it admits risks including lack of standards and whether you know what vendors are doing with your data (‘lack of third party assurance’). As for risks in the supply chain, the document suggests redacting sensitive details such as what a room is for, or giving details on paper rather than interactive models.
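Two of the points above, redacting what a room is for and where security devices sit before a model goes to a contractor, and checking the data still has integrity when it comes back (a changed figure, as in the earlier nought example), as an added illustration that is not from the PAS or the article; the asset record, field names and sensitivity policy are constructed for this example only:

```python
import copy
import hashlib
import json

# Constructed sample of a BIM-style asset record (not a real site or model).
ASSET_MODEL = {
    "site": "EXAMPLE-TERMINAL",
    "rooms": [
        {"id": "R101", "area_m2": 42.0, "purpose": "server room"},
        {"id": "R102", "area_m2": 18.5, "purpose": "control room"},
        {"id": "R103", "area_m2": 120.0, "purpose": "canteen"},
    ],
    "devices": [
        {"id": "CAM-07", "type": "cctv", "location": "R101 north wall",
         "spec": "PTZ, 30x zoom"},
        {"id": "PIR-03", "type": "motion", "location": "R102 ceiling",
         "spec": "12 m range"},
        {"id": "AHU-01", "type": "hvac", "location": "roof", "spec": "15 kW"},
    ],
}

# Assumed policy for illustration: room purposes and the location/spec of
# security devices are sensitive; building services such as HVAC are not.
SENSITIVE_DEVICE_TYPES = {"cctv", "motion"}
REDACTED = "[REDACTED]"

def redact_for_supplier(model):
    """Return a copy of the model with the sensitive fields blanked out."""
    shared = copy.deepcopy(model)          # never mutate the master record
    for room in shared["rooms"]:
        room["purpose"] = REDACTED
    for dev in shared["devices"]:
        if dev["type"] in SENSITIVE_DEVICE_TYPES:
            dev["location"] = REDACTED
            dev["spec"] = REDACTED
    return shared

def digest(model):
    """Canonical SHA-256 of the model so a recipient can check integrity."""
    canonical = json.dumps(model, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def prepare_share(model):
    """Redacted model plus its digest, ready to hand to a contractor."""
    shared = redact_for_supplier(model)
    return shared, digest(shared)

def verify_share(model, expected_digest):
    """Recipient-side check: any altered value changes the digest."""
    return digest(model) == expected_digest
```

The digest only detects accidental or casual alteration; for a real exchange the sender would sign it or send it over a separate channel so that the digest cannot be replaced along with the data.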

The document goes into risk mitigation: a breach could be the loss of a physical access card or token, or a surveillance device planted, or someone physically entering a site without permission. The spec sets out how you have to contain the loss, and whether you have to collect forensic evidence, besides reviewing the risk anew.

Like other British Standard work, this PAS overlaps with other documents, such as data protection and the Freedom of Information Act; though details of official buildings may come under the Official Secrets Act.

To view the PAS, visit the CPNI website: http://www.cpni.gov.uk/advice/Cross-cutting-advice/Digital-built-assets-and-environments/


© 2024 Professional Security Magazine. All rights reserved.