1.8. Data Security (PAS 1192:5)
1.8.1 Information Assurance
Information Assurance is concerned with preserving appropriate levels of confidentiality, integrity and availability of information belonging to Atkins, its clients and partners. The potential for security breaches is ever-present and on the increase. It is therefore vital to ensure that information is managed correctly and appropriately. This requires that the:
- Confidentiality of information is ensured by allowing only those authorised to have access
- Integrity is safeguarded by allowing only authorised change
- Availability of information and associated assets is ensured by the management of identified risks
The Atkins Information Assurance Standard can be found here:
Atkins Information Assurance Standard
It is essential that all staff understand the importance of these standards. We are all encouraged to read and share them across our teams.
1.8.2 Cyber Resilience Infrastructure
Atkins has produced a Cyber Resilience Infrastructure Report, which gives valuable guidance for project teams and senior management to consider and follow. The report can be accessed from the following link.
Cyber Resilience Infrastructure Report
Digital technology is increasingly part of the fabric of everyday life, manifested in smartphones, internet-enabled household equipment, even in our cars. Beyond this, technology is also rapidly pervading the industrial infrastructure that keeps our modern society operating. This is resulting in a convergence between Information Technology (IT) and Operational Technology (OT) – linking previously separate worlds across the internet.
This technology is under threat from cyber-attack with potentially disastrous consequences for society. While some organisations are beginning to respond to these threats to industrial and process control systems, industry as a whole is behind the curve. These operational technologies are still considered by malicious attackers to present softer – but high value – targets, particularly at the point of IT network convergence.
The business risks from this threat – financial, reputational and safety-related – are significant and potentially existential. The response demanded is not just a matter of technology but of culture, organisation, process and governance. The scope of the response is not limited to an isolated function but extends to the whole of an organisation and its supply chain.
Against this backdrop, leadership is critical. The people who are responsible for running and leading an organisation, regardless of size, should be focusing on this challenge, driving the full spectrum of measures required to enable their staff to secure business operations.
The Atkins Cyber Resilience Infrastructure report is for those leaders, to help them develop a better understanding of the cyber world and the challenges it presents. It also aims to show them that there are ways to embrace with confidence the great benefits that digital technologies can bring by ensuring that their operations are cyber-resilient.
1.8.3 Our Network Structure
It should be noted that Atkins operate two network systems:
- ACE (Commercial Network): handling of non-classified project data.
- R-ACE (Restricted Network licensed by the MoD): classified projects only.
Both systems require individuals to sign up to a set of protocols and standards. All staff must be conscious of, and vigilant with, the data we author and its management. In the R-ACE environments further protocols are also in place, including security classification coding. Where classified data is being authored, managed, handled and shared, we must follow UK Government Security Classification Scheme (GSCS) guidance. This also means that classified data must be security marked. Marking data places strict requirements on individuals and the business as to how the data can be used, accessed and shared.
1.8.4 BIM impact on security
BIM brings further risk through collaborative working. The UK government provides guidance under the BIM level 2 mandate. This guidance is captured in PAS 1192:5 2015 Specification for security-minded building information modelling, digital built environments and smart asset management.
The PAS guidance addresses the inherent vulnerability issues, in particular to take appropriate and proportionate measures to:
- protect information about the location and properties of sensitive assets or systems not otherwise generally visible directly or through other sources;
- protect certain information pertaining to sensitive assets or systems, the location of which can be readily identified; and
- recognize and address where the aggregation or association of data, or an increase in the accuracy of the location of assets or systems could compromise the security or operation of a built asset.
This PAS provides a framework to assist asset owners and stakeholders in understanding the key vulnerability issues and the nature of the controls required to deliver the trustworthiness and security of digital built assets within the built environment. Its purpose is not in any way to undermine the collaboration upon which both projects utilizing digital technologies and asset management systems are centred, but to ensure that information is shared in a security-minded fashion. It encourages the adoption of an appropriate, proportionate, need-to-know approach to the sharing and publication of information about built assets that could be exploited by those with hostile or malicious intent.
Fundamental to data sharing, BIM brings a collaborative environment to operate within, known as the Common Data Environment (CDE). This is a mixture of processes and structured containers to host and share data. It is captured in further UK government mandate guidance documents – BS1192:2007+A2:2016 and PAS 1192:2.
1.8.5 What do we need to do?
The BEP needs to respond and capture the security approach; this should reference as a minimum the following guidance:
- The Atkins Cyber Resilience Infrastructure Report
- The Atkins Information Assurance Standard
- The Atkins security protocol for managing data on our ACE / R-ACE environments.
- PAS 1192:5 2015 (BIM level 2 Projects)
On BIM level 2 projects, PAS 1192:5 requires the client to appoint a ‘Built Asset Security Manager’. This person comes with defined roles and responsibilities. It’s feasible that this role may be undertaken by an Atkins member of staff suitably qualified for the role. The guidance focusses on the potential security issues. These include:
- Hostile Reconnaissance
- Malicious Acts
- Loss or disclosure of intellectual property
- Loss or disclosure of commercially sensitive information
- Release of personally identifiable information
- Aggregation of data
The guidance uses the security triage process to identify the need for a security-minded approach to the built asset or associated asset information. Once assessed, the Built Asset Security Manager ensures that a number of key activities and plans are put into place. The activities and the role are summarised below. We need to be mindful of what this activity means and what impact or involvement the team may need to consider. This applies at all levels of the project: model authoring, lead designer and design managers, all the way through to project management teams and directors. We must understand the relevance.
Key Activities managed by the Built Asset Security Manager – read with PAS 1192:5:
- provide a holistic view of the security issues and threats to be addressed;
- offer guidance and direction on the handling of risks;
- take ownership, manage, and assist in the development of the built asset security strategy (BASS) (see Clause 7);
- be accountable for security decisions that are taken;
- take ownership, manage, and assist in the development of the built asset security management plan (BASMP) (see Clause 8);
- take ownership, manage, and assist in the development of the security breach/incident management plan (SB/IMP) (see Clause 9);
- take ownership, manage, and assist in the development of the built asset security information requirements (BASIR) (see Clause 10);
- assist in the development of plain language questions and employer’s information requirements (EIR) in projects;
- assist in the development and reviewing of any tendering and project planning documentation;
- be responsible for promoting a security-minded culture;
- brief advisors, specialists and supply chain on relevant aspects of the BASS, BASMP and BASIR;
- advise on the need for, and undertake, the review and auditing of documentation, policies, processes and procedures relating to the security of the built asset; and
- where appropriate and necessary, seek appropriate professional security advice to provide additional guidance throughout the lifecycle of the project and/or asset.