Protecting surveyors’ systems from hostile cyber attacks

In a broad sector that encompasses capital projects and related construction, architectural and survey services, plus the sale, letting, leasing and management of real estate, the nature and source of cyber threats can vary considerably.

Andrew Knight, international data standards director at RICS, says: “There is potentially sensitive information being held on land rights, in sophisticated BIM models, on lease and rental data. And with the advent of smart buildings using sensors and other Internet of Things (IoT) devices, the data being collected and held is growing on an exponential scale. This presents risks around data security and the ability to gain entry to systems through a vast range of devices now connected to the internet.”

Surveyors who work in the field run the risk of hooking up to unprotected networks and exposure to ‘evil twin’ attacks that copy the name of a venue's wireless connection to steal data from unsuspecting users. There are also ‘packet-sniffing’ attacks that monitor traffic to and from a device.

Buildings’ IT networks were once self-contained, but smart buildings blur boundaries, connecting users inside and out, and multiply the ‘attack surface’ available to hackers. Financially motivated criminal groups can exploit this opportunity to extort money, or change the way the building operates, with implications for access and health and safety.

And such threats remain prescient for construction or infrastructure design and delivery teams using BIM to exchange sensitive project and client data.

“Any BIM project could involve national security risks, in particular critical infrastructure, and must be on guard against advanced threats, “says Chris Waynforth, AVP for Northern Europe at cyber security company Imperva. “Think, for example, of the chaos that would be caused by taking the energy grid or rail system offline for even a day.”

But an extended array of pathways for cyber attacks doesn’t have to leave companies powerless. As the examples below explore, factors such as better awareness of cyber issues among management and employees and adherence to proper standards, protocols and training can help build a robust ‘firewall’ around our developing digital lives.

“Given that Common Data Environments (CDEs) and BIM platforms hold some of the most sensitive data that businesses possess, every organisation has to operate on the basis that it is a target,” says Waynforth.

BIM platforms simplify collaboration but suffer from the same security weaknesses as other cloud-based tools, adds Waynforth, including a lack of control and visibility. For example, a shared link could be forwarded to an unauthorised third party, accessed over an unsecured network, or stolen as part of a cyber attack, putting vital information at risk.

But an extended array of pathways for cyber attacks doesn’t have to leave companies powerless. As the examples below explore, factors such as better awareness of cyber issues among management and employees and adherence to proper standards, protocols and training can help build a robust ‘firewall’ around our developing digital lives.

To safely ringfence data, project managers should, according to Imperva, implement four key steps. Firstly, a clear security strategy, developed using processes like the specification ISO 19650-5, can ensure that information relating to sensitive assets is captured and adequately protected. Preventative measures, such as data auditing and monitoring, should be carried out regularly on any local or common data environment where sensitive information is stored or produced.

“Project managers need a rigorous process in place to check the security credentials of all suppliers, including verification of proper cyber-liability insurance in case the worst happens,” says Waynforth.

Furthermore, in anticipation of a potential cyber breach, a comprehensive security breach/incident management plan can enable companies to quickly and effectively respond if there is a problem.

When BIM relates to sensitive assets and critical infrastructure, extra precautions may be required, particularly in the context of ‘National Digital Twins’ of critical infrastructure and smart cities. Data activity monitoring and access controls can give oversight of all users with access to sensitive data and detect any changes made. “Automating processes using intelligent analytics can ensure that information relating to sensitive assets is safeguarded without overloading human security teams,” says Waynforth.

If the building network is connected to other enterprise networks, an attack can act as a bridge to other business critical systems. In one case, a compromised thermostat in an internet-connected fish tank led to an attack at a casino in the US. Criminal infiltration of building equipment, such as motors, pumps or drives could impact on the health and safety of building occupants.

Hugh Lindsay, global solution architect for Cyber Secure Buildings at Schneider Electric says: “Ransomware attacks can result in unresponsive building systems, lost data and payments of potentially hundreds of thousands of dollars to attackers. Any damage to physical equipment and systems could take a long time to repair or rebuild to recover control.”

According to Lindsay, property managers should carry out risk and vulnerability assessments to identify and prioritise the buildings and assets that would suffer the biggest impacts from an attack. From there, proper procedural and technical protections should be implemented to limit openness and exposure, such as training, patching, system hardening, firewalls, threat detection software, back-ups, and secure remote access solutions.

“For new buildings, consider adopting new best practices based on standards like IEC 62443 and the National Institute of Standards and Technology (NIST) Cybersecurity Framework,” he adds.

One problem with IoT devices is a lack of awareness of the sheer number of gadgets that may feature internet connectivity, ranging from smart meters to smart vending machines, to air conditioning units and interactive kiosks. “At the very least, the manufacturer’s default password should be changed, and antivirus software should be installed,” explains Marie-Noelle Brisson FRICS, co-founder of cyber risk management firm CyberReady.

Facilities managers need to encourage communication between IT, engineering, and business departments, says Brisson, to better understand what has connection to the internet and how it is being used, managed, and protected.

“Everyone who has access to the building’s data must be careful in using it and involved in protecting it,” she says. “Business continuity and disaster recovery plans should be established and regularly updated and tested.”

Brisson advises extending precautions to the tenant level, including cyber clauses in leases, and transferring risk with a “well understood and calibrated insurance policy.”

The distributed ledger is cyber secure by design because data is stored in chronologically and cryptographically-linked blocks, creating a verifiable ‘chain’ of information. If data in any block is modified, everyone in the chain knows immediately, so the prospect of a ‘silent hack’ becomes negligible.

The likelihood of a central point of attack is also minimised because no one person or group controls the network. However, this may not prevent edge attacks, explains Michael Savoie, CEO of business IT integration specialist HyperGrowth Solutions: “A company providing a block on the chain could be hacked/infiltrated, or a hacker could simply add a nefarious block to the chain.”

The formulation of blockchain code poses another potential risk. Making changes to the platform after its deployment requires the consensus of at least 51% of all ‘nodes’ on the network, therefore any bugs tend to stay live far longer than in conventional private code, where an exploit can be fixed in a matter of hours.

Reggie Chan FRICS, a real estate professional working on the application of blockchain technologies, says: “If you didn’t write a smart contract perfectly, then a hacker may be able to find and use an error before you can patch it. That's the major pro and con of blockchain code – it’s extremely transparent but difficult to modify after being released.”

And at an infrastructural level, blockchain’s distributed architecture is very different from traditional client-server architecture, which has major implications for data centres, clearing houses and end users. Savoie says: “Risk managers will need to ensure business continuity and disaster recovery plans take into account these new technologies and new ways of hacking.”

Employee negligence is widely acknowledged as the main cause of cyber security breaches and the risk increases when work is remote, unmonitored and potentially taking place on unsecured personal devices or wi-fi networks.

Public wi-fi hotspots are often unprotected, giving malicious actors a potential opening to spy on a connection and harvest confidential company or client information. Using personal devices to access work networks and related systems can be problematic if, for example, software is not kept up-to-date, or employees leave the company without erasing confidential information.

According to business IT security provider Totality Services, a robust cyber-security plan should require remote staff to use mobile devices that adhere to industry-standard protocols, such as two-factor authentication (2FA), which require confirmation of identity using a biometric sensor or a text message to a company mobile.

Furthermore, staff in the field should always use a virtual private network (VPN) linked to a company router or firewall, which will encrypt company data over public wi-fi and place remote workers on the same local network as office staff, with the associated file access rules.

But even VPNs, firewalls, or other security precautions will fall flat if employees are lax and unaware of the risks. For this reason, a well-managed company IT policy that encourages staff compliance and conscientiousness can help bridge any gaps and keep cyber criminals at bay.

For more must-read Modus articles, sign up for the newsletter.