Building Data Security

Construction industry’s long-overdue shift to digital raises threat of cyber attacks

As more and more activities are conducted in the digital realm, some industries, such as banking, have made strides to reduce the risks that come with doing business online. The architecture, engineering and construction (AEC) industry, however, says Borja García de Soto, an assistant professor of civil and urban engineering at NYU Abu Dhabi, has been slow to adapt to the digital world. But the shift is now happening, he said, and it’s time to prepare for the impact this transformation will have on the industry.

García de Soto started his career as a structural engineer but later switched to construction management. He has held a variety of positions in construction that have given him an understanding of how the adoption of new technologies — such as robotics, 3D printing, and Internet of Things — can benefit an industry that has a reputation for doing business the old fashioned way. García de Soto is also a global network assistant professor of civil and urban engineering at the NYU Tandon School of Engineering and director of NYUAD’s S.M.A.R.T. Construction Research Group.

The shift to new, digital technologies in the construction industry — referred to as Construction 4.0 — is a welcome development that will bring many benefits, such as increased efficiency, improved safety conditions, and better quality, García de Soto believes, but there are also risks that come with it.

 

Small and medium enterprises don’t have the means to spend huge sums of money on information technology.

Borja García de Soto, NYUAD assistant professor of civil and urban engineering

One particular innovation in construction that is leading to huge benefits is what’s known as Building Information Modeling, or BIM, which essentially is a set of processes to produce, communicate, and analyze digital building models during the different phases of a project.

BIM files evolve during the lifecycle of a project, hold relevant data about a building, and include not only information about a structure’s geometry, but also other information, such as the manufacturer, price, maintenance requirements, and many other details about objects in the building at its components, García de Soto explained.

“This information isn’t significant on its own, but it’s context-specific,” he said. “For a single family home, the data isn’t that important. But for more sensitive infrastructures, such as government offices, power or water plants, which requires much more security,” these small pieces of information start to add up into something more meaningful.



Securing BIM files and how they are used is an achievable goal, but a limiting factor is the breadth and diversity of companies that collaborate and interact on large construction projects.

“Although great work has been done by the National Institute of Standards and Technology and the Institution of Engineering and Technology, in general, the AEC industry lacks the awareness, skills, and culture required for adequate consideration of cyber security. One reason is that we are made up of many small and medium enterprises and contractors who don’t have the means to spend huge sums of money on information technology,” García de Soto indicated.

“Awareness and investment in high-level cybersecurity in the industry are still very low, making this industry susceptible and particularly attractive to hackers,” he said.

The fact that hackers can access information on the BIM files is not the most critical problem. “What is of more consequence are cyber attacks on other large collections of data the industry possesses,” he said. “For example, typical data stored by contractors, subcontractors, designers, consultants, and suppliers include engineering designs, calculations and specifications, pricing, profit / loss data, employee information, intellectual property, and banking records. In some cases, this data contains highly confidential or proprietary information, and construction companies are significantly vulnerable,” he added.

Typical data stored by contractors, subcontractors, designers, consultants, and suppliers include engineering designs, calculations and specifications, pricing, profit / loss data, employee information, intellectual property, and banking records. In some cases, this data contains highly confidential or proprietary information, and construction companies are significantly vulnerable.


Like most in the construction sector, García de Soto wasn’t initially aware or interested in how cyber attacks could affect the industry. Indeed, within construction, there is a sentiment that cyber security should be left to others to address, he said. “But through working with experts at the Center for Cyber Security at NYU Abu Dhabi, I realized that the construction industry needs to be more proactive, and we should start thinking about how to address the challenges and cyber security implications from the inside to ensure a successful transition into the digital environment.”

García de Soto is working with colleagues within the industry and the Center for Cyber Security at NYUAD to survey the risks, publish research, and raise awareness. “There’s a critical need to fundamentally understand the cyber security aspects of the entire construction life cycle under Construction 4.0,” García de Soto said. “This includes what might be compromised, how a cyber attack might it happen, why would someone intend to undertake one, and what would be the impact. Part of the research conducted in the S.M.A.R.T. Construction Research Group at NYU Abu Dhabi is geared in that direction.”