Fifteen years ago it was unthinkable to carry around hundreds of drawings on a device the size of a magazine, even for bleeding edge firms. Today, we have simple single family home jobsites where every pair of boots has access to not only a full set of plans, but all of the other information carried with it. Where ten years ago a malicious actor might be able to photograph a sheet or three of a plan set, now they can download potentially every piece of information about a building in a few moments.
Rare in the grand scheme of building permits, it's not uncommon for particularly sensitive areas of buildings to be redacted from the primary building permit. While this is still simple to accomplish with BIM, we are now including so much more information in our models, that even something more mundane may be a security risk. We hear about Red Teams testing TSA and trying to penetrate corporate networks or facilities to identify and help patch weaknesses, but I've hardly heard a peep about model security or file access control other than issues in getting anyone who asks for it a shared password. Let alone Red Teams using XR and reality capture(they are).
Does it matter? I'm legitimately not certain, although I suspect it does. Until the mid 1970's no one had considered that a hijacked airliner could be used as a weapon, and that threat took decades to become a significant reality. We know that devices like smart light bulbs can and are actively used maliciously. We know that many HVAC control systems are functionally unsecured. Is simple knowledge of the use of certain technology an easy vulnerability for a red team or truly malicious actor?
As a hobby, I've studied locks as fun little 3-dimensional puzzles for over three decades now. The funny thing about lockpicking is that picking the lock is rarely the easiest way to defeat the protection the lock is supposed to provide, but lock picking has taught me a lot of bypass methods that go around the lock. A high security lock may just be an invitation to break a window. I spent a time moonlighting in physical security, helping to define mass casualty and incident response plans, but we never planned for a horse in armor landing on top of a toddler (the kid and horse were both fine). Security threats don't always take the most obvious means of attack. Let’s talk about access to data, and what that means for some of the potential security risks that might be impacted by BIM data.
About Michael Freiert:
Michael has many hobbies, has had a few professions, and is a strong believer in cross discipline problem solving. He has worked in ACAD since R12, Revit since 6.1, and has learned a bunch of things from varied work with Legos, wood, scenic design, SFX, security, machining, sewing, cooking, explosives and gardening - all influencing his design philosophy, choice of tools, and preference for using apt, if sometimes unconventional tools. For the last two decades he's focused pretty heavily on BIM. He's taught about BIM practice and Design Technology at conferences worldwide, and loves to find innovative yet pragmatic workflow solutions in the ever changing intersection of design and technology. He is the BIM Manager at Pope Design Group in St. Paul MN.
#AUPasses #BIM #buildinginformationmodeling #security