New code of practice puts cyber security at heart of built environment

Out-Law News | 27 May 2022 | 2:06 pm |

The Institution of Engineering & Technology (IET) has called for a systematic approach to cyber security across the lifespan of built assets in an updated code of practice.

The IET’s Code of Practice: Cyber Security in the Built Environment (100 page / 794 KB PDF) aims to provide guidance to those working on the construction and design of buildings and other structures, so that cyber security is embedded from the start.

The code encourages an approach which reduces cyber security risks to built assets and those occupying or using them. It seeks to establish clear responsibilities and lines of accountability so the right person does the right thing in relation to cybersecurity at the right time in the lifecycle of the asset.

The code aims to ensure cost-effective security of information and control systems, and suggests including protective security measures in the engineering design of a structure from the outset, to deliver a secure and resilient built environment while avoiding costly reworks.

The IET also proposes that those involved in the construction of built assets adopt a holistic design for physical and cyber security. They should take into account big data opportunities within the wider environment which enhance security; and all security measures should be assessed against a catastrophic failure event to ensure the security of ongoing and degraded operations.

Cybersecurity expert Sarah Cameron of Pinsent Masons said revisions to the code, which was first issued in 2014, were timely.

“With the exponential growth in Internet of Things (IoT) and Industrial Control Technology devices, a cyber physical security vision is an absolutely critical part of the strategy,” Cameron said.

Christian Toon of Pinsent Masons said: “As organisations look to integrate technology infrastructure into built assets it is vital for safety, security and privacy to be designed into the installation to maximise protections and minimise risk.”

“The benefits are clear – smart, connected infrastructure that provides convenience, control and commercial efficiencies. The risks posed to this technology can be huge if not protected over the asset’s lifecycle,” Toon said.

The IET code of practice sets out practical guidance for multidisciplinary teams in order for them to achieve its aims, through asking questions and identifying issues to be considered. The IET said the code was not intended to be a checklist of efficient cyber security for the built environment, and unlike guidance published about generic or IT control systems, the document addresses the complexity of both a built asset and the stakeholders’ lifecycles.

The code is intended to apply to a wide range of functions connected to the design, management, operation and security of buildings, the data associated with them, and the systems which help them function such as lighting, heating, security, lifts and industrial processes or equipment.

“This renewed publication of the code of practice is a welcome step in reinforcing the message of ‘byDesign’ principles to be integrated in the earliest point of the programme whilst considering cyber issues through the whole lifecycle of the assets,” Toon said.

“It is fair to say this should not been seen in isolation or indeed implemented as such. This code of practice should be integrated into your product and organisational management system for information and cyber security. This consistent approach will ensure standardisation and alignment to business objectives through an acceptable risk lens,” Toon said.

The UK government also set out an objective to secure the next generation of connected technologies by embracing a secure by design approach in its National Cyber Security Strategy, published in December 2021.

The Product Security and Telecommunications Infrastructure Bill is also making its way through parliament, and the Digital, Culture, Media & Sport committee has recently launched an inquiry into the implications of connected technology.

The code of practice also reinforces the fact that protection and resilience are required to protect the intellectual property, user data and other telemetry collected from a building and its systems, to reduce the likelihood of the technology being taken over remotely and used maliciously, and to remove the risk to safety systems and human life through system failure.

Toon said this was particularly relevant in the context of the increasing prevalence of malicious bots, or in the IoT context, networks of bots, and the threat they can pose to devices and systems.

However, the IET code of practice also reminds those involved in the security of built assets that threats can also come from non-malicious and malicious internal sources, and personnel security is a key factor in implementing cyber security protocols.