Methods of Ensuring Information Security in BIM

Information security in BIM (Building Information Model) platforms is crucial, especially for mission-critical projects. Improper distribution and loss of confidential information can potentially lead to threats to physical security, financial losses, and loss of trust and reputation. The article discusses common methods of ensuring cybersecurity, potential threats


Introduction
The security of BIM platforms in shared data environments of joint projects is important because confidential information about the project is also stored and distributed through them. Improper exchange, leakage, or loss of confidential project information, such as financial and personal information in information modeling platforms and related software, can lead to serious consequences, such as financial losses and loss of trust in the data provided, which can affect the company's reputation. In addition, information security in the case of BIM projects of buildings of high state importance (military installations, power plants, government buildings and industrial buildings) is necessary to prevent political and commercial espionage. At the moment, despite the above arguments, there are very few comprehensive studies in the field of information security in BIM that define the security requirements for joint BIM platforms.
Collaborative BIM platforms have characteristics that carry unique security requirements (multi-disciplinary nature, multiple data providers and consumers, geographically separated stakeholders, network communication, etc.). Thus, first of all, it is necessary to identify specific risks and security requirements arising from the functional characteristics of BIM platforms.
The relevance of the topic under study is justified by the fact that the current implementation of security methods and technologies for joint BIM platforms is low and not systematic. The process of creating consolidated BIM models requires aggregation of BIM data from multiple data owners; therefore, data confidentiality (protection of confidential BIM data from unauthorized parties) and data transmission security (protection of data from interception and misuse during transmission) must be ensured. Data authenticity requirements (versioned integrity and up-to-date data) must also be met. Therefore, the security requirements for collaborative BIM should be clearly and fully defined to assess the current state of BIM security.
The aim of the study is to develop a conceptual framework for the Information Security Strategy of the Building and Structure Information Modeling (BIM) process.
An information security strategy is a structured and interrelated set of actions aimed at improving the long-term security of an organization's confidential information and determining the best way to access it. In this paper, we work out the preparatory stage for developing an information security strategy aimed at ensuring an appropriate level of protection for information modeling processes.

Research methodology
The paper uses methods of analysis and synthesis of scientific literature, generalizations to identify the most common technologies used in conjunction with information modeling, identification of potential threats and optimal protection methods. The experiment consists of penetration testing (pentest) on simulated common work models directly in the information modeling process, as well as interpreting the results of the pentest and developing a strategy for improving the level of security in BIM. The scheme of the research is shown in Figure 1. According to the results of the study [1], four popular technologies were identified, namely: cloud computing, encryption, distributed database systems, and blockchain, as shown in Fig. 2. Further, each of these technologies will be considered in more detail together with potential information security threats and methods of prevention and protection [2][3][4][5][6][7][8][9][10].

Cloud Computing
Cloud BIM technologies are known as a cost-effective alternative to the current state of data exchange and storage [2], and their efficiency and low cost are potential advantages of cloud applications. As a result, BIM applications are gradually moving to cloud technologies, and BIM web services and cloud applications are gaining more and more popularity [3].
The main risks and key security threats associated with the use of cloud technologies as defined by the CSA (Cloud Security Alliance) are presented in Table 1. CSA is a nonprofit organization that researches best practices for ensuring the security of cloud computing and uses cloud technologies to ensure the security of other types of computing. The infrastructure-as-a-service (IaaS) model is the most widely used model for cloud services. IaaS contains a wide range of resources that are aggregated and managed under the full control of consumers. Figure 3 shows three cloud computing models (IaaS, PaaS, and SaaS), where the dashed connections indicate that these parts are organized by the consumer, not the provider. Solid line connections indicate that these resources are provided by the provider (for example: in SaaS, data management is organized by the provider, and all other components are organized by the consumer). Because virtualization is at the core of this model, these concerns fall into two broad categories: cloud service providers and user responsibilities in the cloud. First, cloud service providers provide and manage the entire IT stack and have full control over the hypervisor to predict network traffic. In addition, cloud users must protect their own environment from internal and external threats.
The IaaS model is an interesting area for research; for example, the study [4] proposed cryptographic methods to prevent threats and attacks on the components of the IaaS model.
Cloud-BIM is a term that refers to the combination of cloud computing and BIM technology, which involves distributing the software, computing power, and storage capacity required for BIM in the cloud, enabling efficient cross-regional collaboration between different actors using the same BIM model and reducing operating and maintenance costs for hardware [5], providing users with only one graphical user interface (GUI) [6].
According to research [7], existing BIM collaboration platforms have a high level of network security and an average level of data security (file or block-level encryption) due to the common network and data security protocols used by the underlying cloud platforms. Therefore, it will also be important to analyze common interaction models in BIM and develop a basic concept for the implementation of project information security strategies that take into account both potential threats and security components for identified characteristics and processes [11][12][13][14][15][16][17][18][19].

Encryption
In a collaborative environment, you have the challenge of effectively sharing the information you need to work together while protecting other sensitive information in the product build model. The article [8] presents an innovative encryption approach for building models when working together. This approach relies on content encryption and is effective for securely sharing feature-based build models.
The main characteristics of the innovative approach are that the approach is based on functionality and is integrated into the main commercial computer-aided design (CAD) systems, flexible to meet the needs of various users in encrypting functions selected by users during collaboration, and the approach is parametrically controlled by adjusting position and size parameters to ensure the usability of the approach.
Attribute-based Encryption (ABE) is a promising solution for scalable access control to encrypted data stored on untrusted servers (for example, in the cloud), due to its ability to perform randomization and decryption of data encryption defined by descriptive attributes. In order to link different components that correspond to different attributes in a custom attribute-based decryption key, most existing ABE schemes have used a key technique. The authors of [9] considered an ABE without key regeneration to prevent the user from randomizing their decryption key in any way, i.e. the user can only delegate their decryption key in exactly the same form without any changes, so that any pirated key can be traced back to its original owner.
The development of smart cities through digital communications has improved the quality of life and well-being of citizens. In these cities, IoT technology generates huge amounts of data at any given time, which is analyzed to provide services to citizens. When these cities are properly implemented, a critical problem is the violation of the privacy and security of citizens, which leads to distrust and pessimism in relation to the services of the «smart city» [10].

Distributed database systems
Distributed database technology is a technology for integrating multiple databases to function as a single logical unit using data partitioning and data replication mechanisms, primarily to improve data availability. To adapt to changes in the distributed database system, appropriate data reallocation strategies are needed to reduce the cost of data reallocation. For example, the authors of [11] showed that two algorithms with linear complexity can be used in distributed database systems of different sizes (partial reallocation and full reallocation algorithms).
In the article [12], researchers proposed an adaptive multi-level caching strategy for DDBS with joint consideration of DDBS characteristics and unbalanced data access. The proposed strategy can dynamically adjust the allocation of caching resources by adapting the caching size of different data nodes. In this case, hot data nodes can get more caching resources to speed up query execution and eliminate the bottleneck [20][21][22][23][24][25][26][27][28].
A comparison of distributed system technology with a centralized database is presented in Table 2.

| Criterion | Centralized database | Distributed database |
|---|---|---|
|  | This database provides the user with a consistent and complete view. | Since it is distributed in different places, it is difficult to provide the user with a single view. |
| Data consistency | This database has more data consistency than a distributed database. | This database may have some data replication, which reduces data consistency. |
| Failure | Users cannot access the database if the database fails. | In a distributed database, if one database fails, users gain access to other databases. |
| Cost | A centralized database is less expensive. | This is a high-cost database. |
| Maintenance | Easy maintenance, as all data and information is available in one place and therefore easily accessible. | It is difficult to maintain because of the distribution of data and information in different locations. So, you need to check for data redundancy issues and ways to maintain data consistency. |
| Efficiency | A centralized database is less efficient because data retrieval becomes quite complex due to storing data and information in a specific location. | A distributed database is more efficient than a centralized database due to the separation of data in multiple locations, which makes it easier to search for data and takes less time. |
| Response speed | The response speed is faster compared to a distributed database. | The response rate is lower compared to a centralized database. |
| Advantages | Data integrity; security; easy access to all information; data is easily transferred. | High performance due to workload separation; high availability due to the availability of nodes to perform work; independent nodes and better control over resources. |
| Disadvantages | Data retrieval takes time; if the centralized server fails, the entire database will be lost; if multiple users are trying to access data at the same time, this can create problems. | It is quite large and complex, so it is difficult to use and maintain; it is difficult to ensure security; data integrity problem; increased storage and infrastructure requirements; failure handling is quite a complex task. |

Thus, we can conclude that it is not so easy to choose the best implementation methods and options, especially focusing solely on the cost. Each enterprise has its own tasks and needs, so there may not be a universal recommendation for choosing a database technology, but it is quite possible to use common models of collaboration in BIM to identify critical points and develop an effective cybersecurity strategy.

Blockchain
Blockchain is a promising technology to address such risks by providing decentralized and immutable data storage. However, the integration of the blockchain with BIM faces the problem that the blockchain is inherently unsuitable for storing large files, such as BIM models, which prevents the blockchain from protecting the integrity of BIM data [13]. Placing BIM models on the blockchain will lead to high latency and network congestion [14]. As a result, the integrity and immutability of BIM data cannot be ensured.
The authors of [15] analyzed the applicability of blockchain technology for BIM models and shared data environments [16]. Blockchains have attracted the attention of various industries, such as finance, insurance, logistics, energy and transport, to experiments with their application [17].
Researchers [18] noted problems related to vulnerability and privacy, despite the fact that the blockchain is considered secure, due to the fact that transactions occur with generated addresses, and not real identifiers. While blockchain represents the immutable nature of transactions and data, it raises concerns about data deletion (in the long run). Another challenge is to eliminate end-user errors, such as accidental key loss. Software updates and installations also lead to potential privacy leaks [18].
It is also worth noting research related to the Internet of Things (IoT). For example, the authors of [19] tried to integrate IoT and blockchain, and the authors of [20] presented a solution related to the "smart city", which consists in using blockchain technology to join the information exchange network and buy or sell energy between the nodes involved (energy suppliers and individuals). As a result, the main security-related problems of using blockchain in IoT are reduced to the following conclusions:
1. Problems in maintaining transparency and confidentiality: blockchain can guarantee transparency of transactions, which is important in some applications, especially in the financial industry, but user privacy can be violated when storing and accessing IoT data [21]. To maintain a balanced degree of transparency and confidentiality, it is necessary to develop cost-effective access control to IoT using the blockchain.
2. Problems of blockchain regulation in IoT: while several technological features of the blockchain, including decentralization, immutability, anonymity, and automation, are promising security solutions for various IoT applications, these features combine to create various new regulatory challenges [22]. Due to the anonymity of DLT (Distributed Ledger Technology), it is not so easy to distinguish between parties performing transactions for illegal services. While the blockchain automation feature offers many benefits, the actors that cause certain behaviors, including code errors and code obfuscation, are ambiguous. Current IoT laws and regulations are becoming outdated, especially with the advent of new disruptive technologies such as blockchain, and they need to be reviewed for the adoption of DLT [23].

Common interaction models in BIM
According to [24], 57% of engineers use network folders and a local network (central network disk) for their work. A network drive or mapped drive is a disk or shared resource on another computer or server on the same network (for example, a local network). For example, when using a corporate network, you may have access to company or customer information on a network drive. Accessing a network drive is similar to accessing a local drive, but data is transferred from a remote computer to a computer over a network connection.
Disadvantages of using a network drive for collaboration in BIM: it is difficult to reuse data, links are lost, manual renaming, it is impossible to view where data is used, communication with engineering staff, it is impossible to block files for modification, version mismatch, local network congestion, correspondence histories are not stored [29][30][31][32][33][34][35].
Product Data Management (PDM) helps companies improve the way they control, access, and share important files and information related to a product. Improvements to PDM lead to increased product profitability and business efficiency. About half of the companies that took part in the survey [24] reported that sharing information with others is the main task when designing. A similar number report that simply finding the right information makes design efforts more difficult. More than a third say they work with incorrect data. These issues significantly reduce performance and are easily addressed by using the basic data management, access, and exchange capabilities of the PDM. Only 8% of companies that do not use PDM say that this is because they do not have any problems related to data management (Figure 4) [36][37][38][39][40].

Figure 4. Reasons for not using PDM [24]

PDM systems in BIM can be roughly divided into two categories: the first is data storage and management services in the cloud (for example: Autodesk BIM 360, Trimble Connect, VitroPark) and the second is an engineering data management system (Autodesk Vault, Pilot-BIM, Vitro-CAD, ProjectWise, etc.). The advantages of PDM are a single central access point, a BIM-enabled technical document flow, automation of the business process of exchanging design tasks, change management and versioning control, and increased protection of the company's intellectual property.
Thus, common interaction models in BIM that should be considered from the point of view of information security include the following types:
1. Working together on a network drive
2. Cloud-based PDM systems
3. EDM (Engineering Data Management Systems)
Information security in construction industry projects using information modeling technologies has recently become an increasingly important topic of concern and discussion among its members. BIM security is not an area that remains untouched in existing BIM and document management platforms. Most existing BIM collaboration platforms, such as Autodesk BIM 360 and Aconex, are implemented using cloud service providers supported by standard (non-configurable) security measures.
The main security considerations of such cloud service providers are to provide network security to protect data during transmission and to ensure data security through file or block-level encryption. However, the security considerations of such cloud service providers do not meet the BIM security requirements, such as secure data separation and data ownership (at the object or object family level) [7].
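The object-level requirements named above (data ownership, separation by object family, versioned integrity and up-to-date data) can be made concrete with a short sketch. This is an added example, not code from the paper or from any BIM platform: the object fields, owner names, keys and the `acl` structure are all constructed for illustration, and HMAC stands in for a real per-owner digital signature so that only the Python standard library is needed.

```python
import hashlib
import hmac
import json

# Constructed demo keys, one per data owner (assumption: HMAC replaces the
# owner's digital signature to keep the example standard-library only).
OWNER_KEYS = {"architect": b"demo-key-arch", "structural": b"demo-key-struct"}
SIGNED_FIELDS = ("id", "family", "owner", "version", "prev", "data")

def digest(obj):
    """SHA-256 over a canonical encoding of the fields the owner vouches for."""
    body = {k: obj[k] for k in SIGNED_FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def publish(obj_id, family, owner, data, previous=None):
    """Owner publishes one object version, chained to the previous version."""
    obj = {"id": obj_id, "family": family, "owner": owner, "data": data,
           "version": previous["version"] + 1 if previous else 1,
           "prev": digest(previous) if previous else None}
    obj["tag"] = hmac.new(OWNER_KEYS[owner], digest(obj).encode(),
                          hashlib.sha256).hexdigest()
    return obj

def check(obj, latest):
    """Problems in one object; `latest` maps object id -> newest known version."""
    key = OWNER_KEYS.get(obj["owner"])
    if key is None:
        return ["unknown-owner"]
    problems = []
    good = hmac.new(key, digest(obj).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, obj.get("tag", "")):
        problems.append("tampered")      # content no longer matches owner's tag
    if obj["version"] < latest.get(obj["id"], 0):
        problems.append("stale")         # a newer version has been published
    return problems

def audit(model, latest):
    """Per-object findings for a consolidated model (only objects with problems)."""
    return {o["id"]: p for o in model if (p := check(o, latest))}

def view_for(party, model, acl):
    """Separation at object-family level: ids of objects the party may read."""
    allowed = acl.get(party, set())
    return [o["id"] for o in model if o["family"] in allowed]

def demo():
    # Constructed sample objects from two owners in one consolidated model.
    wall_v1 = publish("wall-01", "Walls", "architect", {"height_mm": 3000})
    wall_v2 = publish("wall-01", "Walls", "architect", {"height_mm": 3200}, wall_v1)
    beam = publish("beam-07", "Framing", "structural", {"section": "IPE300"})
    beam["data"]["section"] = "IPE200"   # changed without the owner's key
    model = [wall_v1, beam]              # the model still holds the old wall
    latest = {"wall-01": wall_v2["version"], "beam-07": 1}
    acl = {"contractor": {"Walls"}}      # contractor may read the Walls family only
    return audit(model, latest), view_for("contractor", model, acl)

if __name__ == "__main__":
    print(demo())
```

File or block-level encryption alone would report none of these findings, because the consolidated file as a whole is still a valid, decryptable file.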
According to the research of Positive Technologies [25] «Actual cyber threats: results of 2021», state institutions and medical organizations were most often subjected to cyberattacks among all industries (Figure 5). The results of these studies confirm the need to improve cybersecurity in the processes of information modeling and develop an individual strategy to ensure it, since most state-significant objects are designed using BIM and should be maximally protected from potential information security threats.
It is expected that the results of the planned study will raise awareness of cybersecurity for BIM platforms and serve as a basis for forming an Information Security Strategy in BIM processes.

Conclusion
Thus, the main functional characteristics for ensuring information security in BIM platforms are:
1. Data Privacy
2. Data transfer security
3. Integrity
4. Relevance
The most common technologies are cloud computing, encryption, distributed database systems, and blockchain. Potential threats applicable to these technologies and protection methods are analyzed.
The main schemes of work in BIM are defined: network disk, cloud PDM, and EDM. Combined models of work should also be noted (for example, the main work in EDM, and information exchange or provision of selective information to the customer or contractor through the cloud, etc.). This work can be useful for improving approaches to ensuring an appropriate level of cybersecurity in BIM platforms and developing universal steps for planning and implementing an effective information security strategy, since it is precisely a well-developed and implemented information security strategy in a company that can provide the required and controlled level of protection in BIM processes.

Table 2. Centralized and distributed database.