Content uploaded by Erika Anneli Pärn
Author content
All content in this area was uploaded by Erika Anneli Pärn on Apr 12, 2019
Content may be subject to copyright.
Engineering, Construction and Architectural Management
Cyber threats confronting the digital built environment: Common data
environment vulnerabilities and block chain deterrence
Erika A. Parn, David Edwards,
Article information:
To cite this document:
Erika A. Parn, David Edwards, (2019) "Cyber threats confronting the digital built environment:
Common data environment vulnerabilities and block chain deterrence", Engineering, Construction
and Architectural Management, https://doi.org/10.1108/ECAM-03-2018-0101
Permanent link to this document:
https://doi.org/10.1108/ECAM-03-2018-0101
Downloaded on: 18 March 2019, At: 03:58 (PT)
References: this document contains references to 101 other documents.
To copy this document: permissions@emeraldinsight.com
The fulltext of this document has been downloaded 980 times since 2019*
Users who downloaded this article also downloaded:
(2018),"Valuing sustainable change in the built environment: Using SuROI to appraise built
environment projects", Journal of Facilities Management, Vol. 16 Iss 3 pp. 315-353 <a href="https://
doi.org/10.1108/JFM-11-2016-0044">https://doi.org/10.1108/JFM-11-2016-0044</a>
(2008),"Responsible property investing: what the leaders are doing", Journal of
Property Investment & Finance, Vol. 26 Iss 6 pp. 562-576 <a href="https://
doi.org/10.1108/14635780810908406">https://doi.org/10.1108/14635780810908406</a>
Access to this document was granted through an Emerald subscription provided by
Token:Eprints:JB72U3hvIPDiKsbRfIge:
For Authors
If you would like to write for this, or any other Emerald publication, then please use our Emerald
for Authors service information about how to choose which publication to write for and submission
guidelines are available for all. Please visit www.emeraldinsight.com/authors for more information.
About Emerald www.emeraldinsight.com
Emerald is a global publisher linking research and practice to the benefit of society. The company
manages a portfolio of more than 290 journals and over 2,350 books and book series volumes, as
well as providing an extensive range of online products and additional customer resources and
services.
Emerald is both COUNTER 4 and TRANSFER compliant. The organization is a partner of the
Committee on Publication Ethics (COPE) and also works with Portico and the LOCKSS initiative for
digital archive preservation.
*Related content and download information correct at time of download.
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
Cyber threats confronting the
digital built environment
Common data environment vulnerabilities and
block chain deterrence
Erika A. Parn and David Edwards
School of Engineering and the Built Environment,
Birmingham City University, Birmingham, UK
Abstract
Purpose –Smart cities provide fully integrated and networked connectivity between virtual/digital assets
and physical building/infrastructure assets to form digital economies. However, industrial espionage, cyber-
crime and deplorable politically driven cyber-interventions threaten to disrupt and/or physically damage the
critical infrastructure that supports national wealth generation and preserves the health, safety and welfare of
the populous. The purpose of this paper is to present a comprehensive review of cyber-threats confronting
critical infrastructure asset management reliant upon a common data environment to augment building
information modelling (BIM) implementation.
Design/methodology/approach –An interpretivist, methodological approach to reviewing pertinent
literature (that contained elements of positivism) was adopted. The ensuing mixed methods analysis: reports
upon case studies of cyber-physical attacks; reveals distinct categories of hackers; identifies and reports upon
the various motivations for the perpetrators/actors; and explains the varied reconnaissance techniques adopted.
Findings –The paper concludes with direction for future research work and a recommendation
to utilize innovative block chain technology as a potential risk mitigation measure for digital built
environment vulnerabilities.
Originality/value –While cyber security and digitization of the built environment have been widely covered
within the extant literature inisolation, scant research has hithertoconducted an holistic review of the perceived
threats, deterrence applications and future developments in a digitized Architecture, Engineering, Construction
and Operations (AECO) sector. This review presents concise and lucid reference guidance that will intellectually
challenge, and better inform, both practitioners and researchers in the AECO field of enquiry.
Keywords Building information modelling, Integrated practice,
Information and communication technology (ICT) applications
Paper type General review
Introduction
We will neglect our cities to our peril, for in neglecting them we neglect the nation - John F. Kennedy
Throughout history, buildings and infrastructure (i.e. “physical assets”that cumulatively
constitute the built environment) have provided secure sanctuaries, protecting inhabitants
from theft and malicious attacks (Toy, 2006). Today’s built environment is no exception and
conserves this utilitarian physicality. However, contemporary operations and maintenance
(O&M) works have become increasingly dependent upon an expansive web of cyber-
physical connectivity. Such connectivity has been achieved via an amalgamation of smart
sensor-based network technologies (Lin et al., 2006), advanced computerization (Pärn and
Edwards, 2017) and computational intelligence techniques (Bessis and Dobre, 2014).
Contextualized as virtual assets, the voluminous data and information generated
throughout a physical building/infrastructure asset’s whole lifecycle (i.e. design,
construction and operations/occupancy phases) constitutes the basis for knowledge
propagation, insightful business intelligence and an invaluable commercial commodity
(Edwards et al., 2017). Intelligence on building/infrastructure asset performance augments
decision making via automated analytics geared towards driving economic prosperity,
Engineering, Construction and
Architectural Management
© Emerald Publishing Limited
0969-9988
DOI 10.1108/ECAM-03-2018-0101
Received 16 March 2018
Revised 8 May 2018
3 June 2018
Accepted 15 June 2018
The current issue and full text archive of this journal is available on Emerald Insight at:
www.emeraldinsight.com/0969-9988.htm
Common data
environment
vulnerabilities
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
business profitability and environmental conservation (Lin et al., 2006; Ryan, 2017). These
palpable benefits have steered government reforms globally towards embedding
digitalization throughout the Architecture, Engineering, Construction and Operations
(AECO) sector –a sector that encapsulates the whole lifecycle of an asset’s design,
construction and subsequent use (Nye, 2017). For example, the UK government’s mandated
policy “Digital Built Britain 2025”represents a prominent epitome of ambitious plans to
coalesce digitized economies and infrastructure deployment (HM Government, 2015). This
strategic vision has been enacted via the building information modelling (BIM) Level 2
mandate to extend the frontiers of digitized asset handover for building and infrastructure
asset owners (HM Government, 2013). BIM has orchestrated a paradigm shift in the way
that information is managed, exchanged and transformed, to stimulating greater
collaboration between stakeholders who interact within a common data environment
(CDE) throughout the building/infrastructure asset’s whole lifecycle (Eastman et al., 2011).
Adaptation of a CDE for critical infrastructure (i.e. the processes, systems, technologies
and assets essential to economic security and/or public safety) constitutes a key facet of
effective asset digitalization and offers potential “long-term”lifecycle savings for both
government and private sector funded projects (Bradley et al., 2016). In the “short-term,”a
precipitous amount of front-loaded government expenditure earmarked to augment
operations management means that a concerted effort has been made to develop accurate
BIM asset information models (AIM) for large infrastructure asset managers (e.g. utility
companies, Highways England, Network Rail, Environment Agency) (BSI, 2014a).
Government policy edict will continue to transform the modus operandi for developing
and maintaining buildings and infrastructure within the smart built environment (Bessis
and Dobre, 2014). However, the proliferation of cyber-physical connectivity inherent within
a CDE has inadvertently created opportunities for hackers and terrorists, and an
omnipresent threat of cyber-crime prevails (Boyes, 2013a) –yet surprisingly, extant
literature is overtly sanguine about the conspicuous benefits accrued from digitalization
(BSI, 2014a, b, c; HM Government, 2015). Infrastructure stakeholders (e.g. clients, project
managers and designers and coordinators) are unwittingly confronted by clandestine cyber-
assailants targeting critical infrastructures through a digital portal facilitated by the CDE’s
integral networked systems that support O&M activities (Ficco et al., 2017). Curiously,
pertinent literature is replete with examples of public policy considerations that evaluate
critical infrastructure exposed to intentional attacks, natural disasters or physical accidents
(Mayo, 2016). However, the discourse is comparatively silent on substantial cyber-physical
security risks posed by a wholesale digital shift within the AECO sector (Kello, 2013).
Significant risks posed could disrupt the stream of virtual data produced and in turn, have a
profound detrimental impact upon a virtually enabled built environment, leading to physical
interruption and/or destruction of infrastructure assets (e.g. electricity generation) thereby
endangering members of the public.
Given this prevailing worldwide menace, a comprehensive literature review of cyber-
threats impacting upon the built environment, and specifically critical infrastructure, is
conducted. Concomitant objectives are to: report upon case studies of cyber-physical attack
to better comprehend distinct categories of hackers, their motivations and the
reconnaissance techniques adopted; and explore innovative block chain technology as a
potential risk mitigation measure for digital built environment vulnerabilities. The research
concludes with new hypothesis and research questions that will initiate much needed future
investigations and an expanded academic/practitioner discourse within this novel area.
Methodology
The methodology adopted an interpretivist research approach to reviewing extant literature
(Walsham, 1995) that contained elements of positivism, where the latter was founded upon
ECAM
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
the assumption that published material has already been scientifically verified by a robust
peer review process. A systematic literature review conducted collected and critically
analyzed results emanating from existing studies found within extant literature, where the
literature constituted data and the population frame (Levy and Ellis, 2006). An iterative, four
stage process was implemented that consisted of: a broader review of wider literature to set
the context for this research study; a specific review of cyber-space and cyber-physical
attacks –case studies of cyber-attacks extracted from the Repository of Industrial Security
Incidents (RISI) online incident database were reviewed to identify the motivations for
hacking and to delineate and define the various types of hackers (otherwise known as
actors); a componential analysis of literature –a mixed methods componential analysis was
conducted to provide a richer understanding of the established, but fragmented, topic of
cyber-crime. A componential analysis is a manual qualitative technique that assigns the
meaning of a word(s) or other linguistic unit(s) to discrete semantic components (Fisher,
2018). In this instance, a cross comparative tabulation matrix of key industries studied and
recurrent emergent themes identified was constructed to present analysis findings; and a
report upon innovative cyber-deterrence techniques –an iterative process flow diagram is
utilized to explain how “block chain”can be successfully employed to provide superior
protection against ensuing cyber-threats (when compared to encryption and firewalls).
Collectively, this chain of documentary evidence and analysis of such provided a thorough
and holistic contextualization of cyber-threats confronting the digital built environment.
The digital Jacquerie
Globally, an insatiable desire within rural communities for economic migration to cities,
continues to engender an upsurge in urbanization –a trend further exacerbated by a
projected 9.7bn population growth by 2050 (UN, 2014a, 2015). For both developed and
developing countries, relentless urbanization presents a complex socio-economic
conundrum and raises portentous political issues such as: deficiencies in health care
provisions (UN, 2014b); lack of resources and malnutrition (UN, 2015); and environmental
degradation and pollution (UN, 2015). These dystopian challenges can be alleviated through,
for example, shrewd allocation of resources via social circumscription measures (UN, 2014b).
However, politicians worldwide have also contemplated the implicit assumption of
technology inertia as an impediment to government reform (cf. Mokyr, 1992). Policies
subsequently developed have responded accordingly by mandating advanced technologies
within smart city development as a panacea to these challenges within the AECO sector –a
sector sensu stricto berated for its reluctance to innovate (BSI, 2014a). Despite a notable
disinclination to change, the AECO sector is widely espoused as being a quintessential
economic stimulus (Eastman et al., 2011) –significantly contributing to gross domestic
product (HM Government, 2015) and providing mass-labor employment (DBIS, 2013).
Consequently, the AECO sector was a prime candidate for the UK government’s BIM Level
2 mandate that seeks to immerse it within a digital economy. Specifically, the Digital Built
Britain report (HM Government, 2015) aspires that:
The UK has the potential to lead one of the defining developments of the 21st century, which will
enable the country to capture not only all of the inherent value in our built assets, but also the data
to create a digital and smart city economy to transform the lives of all.
Within this digital insurgency, critical infrastructures are at the forefront of the UK
government’s strategic agenda (Bradley et al., 2016). Unabated advancements in
computerization have widened the capability of decision support to providing appropriate
resolutions to pertinent infrastructure challenges such as: optimizing planning and economic
development (Ryan, 2017); ensuring resilient clean air, water and food supply (Bradley et al.,
2016); and/or safeguarding integrated data and security systems (BSI, 2014a). Throughout the
Common data
environment
vulnerabilities
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
various stages of an infrastructure asset’s lifecycle this transition is further fortified by BIM
technology and the use of a CDE that can improve information and performance management
(Pärn and Edwards, 2017). The palpable benefits of BIM and CDE extend beyond the design
and construction phases into the operations phase of asset occupancy and use. BIM
technology’s innate capability is essential during the asset’s operational phase which
constitutes up to 80 percent of the overall whole lifecycle expenditure. In congruence with this
statistic, the McNulty (2011) report ambitiously predicts that the potential savings associated
with digital asset management and supply chain management may reach up to £580m
between 2018 and 2019 and will be facilitated through: effective communications; the right
speed of action; a focus on detail and change; and incentives and contractual mechanisms that
encourage cost reduction. For the purpose of this review, digitization is acknowledged to
proliferate throughout all stages of an infrastructure asset’s lifecycle in a smart cities and
digital economies context; such has potentially severe implications businesses and
governments who may be exposed to cyber-crime and -espionage.
Smart cities and digital economies
The British Standards Institute (BSI, 2014a) defines smart cities as:
The effective integration of physical, digital and human systems in the built environment to deliver
a sustainable, prosperous and inclusive future for its citizens.
Within practice, the term smart cities is a linguistic locution that encapsulates fully
integrated and networked connectivity between digital infrastructure assets and physical
infrastructure assets to form digital economies (BSI, 2014a). A perspicacious hive mentality
is inextricably embedded within smart city philosophy and serves to augment intelligent
analysis of real-time data and information generated to rapidly optimize decisions in a cost
effective manner (Szyliowicz, 2013; Zamparini and Shiftan, 2013). Consequently, smart cities
within the digital built environment form a cornerstone of a digital economy that seeks to
provide more with less; maximize resource availability; reduce cost and carbon emissions
(whole lifecycle); enable significant domestic and international growth; and ensure that an
economy remains in the international vanguard (HM Government, 2015). The unrelenting
pace of digitization worldwide is set to continue with an expected $400bn (US Dollars)
investment allocated for smart city development by 2020; where smart infrastructure will
consist of circa 12 percent of the cost (DBIS, 2013). Yet, despite this substantial forecast
expenditure, scant academic attention has hitherto been paid to the complex array of
interconnected arteries of infrastructural asset management (e.g. roads, ports, rail, aviation
and telecommunications) that provide an essential gateway to global markets (DBIS, 2013).
The omnipresent threat of cyber-espionage and crime
Prior to meticulous review of papers an established understanding of the omnipresent threat
of cyber-espionage and crime is required. The implementation of smart city technologies has
inadvertently increased the risk of cyber-attack facilitated through expansive networked
systems (Mayo, 2016). However, cyber-crime has been largely overlooked within the built
environment and academic consensus concurs that a cavernous gap exists between the state
of security in practice and the achieved level of security maturity in standards (Markets and
Markets, 2014). Security specialists and practitioners operating smart buildings, grids and
infrastructures are said to coexist in a redundant dichotomy. Instead, academic and policy
attention has focused upon either: hypothesized scenarios within international security
studies (e.g. the protection of military, industrial and commercial secrets) (Rid, 2012); policy
planning for cyber-warfare (McGraw, 2013); and/or the safety of computer systems or
networks per se rather than cyber-physical attack (activities that could severely impact
upon nuclear enrichment, hospital operations, public building operation and maintenance
ECAM
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
and traffic management) (Stoddart, 2016). Threats from cyber-crime have arisen partially
because of the increased adoption rate of networked devices but also as a result of industry’s
operational dependency upon IT systems (Boyes, 2013b).
Cyber-criminals are particularly adept at harnessing the intrinsic intangible value of digital
assets (BSI, 2015) and can decipher the digital economy and its intricacies more perceptively
than their counterpart industrialists and businesses that are under attack (Kello, 2013). The
most recent “WannaCry”ransomware attack personified the sophisticated measures deployed
by cyber-criminals in navigating networks and identifying, extracting and monetizing data
found (Hunton, 2012). While the inherent value of digital assets to owners and creators is often
indeterminate, cyber-criminals manipulate data and information to encrypt, ransom or sell it
piecemeal (Marinos, 2016). Several prominent instances of unsecure critical infrastructure
assets being physically damaged by persistent cyber-crime have been widely reported
upon (Peng et al., 2015). These include: the STUXNET worm that disarmed the Iranian
industrial/military assets at a nuclear facility (Lindsay, 2013); and the malware “WannaCry”
that caused significant damageto the UK’s National Health Service patient databases, German
railway operations and businesses globally (Clarke and Youngstein, 2017). Cyber-attacks
remain an omnipresent national security threat to a digital economy’s prosperity and digital
built environment’s functionality and safety. Reporting upon a veritable plethora of threats
posed presents significant challenges, as cyber-attacks engender greater anonymity as a
malicious activity (Fisk, 2012). Nevertheless, known cases and revolutionary deterrents will
form the premise upon which this literature review is based.
Cyber-space, cyber-physical attacks and critical infrastructure hacks
In the UK, security analysts from MI5 and MI6 have warned that industrial cyber-espionage is
increasing in prevalence, sophistication and maturity, and could enable an entire shutdown of
critical infrastructure and services including power, transport, food and water supplies
(Hjortdal, 2011). A number of pre-eminent politically driven infrastructure intrusions support
this assertion and serve as illustrative examples that a prediction of a global pandemic may
prove to be distressingly accurate. These intrusions include: the Russian led cyber-attacks on
digital infrastructures (banking, news outlets, electronic voting systems) in Estonia in 2007
(Lesk, 2007); the Chinese led hacking of the US electricity network in 2009 (Hjortdal, 2011); and
the USA led intrusion of Iranian nuclear plant facilities in 2005 (Denning, 2012).
Cyber-space constitutes the global, virtual, computer based and networked environment,
consisting of “open”and “air gapped”internet which directly or indirectly interconnects
systems, networks and other infrastructures critical to society’s needs (European
Commission, 2013). Within the vast expanse of cyber-space, Kello (2013) proffers that
three partially overlapping territories coexist, namely: the world wide web of nodes
accessible via URL; the internet consisting of interconnected computers; and the
“cyber-archipelago”of computer systems existing in isolation from the internet residing
within a so-called air gap. A CDE hosted on any of the aforementioned territories is
precariously exposed to cyber-physical attack (Figure 1).
Cyber-attack utilizes code to interfere with the functionality of a computer system for
strategic, ambiguous, experimental or political purposes (Nye, 2017). Gandhi et al. (2011)
expand upon this definition, stating that cyber-attack constitutes: “any act by an insider or
an outsider that compromises the security expectations of an individual, organization, or
nation.”Cyber-attacks can take many forms, for example, from publicized web defacements,
information leaks, denial of service (DoS) attacks, and other cyber actions sometimes related
to national security or military affairs. Cyber-physical attacks can cause disruption or
damage to physical assets thus posing serious threats to public health and safety, and/or the
desecration of the environment (Peng et al., 2015). One of the earliest publicly disclosed
cyber-physical attacks took place during the Cold War period, when a Soviet oil pipeline
Common data
environment
vulnerabilities
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
exploded due to a so-called logic bomb. The NIST (2017) framework for enhancing the
ability of critical infrastructures to withstand cyber-physical attacks proposes that two
distinct dichotomous domains must be secured, namely, information technologies (IT) and
industrial control systems (ICS) (Rittinghouse and Hancock, 2003). Common threats incurred
via IT and ICS include: theft of intellectual property; massive disruption to existing
operations; and destruction, degradation or disablement of physical assets and operational
ability (Szyliowicz, 2013). The European Union Agency for Network and Information
Security outlines multiple common sources of nefarious attacks in its malware taxonomy,
including: viruses; worms; trojans; botnets; spywares; scarewares; roguewares; adwares;
and greywares (Marinos, 2016).
Such attacks are made possible via a huge cyber-attack surface within cyber-space,
where every circa 2,500 lines of code presents a potential vulnerability that is identified by a
hacker’s reconnaissance (Nye, 2017). Reconnaissance is the first and most important stage
for a successful cyber-attack and seeks to determine the likely strategy for the intrusion
(Marinos, 2016). Strategies vary but prominent methods include: scanning; fingerprinting;
footprinting; sniffing; and social engineering (refer to Table I).
Cyber-attack motivations and cyber-actors and incident analysis
The RISI database contains a comprehensive record of cyber-physical attack incidents
categorized as either confirmed or likely but confirmed (RISI, 2015). However, prominent
commentators contend that attacks are more prevalent than reports suggest and that
victims are often reluctant to disclose malicious cyber-attacks against themselves due to
potential reputational damage being incurred (Reggiani, 2013). Cyber-physical attacks are
therefore shrouded in secrecy by states and private companies, and many states have
already conceded the current digital arms race against a panoply of cyber-actors (or
“hackers”) including: hacktivists, malware authors, cyber-criminals, cyber-militias,
cyber-terrorists, patriot hackers and script kiddies.
Cyber-actors are frequently classified within one of three thematic categories, namely:
white hats; grey hats; and black hats, where the color of the hat portrays their intrinsic
intentions. White hats are predominantly legitimately employed security researchers who
perform simulated penetration testing hacks to assess the robustness of an organization’s
cyber-enabled systems (Cavelty, 2013). They do not have malevolent intentions but rather
LEVELS OF BIM
LOW TO MEDIUM VULNERABILITY MEDIUM TO HIGH VULNERABILITY
BIM
LEVEL 0
LOW
VULNERABILITY
LOW
VULNERABILITY
MEDIUM
VULNERABILITY
HIGH RISK
VULNERABILITY
BIM
LEVEL 1
BIM
LEVEL 2
BIM
LEVEL 3
URL
SQL
SQL DWG XML
DWG XML
INFORMATION
FORMAT 2D CAD 2D CAD+ 3D 3D
LOD 7
ARCHIVED
URL NODES
INTERCONNECTED
COMPUTER
COMPUTER
ARCHIPELAGO
PUBLISHED
SHARED
WORK IN
PROGRESS
LOD 6
LOD 5
LOD 4
LOD 3
LOD 2
LOD 1
INFORMATION
EXCHANGE
PAPER-BASED
COLLABORATION
i
FILE-BASED
COLLABORATION
OBJECT MODEL-BASED
COLLABORATION NETWORK-BASED
COLLABORATION
LOW TO MEDIUM
VULNERABILITY
MEDIUN TO HIGH
VULNERABILITY
Figure 1.
Cyber vulnerabilities
of CDE environment
adapted from BSI
levels of BIM
ECAM
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
Thematic group
Industrial sector Author(s) Journal
National
and global
security
Smart
cities
Critical
infrastructure
Industrial
control
systems
Mobile or
cloud
computing
Digitalization
of built
environment
Percentage frequency across the four journal types 54.7% 40.4% 50% 40.4% 59.5% 28.5%
Architecture, Engineering,
Construction and Owner-
operated (AECO)
Chong et al. (2014) Automation in Construction |||
Howell et al. (2017) Automation in Construction || | |
Kochovski and
Stankovski (2018)
Automation in Construction |||
Fisk (2012) Intelligent Buildings
International
|
Mike (2006) Journal of Facilities
Management
|| |
Eom and Paek (2006) Journal of Information
Technology in Construction
(ITcon)
||
Jaatun et al. (2014) Procedia Engineering ||||
Koo et al. (2015) Procedia Engineering ||||
Nicałand Wodyński
(2016)
Procedia Engineering ||
Wang et al. (2011) Procedia Engineering || |
Percentage frequency in AECO journals 20% 40% 30% 50% 90% 60%
Transport and infrastructure Patel et al. (2009) Communications of the ACM |||
Wang and Lu (2013) Computer Networks || | |
Liu et al. (2012) IEEE, Communications
Surveys & Tutorials
|| |
Jones (2016) IEEE, Engineering &
Technology
|| | | |
Paridari et al. (2016) IEEE, International
Conference on Cyber-Physical
Systems (ICCPS)
||||
Ryan (2017) International Journal of Critical
Infrastructure Protection
|| |
Papa (2013) Transport Policy ||
(continued )
Table I.
Emerging thematic
groups in extant
literature
Common data
environment
vulnerabilities
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
Thematic group
Industrial sector Author(s) Journal
National
and global
security
Smart
cities
Critical
infrastructure
Industrial
control
systems
Mobile or
cloud
computing
Digitalization
of built
environment
Reggiani (2013) Transport Policy |
Reniers and Dullaert
(2013)
Transport Policy ||
Szyliowicz (2013) Transport Policy ||
Zamparini and Shiftan
(2013)
Transport Policy |
Percentage frequency in transport and infrastructure journals 54.5% 54.5% 81.8% 27.2% 36.3% 18.1%
Information technology Hunton (2012) Computer Law & Security
Review
|| |
Weber and Studer
(2016)
Computer Law & Security
Review
|| | |
Metke and Ekl (2010) IEEE Transactions on Smart
Grid
||
Tan et al. (2018) IEEE Transactions on Smart
Grid
|| |
Xue et al. (2016) IEEE Trustcom/BigDataSE/
ISPA
|| | |
Ani et al. (2017) Journal of Cyber Security
Technology
|| | | |
Govinda (2015) Procedia Technology || | |
Rasmi and Jantan
(2013)
Procedia Technology ||
Safavi et al. (2013) Procedia Technology |
Shitharth and
Winston (2015)
Procedia Technology || | |
(continued )
Table I.
ECAM
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
Thematic group
Industrial sector Author(s) Journal
National
and global
security
Smart
cities
Critical
infrastructure
Industrial
control
systems
Mobile or
cloud
computing
Digitalization
of built
environment
Percentage frequency in information technology journals 40% 60% 80% 20% 90% 30%
Political science/international
relations
Brantly (2014) Democracy and Security |||
Kello (2013) International Security |
Lindsay (2015) International Security || | | |
Nye (2017) International Security |||
Cavelty (2013) International Studies Review |
Canfil (2016) Journal of International
Affairs
|
Hjortdal (2011) Journal of Strategic Security ||
McGraw (2013) Journal of Strategic Studies ||
Stoddart (2016) Political Science Quarterly ||
Betz and Stevens
(2013)
Security Dialog |||
Lindsay (2013) Security Studies ||
Percentage frequency in political science/international relations journals 100% 9% 18.2% 63.6% 27.2% 9%
Table I.
Common data
environment
vulnerabilities
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
act on behalf of security companies and concomitant public interest (F-Secure, 2014).
Contemporary cyber-Robin Hood(s) (or hacktivists) fall within the grey hat category and act
as vigilantes to puncture prevailing power structures (such as Government) by
embarrassing them with distributed denial of service (DDos) attacks, web defacements,
malware, ransomware and trojans. These hacktivists often dabble with illegal means to
hack but believe that they are addressing a social injustice and/or otherwise supporting a
good cause. Black hats are often affiliated with a criminal fraternity or have other malicious
intent (Cavelty, 2013). These criminals deploy the same tools used by grey and white hat
hackers, but with the deliberate intention to cause harm, vandalism, sabotage, website
shutdown, fraud or other illegitimate activities. Many states have increasingly focused upon
grey hats who have become the new uncontrolled source of hacking (Betz and Stevens,
2013). Table II highlights a number of prominent critical infrastructures hacks extracted
from the RISI database and cross references these against the motivations and cyber-actors.
Blurred lines: governments and civilians
State and non-state actors represent a two pronged source of malicious attacks or threats
facing the AECO sector; motivations for these actors are fueled by various catalysts,
including patriotism, liberal activism, political ideology, criminal intent and hobby interests
(Hjortdal, 2011; Rahimi, 2011). A state is a political entity (“government”) that has
sovereignty over an area of territory and the people within it (Rahimi, 2011). Within this
entity, state actors are persons who are authorized to act on its behalf and are therefore
subject to regulatory control measures (Betz and Stevens, 2013). A state actor’s role can be
myriad but often it strives to create positive policy outcomes through approaches such as
social movement coalitions (cf. Stearns and Almeida, 2004). Conversely, non-state actors are
persons or organizations who have sufficient political influence to act or participate in
international relations for the purpose of exerting influence or causing change even though
they are not part of government or an established institution (Betz and Stevens, 2013). Three
key types of legitimate non-state actors exist: intergovernmental organizations such as the
United Nations, World Bank Group and International Monetary Fund, which are established
by a state usually through a treaty (Betz and Stevens, 2013); international non-government
organizations such as Amnesty International, Oxfam and Greenpeace which are non-profit,
voluntary organizations that advocate or otherwise pursue the public good (i.e. economic
development and humanitarian aid) (UN); and multinational corporations who pursue their
own business interests largely outside the control of national states (UN). Illegitimate
non-state actors include terrorist groups and hacktivists acting upon a range of different
motivations including personal gain, digital coercion, malevolence and indoctrination of
others using ideological doctrine (Brantly, 2014). Since the millennium, governments
globally have become increasingly aware of cyber-crime and threats stemming from such
non-state actors. Some of the more notable actors include: Anonymous (Betz and Stevens,
2013); Ghost Net (Hunton, 2012); The Red Hacker Alliance (Fisher, 2018); Fancy Bear
“Прикольный медведь”(Canfil, 2016); and Iranian Cyber Army (Rahimi, 2011).
However, the boundary delineation between state actors and non-state actors engaging
in cyber-physical attacks has become increasingly blurred (Betz and Stevens, 2013; Papa,
2013). Such attribution has wider implications for the national security of states and
national responsibility for non-state actors who often act on behalf of the state, under
incitement of nationalistic and ideological motivation (Brantly, 2014). Henderson (2008)
aptly describes such blurred lines between governments and civilians by using Chinese
cyber-patriot hackers as an exemplar:
The alliance is exactly who and what they claim to be: an independent confederation of patriotic
youth dedicated to defending China against what it perceives as threats to national pride.
ECAM
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
Standard Title Description
BS ISO/IEC
29100:2011
(ISO, 2011)
Information Technology.
Security Techniques. Privacy
Framework
This standard is applicable to organizations and businesses,
providing a privacy framework for those “involved in
specifying, procuring, architecting, designing, developing,
testing, maintaining, administering, and operating
information and communication technology systems or
services”with personally identifiable information (PII)
BS ISO/IEC
27001:2013
(ISO, 2013)
Information Technology.
Security Techniques.
Information Security
Management Systems.
Requirements
This international standard provides a framework for the
management of an information security management system
(ISMS) in order to keep digital information assets secure from
cyber-criminal activities and information breaches; it
encompasses procedures for creating, implementing,
operating, auditing and maintaining an ISMS. The standard
can be applied within organizations of any size, nature or type
IET/CPNI
Technical
Briefing
(IET, 2013)
Resilience and Cyber Security
of Technology in the Built
Environment
This document applies to professionals involved in the
development, procurement and operation of intelligent or
smart buildings. The guidance considers the whole building
lifecycle and examines the potential threats to resilience and
cyber security arising from the merging of technical
infrastructure and computer-based systems and their
connection in cyber-space. Case studies are provided plus a
set of 20 critical measures which could be applied to reduce
threats
PAS
555:2013
(BSI, 2013)
Cyber Security Risk.
Governance and Management.
Specification
The specification uses a business-led, “outcomes-based
approach”which studies physical, cultural and behavioral
features alongside technical ones, to aid organizations in
detecting which of their business assets need most protection,
e.g., corporate and customer data, intellectual property, brand
or reputation. The approach can be applied to any size/type of
organization, throughout its business activities
PAS
754:2014
(BSI, 2014c)
Software Trustworthiness.
Governance and Management.
Specification
This document identifies five principles of software
trustworthiness (safety, reliability, availability, resilience and
security) which should be attained when implementing
software on distributed applications in order to reduce the
risks from potential malicious threats. These principles are
based upon four concepts: governance measures; risk
assessment; control application for risk management
(physical, procedural and technical) and a compliance regime
to ensure execution of the first three
IET
Standards
(IET, 2014)
Code of Practice for Cyber
Security in the Built
Environment
This book provides good practice guidance on the need for,
and development of, cyber security strategy and policy
related to a building’s complete lifecycle as an integral part of
an organization’s management systems, with particular
emphasis on cyber physically connected building-related
systems. The pertinence of cyber security to each of the
multidisciplinary roles and responsibilities within an
organization is provided
PAS
1192-5:2015
(BSI, 2015)
Specification for Security-
minded Building Information
Modeling, Digital Built
Environments and Smart Asset
Management
This is the first standard published for security minded use of
BIM and digitalization of built assets. Relevant to all owners
and stakeholders of digitally built assets, it assists in
assessing security risks to the asset and implementing
measures to reduce the risk of loss or disclosure of
information which could impact on the safety and security of:
the built asset; personnel and other users of the asset and its
services; and commercial and other asset data and
information
Table II.
Industry standards
and codes of best
practice on cyber
security in the
AECO sector
Common data
environment
vulnerabilities
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
A componential analysis of literature
From an operational perspective, the review protocol sourced published journal materials
contained within Science Direct, Web of Science, Scopus and Research Gate databases.
Keyword search terms used included: cyber security, hacking and any of the following
variations of the word cyber crime/cybercrime/or cyber-crime. Following a comprehensive
review of the journals, four prominent and pertinent clusters of industrial settings were
selected to provide the contextual sampling framework and knowledge base for the
analysis, namely: AECO; transport and infrastructure; information technology; and political
science/international relations. These clusters were selected because they contained the
majority of the journal publications on cyber-crime. Within the clusters, six recurrent
leitmotifs were identified: national and global security; smart cities; critical infrastructure;
ICS; mobile or cloud computing; and digitalization of the built environment. A cross
comparative componential analysis was then conducted (refer to Table III).
The componential analysis reveals: the percentage frequency that each of the identified
thematic groups occur across the four industrial classifications; and the percentage
frequency that each thematic group occurs within each individual industrial classification.
In ascending order of frequency across all four sectors, the most popular discussed topics
were: mobile cloud computing (59.5 percent); national global security (54.7 percent) and
critical infrastructure (50 percent); smart cities (40.4 percent); ICS (40.4 percent); and
digitization of the built environment (28.5 percent). Yet curiously within the AECO sector, an
inordinate amount of effort was input into mobile and cloud computing (90 percent); and
digitization of the built environment (60 percent) while far less attention was paid to critical
infrastructure (30 percent); and national and global security (20 percent). Moreover, none of
the papers reviewed were heavily focused upon expounding the virtues and concomitant
benefits of digitization but were similarly obvious to the omnipresent threat of cyber-crime
posed via the vulnerable CDE portal.
A CDE is commonly established during the feasibility or concept design phases of a
building/infrastructure project (BSI, 2014a, b). An information manager will then manage and
validate the processes and procedures for the exchange of information across a network for
each key decision gateway stage (including: work in progress, shared, published and archive
stages). Cloud-based CDE platforms are ubiquitous but common solutions include: ProjectWise;
Viewpoint (4P); Aconex; Asite; and SharePoint (Shafiq et al., 2013). The internal work flow and
typical external information exchange in BIM relies upon the re-use and sharing of information
Reconnaissance Technique Definition Example
In an active manner to monitor network packets passing
between hosts, or passive manner to transmit specially
created packets to the target machine and analyze the
response (Peng et al., 2015)
Scanning Ping sweep Network scanning is integral to stealthy information gathering from
a computer system. Prior knowledge of the operating system (OS) is
combined with the use of one of a plethora of readily available tools,
in order to identify and map out potential vulnerabilities on a target
network
Port scan
Network Mapping
Fingerprinting (OS)
Footprinting
Sniffing
Social Engineering
Device fingerprinting endeavors to break the privacy of URL
developers by revealing user actions and anonymity. It utilizes the
information collected from a remote computing device for the purpose
of uniquely identifying the device (Formby et al., 2016). Fingerprinting
can be used to identify the OS used on the target system
Footprinting is a process of obtaining as much information about the
target to be hacked as possible by drawing down open source
information from the internet. Footprinting is the most convenient way
of gathering information about a computer system and/or parties such
belong to
Sniffing has been likened to wiretapping and can be used to obtain
sensitive information that is being transferred over a network, such as:
FTP passwords; e-mail traffic; web traffic; telnet passwords; router
configurations; chat sessions; and DNS traffic. “Industrial Control
Systems (ICS)/Supervisory Control and Data Acquisition (SCADA)
sniffing” activites pose an imminent threat to cyber-physical connected
devices in buildings, factories and large industrial plants
Social engineering is an attack vector that relies upon tricking people
into breaking security procedures. Consequently, these are used to
exploit an individual’s weaknesses, typically employees and other
individuals who are familiar with the system. When successfully
implemented, hackers can help obtain information about the targeted
system
Techniques include: port scanning to identify the
available and open ports, DNS enumeration to locate the
domain name server and IP address, and PING sweeping
to map the IP address to a live host (Rittinghouse and
Hancock, 2003)
During footprinting a hacker can use passive or active
means to obtain information such as: domain name; IP
addresses; namespaces; employee information; phone
numbers; e-mails; and job information
“Havex” Malware reported, by F-Secure laboratories, is the
first of its kind since STUXNET and attempts to “sniff”
factory automation gear such as ICS and SCADA systems
(F-Secure Labs, 2014). Anonymized victims have included:
two major educational institutions in France; two German
industrial machine producers; one French industrial machine
producer; and a Russian structural engineering construction
company (F-Secure Labs, 2014)
Two common methods adopted are the physical gaining
of access to a computer through deception or the use of
phishing e-mails, which involves sending personalized
e-mails to targeted employees in an attempt to make them
click malicious links contained within
Table III.
Common
reconnaissance
techniques
ECAM
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
in a CDE. Integrating BIM (and other file databases, e.g., IFC, GBXML, CSV, DWG, XML)
within a CDE ensures a smooth flow of information between all stakeholders and is specified
and articulated through its levels of development or design (Eastman et al., 2011; Lin and
Su, 2013). The level of design (LOD) is classified on a linear scale ranging from LOD 1 (covering
a conceptual “low definition”design) to LOD 7 (for an as-built “high definition”model). With
each incremental increase in LOD, the range and complexity of asset information within models
built begins to swell and the data contained within becomes accessible to an increased amount
of stakeholders. As a consequence, the magnitude of potential cyber-crime also increases and it
is imperative therefore, that effective cyber security deterrence measures are set.
Perhaps the most crippling aspect of deterrence is the poor rate of attribution (also
known as tracebacking or source tracking); where attribution seeks to determine the
identity or location of an attacker or attacker’s intermediary (Brantly, 2014). Affiliation
further exacerbates attribution rates, for example, nefarious and malicious attacks on
critical infrastructure by non-state “patriot”actors who proclaim cyber-warfare in the name
of nationalist ideologies can create ambiguity with state actors (Lindsay, 2015). Extant
literature widely acknowledges that states actively recruit highly skilled hackers to
counter-attack other state governed cyber-activities, in particular against critical
infrastructure assets (Thomas, 2009). Yet the paucity of identification or disclosure of
attacker identities has made the hacking culture even more enticing for both non-state
actors and state actors. Whilst network attribution or IP address traceability to a particular
geographical region is possible, lifting the cyber veil to reveal the affiliation between the
attacker and their government remains difficult (Canfil, 2016). In the case of potential threats
to the AECO sector, attribution of industrial cyber-espionage remains an imminent threat
not only to the business in operation but also for the nation state security.
Cyber-deterrence
Cyber-deterrence measures rely largely upon good practice adopted from standards ISO
27001 and ISO 27032 (ISO, 2012, 2013). In the context of the digital built environment (and
specifically BIM), recently published cyber security good practice manual PAS 1198-Part 5
suggests deploying five measures of deterrence: a built asset security manager; a built asset
security strategy; a built asset security management plan; a security breach/incident
management plan; and built asset security information requirements. For other sources of
cyber security guidance PAS 1198-Part 5 recommends adherence to other pre-existing
legislative documentation –refer to Table IV.
Other ambiguous guidance notes that refer to taking “appropriate mitigation strategies”
have largely ignored the increased vulnerability of semantic and geometric information that
is sustained within a BIM (BSI, 2013, 2014c). For example, Institute of Engineering and
Technology (Boyes, 2013b) report, entitled: “Resilience and Cyber Security of Technology in
the Built Environment”, states that:
Unauthorised access to BIM data could jeopardise security of sensitive facilities, such as banks,
courts, prisons and defence establishments, and in fact most of the Critical National Infrastructure.
Deterrence measures recommended in PAS 1192-5 have largely overlooked BIM data
contained within a CDE and the onslaught of cyber-physical connectivity in critical
infrastructures (Liu et al., 2012). Currently, the most common means of deterrence for
cyber-physical connectivity in critical BMS infrastructures is via network segregation (the
firewall) (Mayo, 2016) and secure gateway protection (encryption) for securing from external
threats complicit with ANSI/ISA-99 (ANSI, 2007). However, in a digital economy where over
50bn devices are continuously communicating, neither firewalls nor encryption alone can
guarantee effective cyber security. Hence, a more robust systemic means of data integrity is
required in the digital built environment.
Common data
environment
vulnerabilities
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
Block chain –a new frontier for cyber-deterrence
Under the alias Satoshi Namamoto, the Bitcoin (crypto currency) was published as the first
block chain application on the internet (Turk and Klinc, 2017). This advancement opened a
springboard of applications that utilize block chain technology to remove third party
distribution of digital assets using peer-to-peer sharing (Turk and Klinc, 2017). While the
majority of current applications have utilized crypto currency and smart contracts, the
applications for digital asset transference seem limitless. Block chain’s earliest applications
were in economics (Huckle et al., 2016); software engineering (Turk and Klinc, 2017); Internet
of Things (Zhang and Wen, 2016); and medicine (Yue et al., 2016) –albeit, more recently
applications within the built environment have been explored (Sun et al., 2016). Block chain
technology has the potential to overcome the aforementioned cyber security challenges
faced in the digital environment, as a result of its distributed, secure and private nature of
data distribution. A positive correlation exists between an increasing number of
collaborators (or peers) within a CDE and the potential to secure such assets in a peer-to-peer
environment which thrives and increases in security.
Block chain technology is suitable for sectors with increased risk of: fraud –such as
susceptible, crucial infrastructures containing sensitive industrial information that is at risk
from industrial espionage, intermediaries –for example, providers of BMS systems and
other IT software vendors hosting sensitive infrastructure asset details; throughput –such
as operators updating and sharing asset information in a CDE; and stable data –for
instance, data generated for built assets can be utilized for up to 40 years post project
inception. Block chain technology offers better encryption against hacking than any other
current deterrence measures available and is commonly suggested in the cyber security
standards available (Turk and Klinc, 2017).
The application of block chain technology within digital built asset information
exchange is suggested due to its secure framework for data transference. Block chain
technology has been hailed as a hacker/tamper safe ecosystem for digital asset transfers
(Turk and Klinc, 2017). Figure 2 delineates a ten stage process to demonstrate how the
existing functionality of block chain technology can be harnessed in a CDE environment
when sharing sensitive digital information about assets –namely: asset information is
securely shared via a network (e.g. URL nodes, interconnected computer networks or an air
Motivation Actor Example
Black Hat Hacktivists USA, 2014 – Power and utilities – Hackers took advantage of a weak password vulnerability where mechanical devices were disconnected from
the control system for scheduled maintenance
Poland, 2008 – Transport – A 14-year old Polish student hacked into the tram system, enabling him to change track points in Lodz. 4 trams were
derailed and as a consequence 12 people were injured
USA, 2001 – Petroleum – The network monitoring personal computer (PC) provided a path from the internet, via the company business network,
onto the automation network. This made the company vulnerable to the Code Red Worm, used to deface the automation web pages of a large
oil company
Script kiddies
Cyber insiders
Cyber terrorists
Malware authors
Patriot hackers
Cyber militias
Script kiddies
Ordinary citizens
Hacktivists
Script kiddies
Organized cyber
criminals
Ego, personal animosity,
economic gain
Grey Hat
Ambiguous
White Hat
Idealism,
creativity,
respect for the
law
Spain, 2011 – Traffic – Spanair flight 5,022 crashed just after take-off from Madrid-Brajas International Airport killing 154 with 18 survivors.
Trojan malware detected on the central computer system is speculated to have played a role in the crash by causing the computer to fail to
deliver power to the take-off early warning system and detect three technical problems with the aircraft
Iran, 2012 – Petroleum – Iran was forced to disconnect key oil facilities after suffering a malware attack which it is believed hit the internal
computer systems at Iran’s oil ministry and its national oil company
USA and Europe, 2014 – Energy sector – Operating since 2011, the Dragonfly group has targeted defence and aviation companies in USA
and Canada cyber-espionage with the likely intention of sabotage. In 2013, the group targeted USA and European energy firms, gaining entry
through: spear phishing e-mails, malware, watering hole attacks and infecting legitimate software from three different industrial control systems
(ICS) equipment manufacturers
Canada, 2012 – Energy sector – Telvent Canada Ltd., provider of software and services for remote administration of large sections of the
energy industry, was subject to information theft. Installed malware was used to steal project files related to one of its key products. The digital
fingerprints were traced to a Chinese hacking group (the “Comment Group”), linked to cyber-espionage against Western interests
Iran, 2010 – Nuclear – The Stuxnet malworm was responsible for damaging crucial centrifugal devices used for Uranium enrichment at the
Natanz nuclear plant causing it to be shut down for week. This remains as one of the most profilic cyber-physical attacks in an exemplified
case of government and civilian blurred lines and created a new forefront of cyber militia, becoming the first proclaimed cyber weapon
USA, 2012 – Water/waste management – A former employee of the Key Largo Wastewater Treatment District hacked the company resulting
in modification and deletion of files
Venezuela, 2002 – Petroleum – Venezuela’s state oil company became embroiled in a bitter strike when it was extensively sabotaged by an
employee who gained remote access to a program terminal and erased all Programmable Logic Controller (PLC) programs in port facility
Canada, 2002 – Petroleum – A white hat hacker simulated an attack on a data center security (DCS), where network access to the control local
area network (LAN) was used to connect to selected DCS operator stations and obtain full administration privileges. This was accomplished
through the vulnerabilities in the Windows operating system and a number of Netbios that lacked proper password protection
USA, 2014 – Traffic – One of the first hacks on a traffic management system was incurred on road signs in San Francisco, where the signs
were photographed flashing “Godzilla Attack! Turn Back”
Source: Available online at www.risidata.com
Table IV.
Snapshot of cyber-
physical hacking
examples from the
RISI online incident
database
ECAM
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
gapped internet); asset data (whether a 3D or digital model) are converted into a block which
represent a digital transaction of asset data; stakeholder interaction within a federated CDE
environment will receive a tracked record of the individual transaction created by nodes
sharing the block; block chain miners (usually computer scientists) validate and maintain
the newly created block chain; payment methods for block chain miners vary but a group of
miners enter into a competitive process where the first to validate the block chain receives
payment; the federated block chain environment is approved; the new block is added to the
existing chain of digital transactions to extend the block chain; the digital asset can now be
securely shared upon validation; to hack the network, assailants would need to hack every
single node within the block chain, thus making the task far more difficult; the network of
nodes created by multiple stakeholders’transactions provides a more sophisticated and
secure approach to protecting digital assets when compared to encryption and firewalls.
Herein lies the novelty of this review –blockchain technology can offer a potential
framework to future AECO software applications and systems designed to secure the
transfer of sensitive project data in a BIM and CDE environment.
Limitations and future work
Contrary to within the fields of computer science, political science/international relations
and international law, cyber security is far less understood within the AECO sector (Mayo,
2016). Consequently, existing controls are inadequate and poorly managed. Key findings
emanating from these other eminent fields provide invaluable insights into the cyber
security technologies and developments (such as block chain) that can be successfully
transferred and applied to critical infrastructure within the AECO sector to address current
deficiencies (Baumeister, 2010). However, successful practitioner alignment and knowledge
enhancement requires time and investment for additional research and testing of such
concepts (Metke and Ekl, 2010) –such exceeded the current confines of this review paper.
Within the international security research realm, the following predispositions have
ASSET NEEDS TO BE
SHARED SECURELY
ASSET IS CONVERTED
INTO A BLOCK
BLOCK IS BROADCAST TO ALL
NODES IN FEDERATED CDE
ENVIRONMENT
BLOCK CHAIN MINERS
COMPETE TO MINE NEW
BLOCK
BLOCK CHAIN IS EXTENDED
WITH NEW DIGITAL ASSET
XML DWG
DWG
XML
FEDERATED CDE
ENVIRONMENT APPROVES
BLOCK CHAIN MINER
VALIDATES BLOCK AGAINST
CHAIN
BLOCK OF DIGITAL ASSET
IS SHARED SECURELY
BLOCK CHAIN OF ASSETS NEEDS TO
BE HACKED INDIVIDUALLY ACROSS AN
ENTIRE NETWORK
BLOCK CHAIN OF
SHARING ASSETS
i) ii) iii) iv)
v) vi) vii)
viii) ix) x)
Figure 2.
Block chain
technology application
with digital built asset
information exchange
Common data
environment
vulnerabilities
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
weakened scholarly understanding of cyber-threat occurrences and the likelihood of attacks
on critical infrastructure. These limitations require future work, namely:
(1) Improved understanding of motivations –an inordinate amount of attention is paid
to “cyber-threats”under the guise of malevolent lines of code. Yet finding a
resolution to the root cause of cyber-crime requires a deeper understanding of the
motivations behind such malicious scripts and attacks.
(2) Address the specific operational threats to bespoke critical infrastructure –each
individual critical infrastructure project (e.g. hospitals, nuclear facilities, traffic
management systems) has bespoke operational functionality and hence different
vulnerabilities. Mapping of these vulnerabilities is required as a first step to
developing efficient and effective risk mitigation strategies to better secure assets.
(3) Distinguish between physical destruction and theft –literature and standards have
predominantly focused upon data protection within the context of cyber-attack.
However, physical damage has received far less attention even though such could lead
to catastrophic economic damage. Greater distinction between physical destruction
and theft is therefore needed to delineate the scale and magnitude of cyber-crime.
(4) Consolidate greater international governmental collaboration –cyber-attacks can
readily cross international borders and national law enforcement agencies often find it
difficult to take action in jurisdictions where limited extradition arrangements are
available. Although standard international agreements have been made on such
issues (cf. the Budapest Convention on Cyber-crime), which seek to criminalize
malevolent cyber-activities, notable signatories (such as China and Russia) are absent.
Far greater cooperation between sovereign states is therefore urgently needed to
develop robust international agreements that are supported by all major governments.
(5) Gauge practitioner awareness –future work should seek to identify existing
predispositions and awareness of cyber-attack and cyber-crime amongst AECO
professionals either through in depth interviews or practitioner surveys. Case
studies are also required to measure and report upon contemporary industry
practice and how any cyber-crime incidents were managed.
(6) Proof of concept –development and testing of an innovative proof of concept
blockchain application specifically designed for AECO professionals. Such
developmental work would allow the thorough testing of blockchain technology
in practice to confirm or otherwise its effectiveness.
Future work
To reconcile the challenges of future work, researchers and practitioners within the AECO
sector will have to investigate how to adopt cyber-deterrence approaches applied within more
technologically advanced and sensitive industries such as aerospace and automotive. Such
knowledge transference may propagate readily available solutions to challenges posed. Cyber
security awareness and deterrence measures within the BIM and CDE process will help secure
critical infrastructure, developed, built and utilized –the challenges and opportunities identified
here require innovative solutions such as block chain technologies to transform standard
industry practice and should be augmented with far greater industry-academic collaboration.
Conclusion
Infrastructure provides the essential arteries and tributaries of a digital built environment
that underpins a contemporary digital economy. However, cyber-attack threatens the
ECAM
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
availability and trustworthiness of interdependent networked services on both corporate
and national security levels. At particular risk are the critical infrastructure assets (such
as energy networks, transport and financial services) hosted on large networks connected
to the internet (via a CDE) to enable cost-efficient remote monitoring and maintenance.
Any disruption or damage to these assets could have an immediate and widespread
impact by jeopardizing the well-being, safety and security of citizens. To combat the
potential threat posed, greater awareness among AECO stakeholders is urgently
needed; this must include governments internationally and private sector partners
collaborating together to expand upon existing ISO and BIM-related standards for
improved response to a cyber-incident. As well as preventative measures, reactive
national plans are required (i.e. raising cyber security awareness on government funded
BIM projects) to quickly deal with breaches in security and ensure services are provided
with minimum disruption.
It is argued in this paper that the CDE adopted with BIM in the AECO sector acts as a
springboard for the wider stakeholder engagement with networked data sharing in a
centralized manner yielding such systems vulnerable for future cyber-physical attacks. The
pinnacle of cyber security research breakthroughs in cryptography have resulted in the
development of decentralized block chain technology. It is hypothesized that block chain
technology offers a novel and secure approach to storing information, making data
transactions, performing functions and establishing trust, making it suitable for sensitive
digital infrastructure data contained in BIM and CDE environment high security
requirements. While block chain applications are largely at a nascent stage of development
within the AECO sector, this review paper has highlighted its novel application to fortify
security of digital assets residing within a BIM and CDE environment –thus extending
applications beyond its origins in crypto currency. Future research will be required to prove,
modify or disprove this hypothesis presented. However, block chain alone cannot guarantee
total immunity to cyber-attacks so additional research is required to: understand the
motivations for cyber-attack/crime; identify the specific operational threats to bespoke
critical infrastructure and develop appropriate strategies to mitigate these; develop more
exhaustive international standards (or enhance existing standards) to distinguish between
physical destruction and theft; and establish measures needed to consolidate greater
international governmental collaboration.
References
Ani, U.P.D., He, H. and Tiwari, A. (2017), “Review of cybersecurity issues in industrial critical
infrastructure: manufacturing in perspective”,Journal of Cyber Security Technology, Vol. 1 No. 1,
pp. 32-74.
ANSI (2007), “ISA-99.00.01-2007 security for industrial automation and control systems; part 1:
terminology, concepts, and models”, ISA, available at: https://web.archive.org/web/20110312
111418/www.isa.org/Template.cfm?Section=Shop_ISA&Template=%2FEcommerce%
2FProductDisplay.cfm&Productid=9661 (accessed February 9, 2019).
Baumeister,T.(2010),“Literature review on smart grid cyber security, collaborative software
development laboratory at the University of Hawaii”, available at: www.tbaumeist.com/
publications/LiteratureReviewOnSmartGridCyberSecurity_2010.pdf (accessed February 9, 2019).
Bessis, N. and Dobre, C. (2014), Big Data and Internet of Things: A Roadmap for Smart Environments,
ISBN: 978-3-319-05029-4, Springer International Publishing, London.
Betz, D.J. and Stevens, T. (2013), “Analogical reasoning and cyber security”,Security Dialogue, Vol. 44
No. 2, pp. 147-164.
Boyes, H. (2013a), “Cyber security of intelligent buildings”,8th IET International System Safety
Conference Incorporating the Cyber Security Conference,Cardiff.
Common data
environment
vulnerabilities
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
Boyes, H. (2013b), Resilience and Cyber Security of Technology in the Built Environment the Institution of
Engineering and Technology, IET Standards Technical Briefing, London, available at: www.
theiet.org/resources/standards/-files/cyber-security.cfm?type=pdf (accessed February 9, 2019).
Bradley, A., Li, H., Lark, R. and Dunn, S. (2016), “BIM for infrastructure: an overall review and
constructor perspective”,Automation in Construction, Vol. 71 No. 2, pp. 139-152.
Brantly, A.F. (2014), “The cyber losers”,Democracy & Security, Vol. 10 No. 2, pp. 132-155.
BSI (2013), “PAS 555:2013 cyber security risk”, Governance and Management Specification, available at:
https://shop.bsigroup.com/ProductDetail/?pid=000000000030261972 (accessed February 9, 2019).
BSI (2014a), PAS 180 Smart Cities, Vocabulary, British Standards Institution, London, available at:
www.bsigroup.com/en-GB/smart-cities/Smart-Cities-Standards-and-Publication/PAS-180-smart-
cities-terminology/ (accessed February 9, 2019).
BSI (2014b), PAS 1192-3 Specification for Information Management for the Operational Phase of Assets
using Building Information Modelling, British Standards Institution, London, available at:
https://shop.bsigroup.com/ProductDetail/?pid=000000000030311237 (accessed February 9, 2019).
BSI (2014c), PAS 754:2014 software trustworthiness: governance and management, Specification,
available at: https://shop.bsigroup.com/ProductDetail/?pid=000000000030284608 (accessed
February 9, 2019).
BSI (2015), PAS 1192-5 (2015) Specification for Security Minded Building Information Modelling,
Digital Built Environments and Smart Asset Management, British Standards Institution,
London, available at: https://shop.bsigroup.com/ProductDetail/?pid=000000000030314119
(accessed February 9, 2019).
Canfil, J.K. (2016), “Honing cyber attribution: a framework for assessing foreign state complicity”,Journal
of International Affairs, Vol. 70 No. 1, pp. 217-226, available at: www.questia.com/read/1G1-
476843518/honing-cyber-attribution-a-framework-for-assessing (accessed February 9, 2019).
Cavelty, M.D. (2013), “From cyber-bombs to political fallout: threat representations with an impact in
the cyber-security discourse”,International Studies Review, Vol. 15 No. 1, pp. 105-122.
Chong, H.Y., Wong, J.S. and Wang, X. (2014), “An explanatory case study on cloud computing
applications”,Automation in Construction, Vol. 44, pp. 152-162.
Clarke, R. and Youngstein, T. (2017), “Cyberattack on Britain’s national health service”,New England
Journal of Medicine, Vol. 377, August, pp. 409-411.
DBIS (2013), “Smart city market: opportunities for the UK”, Department for Business, Innovation and
Skills, BIS Research Papers Ref: BIS/13/1217, DBIS, London, available at: www.gov.uk/
government/publications/smart-city-market-uk-opportunities (accessed February 9, 2019).
Denning, D. (2012), “Stuxnet: what has changed?”,Future Internet, Vol. 4 No. 3, pp. 672-687.
Eastman, C., Eastman, C.M., Teicholz, P., Sacks, R. and Liston, K. (2011), BIM Handbook: A Guide to
Building Information Modeling for Owners, Managers, Designers, Engineers and Contractors,
ISBN: 978-0-470-54137-1, John Wiley & Sons, Hoboken, NJ.
Edwards, D.J., Pärn, A.E., Love, P.E.D. and El-Gohary, H. (2017), “Research note: machinery,
manumission, and economic machinations”,Journal of Business Research, Vol. 70, January,
pp. 391-394.
Eom, S.-J. and Paek, J.-H. (2006), “Planning digital home services through an analysis of customers
acceptance”, ITcon, Vol. 11, Special issue IT in Facility Management, pp. 697-710, available at:
www.itcon.org/2006/49 (accessed February 9, 2019).
European Commission (2013), Cybersecurity Strategy of the European Union: An Open, Safe and Secure
Cyberspace, JOIN 1 Final, European Commission, Brussels, available at: https://eeas.europa.eu/
archives/docs/policies/eu-cyber-security/cybsec_comm_en.pdf (accessed February 9, 2019).
Ficco, M., Choraś, M. and Kozik, R. (2017), “Simulation platform for cyber-security and vulnerability
analysis of critical infrastructures”,Journal of Computational Science, Vol. 22, September,
pp. 179-186.
ECAM
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
Fisher, R.D. (2018), “Cyber warfare challenges and the increasing use of American and European dual-use
technology for military purposes by the people’s Republic of China (PRC)”, United States House of
Representatives, Committee on Foreign Affairs, Birmingham, available at: http://archives-
republicans-foreignaffairs.house.gov/112/Fis041511.pdf (accessed February 9, 2019).
Fisk, D. (2012), “Cyber security, building automation, and the intelligent building”,Intelligent Buildings
International, Vol. 4 No. 3, pp. 169-181.
Formby, D., Srinivasan, P., Leonard, A., Rogers, J. and Beyah, R.A. (2016), “Who’s in control of your
control system? Device fingerprinting for cyber-physical systems”,Network and Distributed
System Security Symposium (NDSS),February 26–March 1,San Diego, CA.
F-Secure Labs (2014), “Havex hunts for ICS and SCADA systems”, available at: www.f-secure.com/
weblog/archives/00002718.html (accessed February 9, 2019).
Gandhi, R., Sharma, A., Mahoney, W., Sousan, W., Zhu, Q. and Laplante, P. (2011), “Dimensions of
cyber-attacks: cultural, social, economic, and political”,IEEE Technology and Society Magazine,
Vol. 30 No. 1, pp. 28-38.
Govinda, K. (2015), “Design of smart meter using Atmel 89s52 microcontroller”,Procedia Technology,
Vol. 21, pp. 376-380, available at: https://doi.org/10.1016/j.protcy.2015.10.053
Henderson, S. (2008), “Beijing’s rising hacker stars: how does mother China react?”, IO Sphere Journal,
Birmingham, February 28, available at: www.noexperiencenecessarybook.com/jplV6/beijing-39-
s-rising-hacker-stars-how-does-mother-china-react.html (accessed February 9, 2019).
Hjortdal, M. (2011), “China’s use of cyber warfare: espionage meets strategic deterrence”,Journal of
Strategic Security, Vol. 4 No. 2, pp. 1-24.
HM Government (2013), Building Information Modeling Industrial Strategy: Government and Industry
in Partnership, Government Construction Strategy, London, available at: www.gov.uk/
government/uploads/system/uploads/attachment_data/file/34710/12-1327-building-information-
modelling.pdf (accessed February 9, 2019).
HM Government (2015), Digital Built Britain: Level 3 Building Information Modelling –Strategic Plan,
26 February 2015, HM Publications, London, available at: www.gov.uk/government/
publications/uk-construction-industry-digital-technology (accessed February 9, 2019).
Howell, S., Rezgui, Y. and Beach, T. (2017), “Integrating building and urban semantics to
empower smart water solutions”,Automation in Construction, Vol. 81, September,
pp. 434-448.
Huckle, S., Bhattacharya, R., White, M. and Beloff, N. (2016), “Internet of things, blockchain and shared
economy applications”,Procedia Computer Science, Vol. 98, pp. 461-466, available at: https://doi.
org/10.1016/j.procs.2016.09.074
Hunton, P. (2012), “Data attack of the cybercriminal: investigating the digital currency of cybercrime”,
Computer Law & Security Review, Vol. 28 No. 2, pp. 201-207.
IET (2013), “Resilience and cyber security of technology in the built environment”, Institution of
Engineering and Technology, Birmingham, available at: www.theiet.org/resources/standards/
cyber-buildings.cfm?origin=pr (accessed February 9, 2019).
IET (2014), “Code of practice for cyber security in the built environment”, Institution of Engineering
and Technology, Birmingham, available at: https://electrical.theiet.org/books/standards/cyber-
cop.cfm? (accessed February 9, 2019).
ISO (2011), “ISO/IEC 29100:2011 information technology –security techniques –privacy framework”,
available at: www.iso.org/standard/45123.html (accessed February 2018).
ISO (2012), 27032 Information Technology –Security Techniques –Guidelines for Cybersecurity,
International Organization for Standardization (ISO), Geneva, available at: www.itgovernance.
co.uk/shop/product/iso27032-iso-27032-guidelines-for-cybersecurity (accessed February 9, 2019).
ISO (2013), 27001 The International Information Security Standard, International Organization for
Standardization (ISO), Geneva, available at: www.itgovernance.co.uk/iso27001 (accessed
February 9, 2019).
Common data
environment
vulnerabilities
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
Jaatun, M.G., Røstum, J., Petersen, S. and Ugarelli, R. (2014), “Security checklists: a compliance alibi, or a
useful tool for water network operators?”,Procedia Engineering, Vol. 70, pp. 872-876.
Jones, L. (2016), “Securing the smart city: built environment cyber security”,Engineering and
Technology, Vol. 11 No. 5, pp. 30-33, doi: 10.1049/et.2016.0501.
Kello, L. (2013), “The meaning of the cyber revolution: perils to theory and statecraft”,International
Security, Vol. 38 No. 2, pp. 7-40.
Kochovski, P. and Stankovski, V. (2018), “Supporting smart construction with dependable edge
computing infrastructures and applications”,Automation in Construction, Vol. 85, January,
pp. 182-192.
Koo, D., Piratla, K. and Matthews, C.J. (2015), “Towards sustainable water supply: schematic
development of big data collection using internet of things (IoT)”,Procedia Engineering,
Vol. 118, pp. 489-497.
Lesk, M. (2007), “The new front line: Estonia under cyber assault”,IEEE Security & Privacy, Vol. 5
No. 4, pp. 76-79.
Levy, Y. and Ellis, T.J. (2006), “A systems approach to conduct an effective literature review in support
of information systems research”,Informing Science, Vol. 9, pp. 181-212, available at: http://
inform.nu/Articles/Vol9/V9p181-212Levy99.pdf (accessed February 9, 2019).
Lin, S., Gao, J. and Koronios, A. (2006), “Key data quality issues for enterprise asset management in
engineering organisations”,International Journal of Electronic Business Management, Vol. 4
No. 1, pp. 96-110, available at: http://ijebm.ie.nthu.edu.tw/IJEBM_Web/IJEBM_static/Paper-V4_
N1/A10-E684_3.pdf (accessed February 2018).
Lin, Y.C. and Su, Y.C. (2013), “Developing mobile-and BIM-based integrated visual facility maintenance
management system”,The Scientific World Journal, Vol. 2013, 10pp., available at: https://doi.org/
10.1155/2013/124249
Lindsay, J.R. (2013), “Stuxnet and the limits of cyber warfare”,Security Studies, Vol. 22 No. 3, pp. 365-404.
Lindsay, J.R. (2015), “The impact of China on cybersecurity: fiction and friction”,International Security,
Vol. 39 No. 3, pp. 7-47.
Liu, J., Xiao, Y., Li, S., Liang, W. and Chen, C.P. (2012), “Cyber security and privacy issues in smart
grids”,IEEE Communications Surveys & Tutorials, Vol. 14 No. 4, pp. 981-997.
McGraw, G. (2013), “Cyber war is inevitable (unless we build security in)”,Journal of Strategic Studies,
Vol. 36 No. 1, pp. 109-119.
McNulty (2011), “Realising the potential of GB Rail –final independent report of the rail value for
money study –summary report”, Department for Transport, London, available at: www.gov.uk/
government/uploads/system/uploads/attachment_data/file/4203/realising-the-potential-of-gb-
rail-summary.pdf (accessed February 9, 2019).
Marinos, L. (2016), ENISA Threat Taxonomy: A Tool for Structuring Threat Information,
European Union Agency for Network and Information Security, Birmingham, available at:
www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-
landscape/etl2015/enisa-threat-taxonomy-a-tool-for-structuring-threat-information/view
(accessed February 9, 2019).
Markets and Markets (2014), “Smart HVAC controls market by product type, components, application,
operation & geography –analysis and forecast to 2014–2020”, Birmingham, available at:
http://goo.gl/Ay2LjI (accessed February 9, 2019).
Mayo, G. (2016), “Bas and cyber security: a multiple discipline perspective”, in Long, S., Ng, E.-H.,
Downing, C. and Nepal, B. (Eds), Proceedings of the American Society for Engineering Management
2016 International Annual Conference, American Society for Engineering Management, Concord,
NC, available at: www.researchgate.net/publication/309480358_BAS_AND_CYBER_SECURITY_
A_MULTIPLE_DISCIPLINE_PERSPECTIVE (accessed February 2018).
Metke, A.R. and Ekl, R.L. (2010), “Security technology for smart grid networks”,IEEE Transactions on
Smart Grid, Vol. 1 No. 1, pp. 99-107.
ECAM
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
Mike, T. (2006), “Integrated building systems: strengthening building security while decreasing
operating costs”,Journal of Facilities Management, Vol. 4 No. 1, pp. 63-71.
Mokyr, J. (1992), “Technological inertia in economic history”,The Journal of Economic History, Vol. 52
No. 2, pp. 325-338.
Nicał, A.K. and Wodyński, W. (2016), “Enhancing facility management through BIM 6D”,Procedia
Engineering, Vol. 164, pp. 299-306, available at: https://doi.org/10.1016/j.proeng.2016.11.623
NIST (2017), “Framework for improving critical infrastructure cybersecurity”, National Institute of
Standards and Technology, Draft Vesion 1.1, January 10, Birmingham, available at: www.google.co.
uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0ahUKEwiq0orLhOHUAhVkBsAKHf
JLB6oQFgg8MAE&url=https%3A%2F%2Fwww.nist.gov%2Fdocument%2Fdraft-cybersecurity-
framework-v11pdf&usg=AFQjCNGCtebSkMYn_Eo8A-49ANj7TEz2NA&cad=rjt (accessed
February 9, 2019).
Nye, J.S. (2017), “Deterrence and dissuasion in cyberspace”,International Security, Vol. 41 No. 3, pp. 44-71.
Papa, P. (2013), “US and EU strategies for maritime transport security: a comparative perspective”,
Transport Policy, Vol. 28, pp. 75-85.
Paridari, K., Mady, A.E., La Porta, S., Chabukswar, R., Blanco, J., Teixeira, A., Sandberg, H. and
Boubekeur, M. (2016), “Cyber-physical-security framework for building energy management
system”,ACM/IEEE 7th International Conference on Cyber-Physical Systems (ICCPS), Vienna,
pp. 1-9, doi: 10.1109/ICCPS.2016.7479072.
Pärn, E.A. and Edwards, D.J. (2017), “Conceptualizing the FINDD API plug-in: a case study of BIM/FM
integration”,Automation in Construction, Vol. 80, August, pp. 11-21.
Patel, S.C., Bhatt, G.D. and Graham, J.H. (2009), “Improving the cyber security of SCADA
communication networks”,Communications of the ACM, Vol. 52 No. 7, pp. 139-142.
Peng, Y., Wang, Y., Xiang, C., Liu, X., Wen, Z. and Chen, D. (2015), “Cyber-physical attack-oriented
Industrial Control Systems (ICS) modeling, analysis and experiment environment”,International
Conference on Intelligent Information Hiding and Multimedia Signal Processing, pp. 322-326.
Rahimi, B. (2011), “The agonistic social media: cyberspace in the formation of dissent and consolidation
of state power in postelection Iran”,The Communication Review, Vol. 14 No. 3, pp. 158-178.
Rasmi, M. and Jantan, A. (2013), “A new algorithm to estimate the similarity between the intentions of
the cyber crimes for network forensics”,Procedia Technology, Vol. 11, pp. 540-547.
Reggiani, A. (2013), “Network resilience for transport security: some methodological considerations”,
Transport Policy, Vol. 28, July, pp. 63-68.
Reniers, G.L.L. and Dullaert, W. (2013), “A method to assess multi-modal hazmat transport security
vulnerabilities: hazmat transport SVA”,Transport Policy, Vol. 28, July, pp. 103-113.
Rid, T. (2012), “Cyber war will not take place”,Journal of Strategic Studies, Vol. 35 No. 1, pp. 5-32.
RISI (2015), “The repository of industrial security incidents database”, Birmingham, available at:
www.risidata.com/Database (accessed February 9, 2019).
Rittinghouse, J. and Hancock, W.M. (2003), Cybersecurity Operations Handbook, Elsevier Science,
Amsterdam, ISBN: 978-1-55558-306-4.
Ryan, D.J. (2017), “Engineering sustainable critical infrastructures”,International Journal of Critical
Infrastructure Protection, Vol. 17, pp. 28-29.
Safavi, S., Shukur, Z. and Razali, R. (2013), “Reviews on cybercrime affecting portable devices”,
Procedia Technology, Vol. 11, pp. 650-657.
Shafiq, M.T., Matthews, J. and Lockley, S.R. (2013), “A study of BIM collaboration requirements and
available features in existing model collaboration systems”,Journal of Information Technology
in Construction (ITcon), Vol. 18, pp. 148-161.
Shitharth, S. and Winston, D.P. (2015), “A comparative analysis between two countermeasure
techniques to detect DDoS with sniffers in a SCADA network”,Procedia Technology, Vol. 21,
pp. 179-186.
Common data
environment
vulnerabilities
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
Stearns, L.B. and Almeida, P.D. (2004), “The formation of state actor-social movement coalitions and
favorable policy outcomes”,Social Policy, Vol. 51 No. 4, pp. 478-504.
Stoddart, K. (2016), “Live free or die hard: US-UK cybersecurity policies”,Political Science Quarterly,
Vol. 131 No. 4, pp. 803-842.
Sun, J., Yan, J. and Zhang, K.Z. (2016), “Blockchain-based sharing services: what blockchain technology
can contribute to smart cities”,Financial Innovation, Vol. 2 No. 1, pp. 1-26, doi: 10.1186/s40854-
016-0040-y.
Szyliowicz, J.S. (2013), “Safeguarding critical transportation infrastructure: the US case”,Transport
Policy, Vol. 28 No. C, pp. 69-74.
Tan, S., Song, W.Z., Stewart, M., Yang, J. and Tong, L. (2018), “Online data integrity attacks against
real-time electrical market in smart grid”,IEEE Transactions on Smart Grid, Vol. 9 No. 1,
pp. 313-322.
Thomas, N. (2009), “Cyber security in East Asia: governing anarchy”,Asian Security,Vol.5No.1,pp.3-23.
Toy, S. (2006), History of Fortification from 3000 BC to AD 1700 (No. 75), Pen and Sword Military
Classics, Barnsley, ISBN: 1-88415-358-4.
Turk, Ž. and Klinc, R. (2017), “Potentials of blockchain technology for construction management”,
Procedia Engineering, Vol. 196, pp. 638-645.
UN (2014a), “2014 revision of the world urbanization prospects”, Birmingham, available at: https://goo.gl/x
wOSDS (accessed February 9, 2019).
UN (2014b), “World urbanization trends 2014: key facts”, Statistical Papers –United Nations (Ser. A),
Population and Vital Statistics Report, United Nations, New York, NY.
UN (2015), “World population projected to reach 9.7 billion by 2050”, Birmingham, available at: www.
un.org/en/development/desa/news/population/2015-report.html (accessed February 9, 2019).
Walsham, G. (1995), “The emergence of interpretivism in is research”,Information Systems Research,
Vol. 6 No. 4, pp. 376-394.
Wang, S., Zhang, G., Shen, B. and Xie, X. (2011), “An integrated scheme for cyber-physical building
energy management system”,Procedia Engineering, Vol. 15, pp. 3616-3620.
Wang, W. and Lu, Z. (2013), “Cyber security in the smart grid: survey and challenges”,Computer
Networks, Vol. 57 No. 5, pp. 1344-1371.
Weber, R.H. and Studer, E. (2016), “Cybersecurity in the internet of things: legal aspects”,Computer
Law & Security Review, Vol. 32 No. 5, pp. 715-728.
Xue, N., Huang, X. and Zhang, J. (2016), “S2Net: a security framework for software defined intelligent
building networks”, IEEE Trustcom/BigDataSE/ISPA, Tianjin, August 23-26, pp. 654-661.
Yue, X., Wang, H., Jin, D., Li, M. and Jiang, W. (2016), “Healthcare data gateways: found healthcare
intelligence on blockchain with novel privacy risk control”,Journal of Medical Systems, Vol. 40
No. 10, pp. 218-229.
Zamparini, L. and Shiftan, Y. (2013), “Special issue –transport security: theoretical frameworks and
empirical applications”,Transport Policy, Vol. 28, pp. 61-62.
Zhang, Y. and Wen, J. (2016), “The IoT electric business model: using blockchain technology for IoT”,
Peer-to-Peer Networking and Applications, Vol. 10 No. 4, pp. 1-12.
Corresponding author
Erika A. Parn can be contacted at: erikaparn@gmail.com
For instructions on how to order reprints of this article, please visit our website:
www.emeraldgrouppublishing.com/licensing/reprints.htm
Or contact us for further details: permissions@emeraldinsight.com
ECAM
Downloaded by Ms erika parn At 03:58 18 March 2019 (PT)
