The UK’s leading cybersecurity agency has helped develop a newly revised industry code of practice designed to mitigate cyber risk in the built environment.
The Code of Practice: Cyber Security in the Built Environment document is essential reading for stakeholders involved in the design, management, operation and security of building-related systems.
It focuses on the security principles these stakeholders should apply to a wide range of technologies found in the built environment – that is, both individual buildings and built assets such as campuses, pipelines and transport infrastructure.
Developed by the National Cyber Security Centre (NCSC), the Institute of Engineering and Technology (IET), and the UK’s Centre for the Protection of National Infrastructure (CPNI), the code of practice was “extensively revised and restructured” to take account of a new era in connected technology.
“A building being designed today is, as you can expect, lightyears away from one designed only a few decades ago, and even more so from those designed and built in previous centuries that still stand in our towns and cities,” explained NCSC CTO for economy and society, Rich M.
“As the role and use of a building will evolve over its lifetime, it’s important to understand and consider its position in the super-connected modern environment and make efforts to protect those using the building: the tenants; their suppliers and visitors; even those using the structure to host technology rather than people, and the building’s own ‘in house’ systems.”
At the heart of the code is the principle of security-by-design, the idea that protective security measures are built into systems and engineering designs from the outset to save costs and prevent major incidents later on.
The code also calls for a holistic design covering both the physical security and the cybersecurity of the built asset, based on a risk assessment of any connected systems that might impact operational resilience or information assets.
The move comes just a few months after the NCSC released its first-ever cybersecurity guidance for the construction sector. Given the increasing digital footprint of firms operating in this area, the sensitive data they hold and the large sums of money they handle, such organizations have become an increasingly popular target for attackers.