When it comes to a non-Disclosure-Agreement, Cyber-security policy in the Construction Industry Is High-Risk for Backbone Infrastructures
I recently was issued an RFP from a government agency that included a non-disclosure-agreement (NDA), as well as a confidentiality agreement, for a public transportation project. Upon further inspection, the guidelines included strict protocols for document storage, sharing, reproduction, archiving, and destruction. Frankly, I was impressed.
I was impressed because I know that although these non-disclosure-agreement guidelines exist at most public agencies, I have never actually signed one, and this was the first time I can remember. Things have become more slack, Lax attitudes toward confidentiality and cyber-security mean that the agreements are poorly disclosed, implemented, and enforced. That is a cause for concern of who’s calling the shots.
Agency RFP design documentation is open-source to any Bozo with access.
Every day, RFPs with detailed drawings of public projects and their backbone infrastructures are more or less freely distributed to any contractor who purchase them. Even to a lay person, the implications of this must be staggering. Once drawings leave the agency, they are at risk of being used as guides for sabotage and terrorism.
The letting of a large transit project may publicly circulate hundreds of copies of drawings and specifications on the street. Only a handful of these will use the drawings if they are not contracted. What then? The drawings lay around the office for the taking, or perhaps in a dumpster somewhere – also open source.
A full set of drawings would show information that is easily interpreted. For example, the following inclusions of backbone systems:
- Life safety system networks
- Communication & Emergency Networks
- Command Centers
- Valve boxes
- Security camera locations
- Fibre optic splice boxes
- Fire Alarm Systems
- Project Logic Controllers (PLCs)
- Switch locations
- Access doors and hatches
- Safety disconnect locations
- Building Management Systems (BMS)
- Ventilation controls
- Structural specifications and details
- Interior layouts and room designations
-you get the idea: it’s pretty much everything. The natural question to ask is: “how then do we maintain secure bidding environments without creating these risks?”
There is no simple answer, however, we can mitigate our risk in the following ways:
- Mandate high level NDA and confidentiality agreements at all public agencies, and create a watchdog agency to enforce it
- Require certifiable archiving of bid documents by contractors
- Discontinue the process of providing high level system network diagrams in bid packages
- Incorporate security points or sensors at any and all system critical entry points: virtual and actual
- Discontinue the process of providing point to point (PTP) network wiring diagrams
- Limit network drawing distribution to a short-list of security cleared suppliers and especially, systems integrators.
- Publish a number of ‘decoy’ documents into circulation, so to at least create some confusion
- Revamp security protocols at the public agencies to be compliant with present security operations, and monitor them with independent oversight
There’s only so much we can do to stop saboteurs, terrorists, nut-jobs, but that doesn’t mean we should make it so easy for them. Cavalier attitudes and a lack of accountability are impediments to developing more robust measures of project deployment. So will be implementation of new protocols: nothing moves slower than change at the executive level – a circumstance very few of us can do anything about, save for increasing awareness, and demanding change.