The Convergence Point
Building Information Modelling has evolved well beyond its origins as a 3D drafting tool. Modern BIM models for major infrastructure projects contain not just the geometric information of the physical asset, but rich data about the systems embedded in that asset: mechanical equipment specifications, electrical system design, control panel locations, network infrastructure routing, instrumentation placement, and increasingly, the data architecture of the operational technology networks that will control the facility once it is commissioned.
That evolution has created a convergence point that the infrastructure engineering community has not fully recognized: BIM models now contain detailed information about OT network topology — information that has significant security implications if the model is not itself properly secured and if the OT design information it contains is not reviewed through a cybersecurity lens during the design phase.
What BIM Models Reveal About OT Systems
A detailed BIM model for a water treatment plant, a power substation, or a district cooling facility contains the location of every PLC cabinet, every SCADA workstation, every HMI, every network switch in the control system, and the routing of the control system cabling between them. It contains the logical architecture of the control system — which equipment is controlled by which PLC, how the PLCs communicate with each other and with the supervisory SCADA system, and how the SCADA system connects to the corporate IT network for reporting and remote access.
This information is essential for the engineering team designing and installing the control system. It is also a detailed map of the OT network topology that a threat actor with access to the BIM model could use to plan an attack on the facility’s operational technology systems. The same information that makes the BIM model useful for engineering is what makes it valuable to a malicious actor — if they can access it.
The Design Stage Integration Opportunity
The convergence of BIM and OT cybersecurity creates a significant opportunity that most infrastructure projects are not currently capturing: the integration of OT security review into the BIM design process at the point when the OT network architecture is being developed.
When OT security specialists review the BIM model at the network architecture design stage — typically at 30-40% design completion — they can identify security weaknesses in the OT network design and recommend modifications before the architecture is committed to detailed design and procurement. A network segmentation gap that is visible in the BIM model at 35% design is resolved through a design revision. The same gap discovered during commissioning requires physical network modifications, software reconfiguration, and delays to the commissioning programme.
The practical process is straightforward: include OT security review as a formal gate in the BIM design review process, alongside structural, mechanical, and electrical reviews. The OT security reviewer examines the control system design elements of the BIM model against the applicable security framework (IEC 62443, NCA OTCC) and produces a findings report with design-stage recommendations. The project team incorporates the recommendations into the design before the review milestone.
Digital Twin Security
The convergence extends into operations through digital twins. A digital twin that contains real-time OT operational data — sensor readings, equipment status, network traffic patterns — is an information asset that requires the same security consideration as the OT environment itself. If the digital twin is connected to the OT network and accessible through the corporate IT environment or externally, the security of that connection needs to be designed as carefully as the security of the OT network it mirrors.
Concept Dash’s combined BIM and OT cybersecurity capability — integrating our digital twin practice with our OT security team — positions us to provide this integrated design review for infrastructure projects in Saudi Arabia. If you are developing a BIM model for a facility that will have significant OT infrastructure, the time to integrate the security review is now, not at commissioning. Contact us to discuss how this can be incorporated into your project’s design workflow.
Leave a Reply