NCSC shares cyber guidance for large infrastructure builds

The UK’s National Cyber Security Centre (NCSC) has published refreshed guidance for construction firms working on major infrastructure projects, such as HS2, developed in collaboration with both government and industry.

The NCSC has been working alongside construction sector kingpins such as Balfour Beatty and Sir Robert McAlpine, as well as the Department for Business, Energy and Industrial Strategy (BEIS) and the Centre for the Protection of National infrastructure (CPNI), to address the information security risks that dog projects of extreme size, value and complexity.

The resulting best practice guide – which is now available for interested parties to download from the NCSC website – offers advice to help firms keep sensitive data safe from malicious actors by offering tailored advice on the data created, stored and shared in joint venture projects. It covers physical, personnel and cyber security.

“Joint ventures in construction are responsible for some of the UK’s largest building projects and the data they handle must be protected to keep crucial infrastructure safe,” said Sarah Lyons, deputy director for economy and society resilience at the NCSC.

“Failure to protect this information not only impacts individual businesses but can jeopardise national security, so it’s vital joint ventures secure their sites, systems and data.

“By following this new guidance – a first-of-its-kind collaboration between industry and government – construction firms can help put a holistic strategy in place to effectively manage their risks.”

“With cyber attacks becoming increasingly more intelligent, cyber security and protecting our own, our employees, our supply chain and customers’ data has never been more important,” added Balfour Beatty CIO Jon Ozanne.

“The introduction of the new Information Security Best Practice guide will play a key role in helping to combat the operational risks faced across the sector; raising the standard and educating those to the measures required to protect against cyber threats.”

Sir Robert McAlpine CISO Andy Black said: “Cross industry collaboration is important to help the construction sector level up its approach to information security. We are grateful for this opportunity to share our expertise and collaborate with our peers, the NCSC, BEIS and CPNI to develop this best practice guide for joint ventures.”

Among the guide’s recommendations are:

• To establish information security governance and accountability within construction joint ventures, and to secure board-level engagement;
• To identify staff who will hold responsibility for assessing specific information security risks, and developing a shared information security strategy;
• To understand the specific risks and any regulatory requirements for the joint venture, and agree a shared risk appetite across all parties;
• And to develop and agree on a shared information security strategy to manage and mitigate the risks holistically, including physical, personnel and cyber risks.

Earlier this year, the NCSC issued more generalised cyber guidance for the construction industry, pitched more at small and medium-sized organisations and sole traders or contractors. This guide, which was co-written by the Chartered Institute of Building (CIOB), can be found here.

This guidance is split into two parts, with the first aimed at helping owners and managers in construction understand why they need to pay attention to cyber security and why it matters, and the second aimed at providing more practical advice for staff with responsibility for IT equipment within construction companies and on building sites.