Site Network and BIM Data Path Governance
Construction projects involve dozens of contractors sharing temporary networks on active sites. BIM models, structural calculations, and building management systems contain sensitive data that defines the physical security of the built environment.
A stolen BIM model does not just represent intellectual property loss. It provides a complete blueprint of a building's physical security systems, structural weaknesses, and access points.
- 100%: BIM data path isolation from site networks
- Zero: Persistent contractor access between visits
- 4: Site network zones with independent governance
- Full: BIM security and ISO 19650 compliance
Construction sites present unique network risks.
BIM Data Exposure
Building Information Models contain detailed structural, mechanical, and security system data that, if stolen, reveals the physical vulnerabilities of critical buildings.
Multi-Contractor Access
Dozens of subcontractors share temporary site networks with varying security standards, each creating potential entry points for attackers.
Temporary Infrastructure
Construction site networks are inherently temporary and often lack the security controls applied to permanent corporate infrastructure.
The Scenario
Scenario: BIM Data Theft from Critical Infrastructure Project
A subcontractor's laptop, connected to the construction site Wi-Fi, is compromised through an unpatched vulnerability. The attacker uses the site network to access the BIM collaboration server, downloading complete structural and security system models for a new government building. The models reveal every security camera location, access control point, and structural reinforcement detail. With Firevault Control, the BIM collaboration environment is physically separated from the general site network. Subcontractor access to BIM data requires multi-party authorisation and operates within controlled time windows. The compromised laptop cannot reach BIM systems because the path does not exist.
"We found the BIM model for a Ministry of Defence facility on a contractor's personal laptop. It contained the complete security system layout, structural details, and utility routing. The contractor had left the project six months earlier."
Where each Control module is deployed across office, project, site and supply chain.
Construction networks carry an office estate, project systems that hold BIM and designs, site networks that link plant and IoT, and a deep supply chain. Control puts a real boundary at the places that matter.
Grounded in PAS 1192-5 / ISO 19650-5 and NCSC supply chain guidance.
- Internet / Cloud (External). External traffic stops at the perimeter.
- Head office IT (IT). Office cannot reach project systems on its own terms.
- Project systems (IT). Where the designs live. Designs move to site on a named, controlled route.
- Site systems (Field). Supplier access opens on a schedule.
- Supply chain
- DMZ · trust boundary
- Crown jewels (Off-network)
Detail callout A: Offline Secure Storage
Designs, contracts, drawings, evidence and any record you have to keep recoverable.
Offline by design · secure by default
Modules & symbols
Where each module is deployed, and what it does there.
One row per module. Placement on the network, then plain-English purpose at that point.
- Firebreak. On the C0 to C1 link and the supply chain link. Real hardware off switches on the public and supplier boundaries, ready to cut the live path the moment a supply chain incident is called.
- Validate. On the C0 to C1 link and the C1 to C2 link. Requests crossing into project systems are checked for origin, integrity and authority.
- Isolate. On the C1 to C2 link. Office and project systems sit on their own fabrics. A compromise in office does not reach the designs.
- Transfer. On the C2 to C3 link. When designs and data move to site, Transfer governs the route and the landing point.
- Lock. On the C2 to C3 link. Site access ties to named users with the right role.
- Relay. On the supply chain link. Supplier access opens for the window of work and not a minute more.
- Unlink. On the supply chain link. When a supplier engagement ends, Unlink removes the persistent connection and the inherited trust.
Key Capabilities
Sovereign Project Data
All BIM models and project data remain within the agreed jurisdiction in secured Firevault Bunkers, meeting government construction security requirements.
Multi-Contractor Governance
Each contractor organisation receives isolated access paths with independent authorisation and logging, preventing cross-contractor compromise.
ISO 19650 Compliance
Automated compliance logging supports ISO 19650 information management requirements and government construction security standards.
Site Cellular Management
Out-of-band management via cellular connectivity ensures governance capability independent of temporary site network infrastructure.
Project Audit Trail
Every access to BIM data and building systems is recorded in tamper-proof logs that persist beyond the construction phase.
Project Data Archive
Verified baselines of project configuration ensure long-term preservation beyond the life of temporary construction site infrastructure.
Demo to Live
Adoption Guide
Project Security Assessment
Assess BIM data sensitivity, contractor access requirements, and building management system connectivity for the project or estate.
Site Zone Architecture
Design physically separated zones for general site access, BIM collaboration, building management, and corporate project systems.
Single Site Pilot
Deploy on a representative construction site with full contractor access governance, BIM data isolation, and compliance logging.
Estate-Wide Adoption
Standardised deployment across all construction sites with centralised data archives, continuous compliance evidence, and cellular management.
Speak to the team to organise a PoC
Walk through your blueprint with the Firevault team and scope a proof of concept on your estate. 30 minutes, no sales pitch.