Background
NUAR is a repository of information about underground assets, owned by statutory undertakers (i.e., utility companies) and public authorities (i.e. local, regional, and national). The initial use case for its creation related to safe digging, i.e., reducing the risk of accidental injury or death, reducing the economic harm arising from damage to the buried assets, and improving the efficiency of street works by reducing the time it takes for excavators to get asset owners’ data from 6 days to 6 seconds. NUAR contains data covering England, Wales and Northern Ireland. Scotland has its own system, the Community Apparatus Data Vault system (Vault for short).
The security advice provided to the NUAR team has thus far focussed on deterring, and to the extent feasible, denying its use as a hostile reconnaissance tool by parties seeking to disrupt asset operation and thus deny the service to users at infrastructure endpoints. A selection of security measures deployed in the system include:
- personnel security, such as security awareness briefings, limiting access by user role, with greater access provided to those in salaried roles within asset owners;
- information security, limiting information access by role, and provision of features to mask sensitive assets, where necessary.
- cyber security, related to the design, testing, monitoring and operation of the NUAR platform.
Access to NUAR data is limited to asset owners and their supply chain, with restrictions in place based on the asset owners’ service areas. An asset owner and their suppliers based for example in Cornwall cannot view asset information outside of the service area, such as in London.
A key consideration asset owners should be aware of is how the aggregation of underground asset information, both as a single source and in combination with other data sources, may be used in a harmful or malicious manner, whether at local, regional, or national scale.
Security minded approach
The remainder of this document explains the types of measures envisaged. The measures are viewed in terms of:
- Nature of access – how information is delivered in response to individual use cases, i.e., graphical (e.g. a map showing the extent of an asset owners’ service areas, or a map showing asset locations) or text (e.g. asset owner contact details). The bulk collection of geospatial information for use in training or exploiting artificial intelligence (AI) systems is a growing risk. It is therefore important to protect bulk data concerning underground assets and their association or relationships to other built assets and/or service or end users.
- Granularity – the level of detail presented to the user, this can range from detailed street-level information showing the anticipated location of individual underground assets, to summary information presented either as text or as graded information in respect of a hexagon grid [1] at varying levels of hexagon size.
- Extent – the scope of the area within which a user can access information. Existing options include radius, point, bounding box, and linear geometries. Potential future options include site (e.g. parcel of land registered with HMLR), regional or national.
- Legitimacy of access – to discourage hostile reconnaissance and third-party access to underground asset information about sensitive built assets/sites, appropriate measures should be deployed to determine whether access is legitimate. For example, the individual/organisation owns the site, or is undertaking an activity/task on behalf of the owner.
The above aspects contribute to creating and managing a culture that promotes security minded information management. Applied in an appropriate and proportionate manner the principles and measures described below aim to encourage responsible access to and use of infrastructure information.
[1] Based on H3: Uber’s Hexagonal Hierarchical Spatial Index, adapted to align with OS’s coordinate system.
Security Principles
The principles set out below represent guardrails protecting data supplied by asset owners from unauthorised access, use, distribution or disclosure.
1. Detailed location information for all underground assets should by default only be accessible to those involved in safe digging (i.e. planning or executing works involving or in the vicinity or underground assets). Other use cases shall be assessed on a case-by-case as to the level of detail and the scope of sectors or assets legitimately required. Such data should not be published under open terms,
2. To the extent practicable, unless specifically required as part of the use case, associations between underground assets and specific premises or sites should be avoided and ideally obfuscated,
3. To the extent practicable, unless specifically required as part of the use case, associations between individual or collections of underground assets and their individual or overall capacity should be avoided and ideally obfuscated,
4. Where a party that is not an asset owner is seeking information about asset locations, capacity, etc. the identity of the party, organisation and/or individual should be verified before access is granted,
5. Where a party requesting access claims to be an asset owner, but has not already been onboarded, appropriate due diligence should be applied to verify the authenticity of the party, and the extent of the area serviced by their underground assets,
6. All access to the NUAR data, including derived data is to be logged and retained for audit purposes,
7. By default, downloading of asset geospatial data for processing outside NUAR will not be permitted as this could enable uncontrolled replication, distribution and disclosure of asset data. Data in a static, read-only form (e.g., PDF work packs as per current working practices) is permissible, subject to appropriate controls. For example, technical and/or licencing measures to limit access to those for whom the static content was generated.
Note: it is assumed that asset owners are subject to an onboarding process, that includes authentication of the organisation, the area served by its assets and its agreement to abide by the terms and conditions associated with the platform or service. Once onboarded asset owners will have access to relevant asset information about underground assets in their service area, plus those in an appropriate guard zone surrounding the service area. The extent of the guard zone is likely to vary according to use case and type of user and area.
Potential Controls
Nature of access to NUAR data
The current system is designed to allow users to access detailed geospatial information in the form of a map with an overlay of assets. This is appropriate and proportionate for asset owners planning and undertaking safe digging. For other use cases, it may be more appropriate to provide relevant information, for example:
- What asset owners have connections to this site/property – provide underground asset owners’ name and contact details,
- Does the site/property have capacity for an increased load – to the extent that capacity information is available – a yes/no/unknown response with the underground asset owners’ name and contact details,
- Which statutory undertakers provide a service in this area – service area map.
- A filtered view of detailed information, for example only including sectors relevant to the use case
Granularity of spatial information
Except for use cases involving safe digging or the planning of safe digging, there is generally little justification for providing detailed asset maps covering all sectors. For example, in the feasibility and planning stages of heat network projects, the density of underground assets is a key factor. This type of information involves aggregation of information about the presence of assets in the highway and can be represented using hexagon grids to provide a heat map. The Annex illustrates how hexagons of varying sizes can be used to achieve aggregation on various scales.
Retention
There are two important considerations regarding retention of underground asset data by parties other than the asset owners:
a) security of data held by the non-asset owners, including measures to prevent unauthorised disclosure or further dissemination,
b) validity and continuing utility of data held outside of NUAR and asset owners’ systems, noting that such data may become obsolete due to network changes, or in the case of capacity data due to variations in network loads.
For safety and security reasons it is important that potentially outdated information is not used for decision-making. Where information is supplied in PDF file format, or equivalent, for use on site for safe digging, appropriate security protocols should be in place to securely delete file copies on completion of the relevant works, e.g., expiry of the relevant streetworks licence.
Geospatial extent accessed
As far as is practicable, the extent of the underground asset data access should be limited to that necessary to fulfil the use case, allowing for a small safety margin (i.e., buffer of a few metres) around the area of interest. Appropriate technical mechanisms should be deployed to detect and log any sequential or aggregate requests for access to proximate, adjacent or overlapping searches by a user. Where such activity appears to relate to an asset owner, the relevant account administrator should be contacted to confirm the legitimacy of such searches. Where such activity relates to a non-asset owner, the system administrators should take steps to investigate the legitimacy of such searches and in the interim consider suspending the user account pending the outcome of their enquiries.
Legitimacy of access to information
Where a developer, conveyancer, or member of the public seeks access to underground asset information, there should be a means of testing the legitimacy of the access request. This is necessary to prevent this type of access becoming a backdoor route to gaining access to NUAR data. An obvious case for legitimate access is a request from a land or property owner seeking to identify whether there are underground assets passing under the land/property or immediately adjacent to the property boundaries. In this scenario there is a need to validate the legitimacy of the request, e.g. via information held by HM Land Registry. Such validation would require validation of the user’s identity and their relationship to the ownership records.
Recommendation
The concepts in this document should form the security approach that inform development of security strategies, policies, processes and procedures regarding increasing access to underground, and to the extent practicable – above ground, national infrastructure assets covering the energy, water and telecoms sectors.
Annex - Spatial Geometry of Uber’s Hexagonal Hierarchical Spatial Index
|
Resolution |
Average edge length (Km) |
Average edge length (m) |
Average Hexagan Area (m2) |
|
0 |
1281.26 |
1,281,256.01 |
4,357,449,416,078.39 |
|
1 |
483.06 |
483,056.84 |
609,788,441,794.13 |
|
2 |
182.51 |
182,512.96 |
86,801,780,399.00 |
|
3 |
68.98 |
68,979.22 |
12,393,434,655.09 |
|
4 |
26.07 |
26,071.76 |
1,770,347,654.49 |
|
5 |
9.85 |
9,854.09 |
252,903,858.18 |
|
6 |
3.72 |
3,724.53 |
36,129,062.16 |
|
7 |
1.41 |
1,406.48 |
5,161,293.36 |
|
8 |
0.53 |
531.41 |
737,327.60 |
|
9 |
0.20 |
200.79 |
105,332.51 |
|
10 |
0.08 |
75.86 |
15,047.50 |
|
11 |
0.03 |
28.66 |
2,149.64 |
|
12 |
0.01 |
10.83 |
307.092 |
|
13 |
0.00 |
4.09 |
43.87 |
|
14 |
0.00 |
1.55 |
6.267 |
|
15 |
0.00 |
0.58 |
0.895 |
Hexagons at resolutions 5 to 13 potentially provide granular flexibility for aggregation of underground asset information. The resolution level selected should be proportionate to the granularity of summary data necessary to satisfy the use case.