The US Department of Homeland Security (DHS) has fallen down on the job when it comes to addressing the potential cyber-risk to building and access controls systems in federal facilities.
That’s the word from the Government Accountability Office, which has issued a report chastising DHS for dropping the ball when it comes to the security of the computers that monitor and control building operations such as elevators, electrical power and heating, ventilation and air conditioning—computers that are increasingly connected to the internet.
“The increased connectivity heightens their vulnerability to cyber attacks, which could compromise security measures, hamper agencies' ability to carry out their missions, or cause physical harm to the facilities or their occupants,” GAO said in its report.
In fact, the GAO paints a fairly ugly picture of the department’s preparedness profile, noting that as of October 2014, no one at all within DHS is assessing or addressing cyber risk to building and access control systems at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS).
In fact, DHS has not been addressing the situation at all, according to the government watchdog.
“DHS lacks a strategy that: (1) defines the problem, (2) identifies the roles and responsibilities, (3) analyzes the resources needed, and (4) identifies a methodology for assessing this cyber risk. A strategy is a starting point in addressing this risk,” GAO said.
DHS itself told the GAO that it has not developed such a strategy, in part, because cyber-threats involving these systems are an emerging issue.
“By not developing a strategy document for assessing cyber-risk to facility and security systems, DHS [has] not effectively articulated a vision for organizing and prioritizing efforts to address the cyber-risk facing federal facilities that DHS is responsible for protecting,” the GAO blasted back.
Further, the Interagency Security Committee (ISC), which is housed within DHS and is responsible for developing physical security standards for nonmilitary federal facilities, has not incorporated cyber-threats to building and access control systems in its Design-Basis Threat report. This identifies numerous “undesirable events,” both cyber and otherwise, and an ISC official told the GAO that recent active shooter and workplace violence incidents have caused ISC to focus its efforts on policies in those areas first.
Nonetheless, GAO has “recommended” (gov-speak for officially calling out) that DHS direct ISC to revise its report to include cyber-threats to building and access control systems ASAP.
And finally, adding insult to injury, the investigation uncovered that the General Services Administration (GSA) has not fully assessed the risk of building control systems to a cyber-attack in a manner that actually identifies the elements of risk (e.g., threat, vulnerability and consequence). GSA also has not yet conducted any sort of security control assessments for many of its building control systems, leaving many of these aging mechanisms vulnerable. All of which is inconsistent with the Federal Information Security Management Act of 2002 (FISMA) and its implementation guidelines.
“For example, five of the 20 reports we reviewed showed that GSA assessed the building control device to determine if a user's identity and password were required for login but did not assess the system to determine if password complexity rules were enforced,” the GAO noted. “This could potentially lead to weak or insecure passwords being used to secure building control systems.”
GAO thus has also recommended that GSA assess cyber-risk of its building control systems fully, reflecting FISMA and its guidelines. Both DHS and GSA agreed with the recommendations (unsurprisingly) but no timeline has been set (also unsurprisingly).