GAO: Agencies face cyber risk in building access systems
- By Mark Pomerleau
- Jan 23, 2015
The Homeland Security Department may have its hands full protecting the nation’s infrastructure from terrorist attacks, but the Government Accountability Office said the department needs to do much more to improve the cybersecurity of access and control systems in the thousands of buildings it operates.
In that area, DHS is only at square one, according to a recent GAO report.
According to the report, “no one at DHS is assessing or addressing cyber risk to building and access control systems particularly at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) as of October 2014.”
Moreover, the report said, DHS lacks a strategy that “defines the problem, identifies roles and responsibilities … and identifies a methodology for assessing this cyber risk.”
The Interagency Security Committee, the division within DHS responsible for physical security standards for nonmilitary facilities, has not incorporated policies related to cyber threats in building and access control systems. The ISC attributes this failure to recent incidents of active shooters and workplace violence, which it has deemed a priority over cyber threats.
GAO’s report cited cybersecurity experts who stated building and access control systems are vulnerable to cyber attacks, especially considering control systems were not originally designed with cybersecurity in mind.
Incorporating the cyber threat to building and access control systems will inform agencies about this threat so they can begin to assess its risk, the GAO said, “and could prevent federal agencies from expending limited resources on methodologies that may result in duplication.”
Examples of building and access control systems in federal buildings include closed circuit camera systems with surveillance apparatuses, access control systems with card readers, control panels, access control servers, and infrastructure that can restrict access behind certain doors.
In the name of efficiency, such systems are controlled centrally and sometimes through automation. Building and access control systems are configured through Internet connections, which enable them to be controlled from a remote location.
Some systems, such as information networks, are protected by a firewall, a common safeguard against unwelcomed cyber activity. Other systems, such as control devices and building automation systems are directly connected to the Internet.
GAO’s report noted that these systems can be targeted by corrupt employees that might hold a grudge against their former or current agency, criminal groups, hackers and/or terrorists. DHS witnessed a 74 percent increase in cyber incidents from fiscal year 2011 to 2014 that involved building and access control systems, according to the report.
Other consequences of a breach in federal building and access control systems include unauthorized access to facilities, damage of equipment, disabled or evacuated facilities and damage to government credibility.
“By not developing a strategy document for assessing the cyber risk to facility and security systems, DHS has not effectively articulated a vision for organizing efforts to address the cyber risk facing federal agencies that (it) is responsible for protecting,” GAO concluded.
The GAO leveled part of its criticism against the General Services Administration, which it said, “has not fully assessed the risk of building control systems to a cyber attack in a manner that is consistent with the Federal Information Security Management Act (FISMA).”
GSA IT officials said GSA had conducted security assessments of building control systems in about 500 of its 1,500 FPS-protected facilities and plans to complete the checks in the remainder the year or when systems are connected to the network or Internet,” according to the report.
About 20 of 110 security assessments GSA prepared between 2010 to 2014 were not consistent with FISMA guidelines, said GAO.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.