CybersecurityCyber protection of DHS’s and other federal facilities is weak: GAO

Published 16 January 2015

While most cybersecurity threats against government agencies tend to focus on network and computer systems, a growing number of access control systems, responsible for regulating electricity use, heating, ventilation, and air-conditioning (HVAC), and the operation of secured doors and elevators are also vulnerable to hacking. .” GAO warns that despite the seriousness of the vulnerabilities, agencies tasked with securing federal facilities have not been proactive.

While most cybersecurity threats against government agencies tend to focus on network and computer systems, a growing number of access control systems, responsible for regulating electricity use, heating, ventilation, and air-conditioning (HVAC), and the operation of secured doors and elevators are also vulnerable to hacking. As more federal facilities subscribe to the Internet of Things — the connection of critical devices to the Web — those tasked with securing government buildings must be at the forefront of cybersecurity.

According to a 12 December 2014 report from the Government Accountability Offic (GAO), attacks on access control systems could “compromise security measures, hamper agencies’ ability to carry out their missions or cause physical harm to the facilities or their occupants.” GAO warns that despite the seriousness of the vulnerabilities, agencies tasked with securing federal facilities have not been proactive.

NextGov reports that hackers have already begun to take advantage of the cyber vulnerabilities posed by public and private sector access control systems. In 2009 a security guard at a Dallas hospital infiltrated fourteen computers including one that controlled the hospital’s HVAC system. GAO reports that incidents involving access control systems reported to DHS have increased by 74 percent over the past three years.

Still, “no one within DHS is assessing or addressing cyber risk to building and access control systems,” GAO investigators noted. In 2013, DHS’s National Protection and Programs Directorate (NPPD), tasked with reducing and eliminating threats to the nation’s critical physical and cyber infrastructure, conducted an assessment of the physical security and cybersecurity of a federal facility, but more work needs to be done, GAO wrote in the report; adding that DHS currently lacks a strategy that defines the various vulnerabilities within access control systems and identifies the DHS agencies that will address those vulnerabilities. DHS’s Federal Protective Service, a component of NPPD, is responsible for securing approximately 9,000 federal facilities including court houses and immigration centers, but the agency is just beginning to investigate the cyber risk to access control systems and DHS is far from implementing a strategy for dealing with the threats. NPPD has not developed a strategy “in part, because cyber threats involving these systems are an emerging issue,” the GAO report noted.

DHS’s Interagency Security Committee (ISC), which is responsible for developing physical security standards for nonmilitary federal facilities, has only recently begun to draft a set of guidelines for cybersecurity. Representatives for the committee told GAO they are currently focusing most of their efforts on securing facilities from active-shooter and workplace violence related incidents.

Concluding the report, GAO auditors recommended DHS develop a strategy for addressing cyber vulnerabilities within access control systems and to direct ISC to address such vulnerabilities in ISC’s list of undesirable events in its upcoming Design-Basis Threat report.