Amid reports that US Central Command’s social media accounts were attacked by hackers claiming allegiance to the Islamic State (IS), the Government Accountability Office (GAO) issued an audit report indicating DHS is unprepared to address the increasing vulnerability of federal facilities to cyber attacks.
GAO found the Department of Homeland Security (DHS)—the agency responsible for protecting federal facilities—lacks a strategy to address cyber risk to building and access control systems in federal facilities. Consequently, the nearly 9,000 federal facilities protected by Federal Protection Services (FPS) remain vulnerable to cyber threats.
“Federal facilities contain building and access control systems—computers that monitor and control building operations such as elevators, electrical power, and heating, ventilation, and air conditioning—that are increasingly being connected to other information systems and the Internet,” GAO said.
The GAO auditors added, “The increased connectivity heightens their vulnerability to cyber attacks, which could compromise security measures, hamper agencies’ ability to carry out their missions, or cause physical harm to the facilities or their occupants.”
The increase in the connectivity of these systems has also led to an increase in vulnerability to cyber attacks. For example, in 2009, a security guard in a Dallas-area hospital uploaded malware to a hospital computer which controlled the heating, air conditioning, and ventilation for two floors. Court documents indicate that the breach could have interfered with patient treatment, highlighting the danger cyber intrusions pose to building and access control systems.
A cyber expert told GAO these systems were not designed with cybersecurity in mind.
“Security officials we interviewed also said that cyber attacks on systems in federal facilities could compromise security countermeasures, hamper agencies’ ability to carry out their missions, or cause physical harm to the facilities and their occupants,” GAO said.
Sources of cyber threats to building and access control systems include corrupt employees, criminal groups, hackers and terrorists. In particular, insiders—which include disgruntled employees, contractors or other persons abusing their positions of trust—represent a significant threat to these systems.
Editor’s note: Read the report, Getting Inside the Insider Threat, by Nadia Short, vice president and general manager of Cyber and Intelligence Solutions at General Dynamics Advanced Information Systems, in Homeland Security Today’s Oct./Nov. special section on cybersecurity.
Cyber incidents reported to DHS involving industrial control systems increased from 140 to 243 incidents, a 74 percent increase, between fiscal years 2011 and 2014. Despite this increase, DHS does not have a strategy to address cyber risk to building and access control systems.
Specifically, DHS lacks a strategy that defines the problem, identifies the roles and responsibilities, analyzes the resources needed, and identifies a methodology for assessing cyber risk to building and access control systems.
According to GAO, “The absence of a strategy that clearly defines the roles and responsibilities of key components within DHS has contributed to the lack of action within the department. For example, no one within DHS is assessing or addressing cyber risk to building and access control systems particularly at the nearly 9,000 federal facilities protected by FPS.”
DHS’s failure to develop a strategy has led to confusion among several components within DHS about their roles and responsibilities. For example, FPS’s Deputy Director for Policy and Programs indicated FPS’s authority includes cybersecurity. However, the official said that FPS is not assessing cyber risk because FPS does not have the expertise.
Moreover, DHS lacks clear guidance on how federal agencies should report cybersecurity incidents. Before 2014, for instance, DHS did not specify that information systems included industrial control systems. DHS clarified this guidance in 2014 in part because of questions GAO auditors asked during their review.
“By not assessing the risk to these systems and taking steps to reduce that risk, federal facilities may be vulnerable to cyber attacks,” GAO said.
In addition, the Interagency Security Committee (ISC), which is housed within DHS and is responsible for developing physical security standards for nonmilitary federal facilities, has not incorporated cyber threats to building and access control systems in its Design-Basis Threat report.
Despite warnings from former Secretary of Defense Leon Panetta that the US faces the possibility of a “cyber Pearl Harbor,” an ISC official told GAO that it “views this threat as one among a number of threats facing federal facilities.”
However, an ISC official indicated the agency is currently pursuing efforts to mitigate cyber threats.
The Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to periodically assess the cyber risk. However, neither the General Services Administration (GSA), which manages real property for many civilian federal agencies, nor DHS is fully assessing the risk of building control systems in a manner consistent with FISMA guidelines.
GAO’s review of 20 of the 110 security assessment reports GSA prepared between 2010 and 2014 showed they were not comprehensive or fully consistent with FISMA implementation guidelines. GSA owns building control systems in about 1,500 FPS-protected facilities, so adherence to FISMA is crucial to protecting the nation’s critical infrastructure.
“Because federal facilities are a part of the nation’s critical infrastructure and include some highly symbolic federal and commercial office buildings, laboratories, and warehouses—some of which are used to store high risk items such as weapons and drugs—determining the extent to which building and access control systems within them are vulnerable to cyber attacks is critical to providing security,” GAO said.
However, GAO added, “No one in DHS is assessing the cyber risk to building and access control systems at the almost 9,000 facilities protected by FPS. A strategy will help DHS to begin addressing this threat.”
In addition to developing and implementing a plan to address cyber risk, GAO recommended that ISC revise its Design-Basis Threat report and that GSA assess the cyber risk of its building control systems in a manner that fully reflects FISMA’s guidelines.
DHS and GSA agreed with GAO’s recommendations.