Federal Facilities Vulnerable to Cyber Attacks: GAO Report

The U.S. General Accounting Office (GAO) has published a new report calling for the Department of Homeland Security (DHS) and the General Services Administration (GSA) to better secure building and access control systems from cyber threats.

While acknowledging that DHS has taken some preliminary steps to understand the threats posed to these systems in federal facilities, the GAO said more work needs to be done, and that DHS has failed to develop a strategy that defines the problem, identifies roles and responsibilities, analyzes the resources needed, and identifies a methodology for assessing cyber risk to building and access control systems.

“Because federal facilities are a part of the nation’s critical infrastructure and include some highly symbolic federal and commercial office buildings, laboratories, and warehouses—some of which are used to store high risk items such as weapons and drugs—determining the extent to which building and access control systems within them are vulnerable to cyber attacks is critical to providing security,” according to the report.

“However, DHS faces challenges in determining the extent to which building and access control systems in federal facilities are vulnerable to cyber attacks because it lacks a strategy that defines the problem, identifies the roles and responsibilities for securing these systems, analyzes the resources needed to assess cyber risk to the systems, and a methodology for assessing cyber risk to building and access control systems,” the report continues. “Moreover, without a strategy that addresses cyber risk to building and access control systems in federal facilities, key stakeholders, particularly within NPPD (National Protection and Programs Directorate), do not have a clear understanding of their roles and responsibilities. And as a result, no one in DHS is assessing the cyber risk to building and access control systems at the almost 9,000 facilities protected by FPS (Federal Protective Service).”

Among the other findings in the GAO report are that neither GSA nor DHS is fully assessing the risk of building control systems in about 1,500 FPS-protected facilities.

According to the report, in November 2014 GSA information technology officials said that from 2009 to 2014 the agency conducted 110 security assessments of the building control systems in about 500 of the 1,500 facilities. In addition, GSA has not yet assessed the security of control systems with network or Internet connections in about 200 buildings.

“Further, our review of 20 of 110 of GSA’s security assessment reports (between 2010 and 2014) show that they were not comprehensive and not fully consistent with NIST guidelines,” according to the report. “For example, in 5 of the 20 reports we reviewed, GSA assessed the building control device to determine if a user’s identity and password were required for login but did not assess the device to determine if password complexity rules were enforced. This could potentially lead to weak or insecure passwords being used to secure building control devices.”
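The gap the report describes above is the difference between checking that a device asks for a password and checking that the device enforces rules about what that password may be. The following assessment helper is an added example, not code from the GAO report, GSA or SecurityWeek; the device configuration fields, the policy thresholds and the sample devices are all constructed for illustration.

```python
"""Added example: a minimal assessment helper for building control device
login settings. It records a finding both when no credentials are required
and when credentials are required but no complexity rules are enforced, so an
assessor cannot pass a device on the first check alone."""
import re
from dataclasses import dataclass


@dataclass
class DeviceLoginConfig:
    """Login settings an assessor would collect from a device (constructed schema)."""
    device: str
    requires_credentials: bool
    min_password_length: int = 0
    require_mixed_case: bool = False
    require_digit: bool = False
    require_symbol: bool = False


# Assessor-chosen policy; these thresholds are an assumption for the example,
# not values taken from the report or from NIST guidance.
POLICY = {"min_length": 12, "mixed_case": True, "digit": True, "symbol": True}


def complexity_findings(cfg: DeviceLoginConfig) -> list[str]:
    """Return a list of findings; an empty list means the device meets POLICY."""
    findings = []
    if not cfg.requires_credentials:
        # Nothing else matters if anyone can log in without identifying themselves.
        findings.append("no username/password required for login")
        return findings
    if cfg.min_password_length < POLICY["min_length"]:
        findings.append(
            f"minimum password length {cfg.min_password_length} "
            f"below policy minimum {POLICY['min_length']}"
        )
    if POLICY["mixed_case"] and not cfg.require_mixed_case:
        findings.append("mixed-case requirement not enforced")
    if POLICY["digit"] and not cfg.require_digit:
        findings.append("digit requirement not enforced")
    if POLICY["symbol"] and not cfg.require_symbol:
        findings.append("symbol requirement not enforced")
    return findings


def password_meets_policy(password: str) -> bool:
    """What 'enforced' means in practice: the device must reject a password like
    this one when it fails POLICY. Used here to sanity-check the policy itself."""
    if len(password) < POLICY["min_length"]:
        return False
    if POLICY["mixed_case"] and not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        return False
    if POLICY["digit"] and not re.search(r"\d", password):
        return False
    if POLICY["symbol"] and not re.search(r"[^A-Za-z0-9]", password):
        return False
    return True


def assess(devices: list[DeviceLoginConfig]) -> dict[str, list[str]]:
    """Map each device name to its findings."""
    return {d.device: complexity_findings(d) for d in devices}


# Constructed sample devices: one open, one that only asks for a password,
# one that enforces the full policy.
SAMPLE_DEVICES = [
    DeviceLoginConfig("hvac-controller-1", requires_credentials=False),
    DeviceLoginConfig("door-controller-2", requires_credentials=True, min_password_length=4),
    DeviceLoginConfig(
        "lighting-panel-3", requires_credentials=True, min_password_length=12,
        require_mixed_case=True, require_digit=True, require_symbol=True,
    ),
]

if __name__ == "__main__":
    for name, findings in assess(SAMPLE_DEVICES).items():
        print(name, "->", findings or "compliant")
```

Running the block prints one line per sample device; only the third is reported as compliant, and the second, which passes the "password required" check the report mentions, still yields four findings.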

Given the valuable assets they hold, there is an obvious need to increase awareness and take stock not only of the digital holes but also of the physical holes within these widely relied-on facilities, said Matt Zanderigo, product marketing manager at ObserveIT.
“I think we will see reports of this kind coming out across all verticals: retail, healthcare, financial services, etc, as all organizations become more alert and aware of their inherent digital and physical vulnerabilities,” he said.

“However,” he added, “no matter how much money federal facilities spend in their security budget, no matter how many firewalls, IPS/IDS systems, anti-Virus/malware software, SIEM event management systems and more, there will always be one weak part in the chain – the users.”

Written By

Marketing professional with a background in journalism and a focus on IT security.