Think of the many ways in which computers control buildings, from HVAC systems to electronic door locks and the flow of gas, water, and electricity. Now think of the many ways in which those computers can go haywire, from corrupt software to a power surge. Finally, think of what a person with bad intentions might do to a building’s computer system by means of another computer—with results ranging from mere inconvenience to outright destruction.
In the view of the Government Accountability Office (GAO), the Department of Homeland Security (DHS) and the General Services Administration (GSA) have not been thinking nearly hard enough about these matters, which clearly fall under their purview. In a report publicly issued on January 12, GAO observes that DHS lacks a coherent strategy for assessing threats and countering risks to federal buildings and access control systems. So absent is this strategy, in fact, that no one within DHS has even begun the work of assessing those risks in the 9,000-odd federal facilities that fall under the oversight of the Federal Protective Service (FPS).
Meanwhile, the GAO continues, the Interagency Security Committee within DHS has failed even to identify cybersecurity issues in its official report on the broad topic of “design-basis threat,” contrary to directives within the Federal Information Security Management Act (FISMA) of 2002. The ISC counters that it has been busy addressing the problems of shooters and workplace violence that have so prominently announced themselves at federal facilities, but as the GAO report puts it in so many words, if building cybersecurity is not listed as an area of concern, then no one will be concerned with it.
The GAO report observes that access control systems—“computers that monitor and control building operations such as elevators, electrical power, and heating, ventilation, and air conditioning,” by its definition—are increasingly connected to the Internet, and thus vulnerable to cyber attack. “Cyber threat sources include corrupt employees, criminal groups, hackers, and terrorists,” the report notes. “These threat sources vary in terms of the capabilities of the actors, their willingness to act, and their motives, which can include monetary or political gain or mischief, among other things.”
That threat requires strong countermeasures, and strong leadership in the face of the vaguely delineated responses that are now in place. As the GAO study notes, for instance, in a survey of federal security assessment reports, about a quarter give some indication that GSA has examined how users can gain access to those systems, but only to the extent that a user name and password are required—and not whether federal rules on password complexity are being met.
The GAO report concludes with three recommendations for executive action, the first two concerning DHS and the last concerning GSA. We quote verbatim:
- Recommendation: The Secretary of Homeland Security, in consultation with GSA, should develop and implement a strategy to address cyber risk to building and access control systems that, among other things: (1) defines the problem; (2) identifies roles and responsibilities; (3) analyzes the resources needed; and (4) identifies a methodology for assessing this cyber risk.
- Recommendation: The Secretary of Homeland Security should direct ISC to incorporate the cyber threat to building and access control systems into ISC’s list of undesirable events in its Design-Basis Threat report.
- Recommendation: The Administrator of the General Services Administration should assess the building and access control systems that it owns in FPS-protected facilities in a manner that is fully consistent with FISMA and its implementation guidelines.
According to GAO, both DHS and GSA concur that these measures need to be put in place. The full GAO report is available here.