Report: DHS Not Addressing Cyber Threats to Building Access Control Systems

Federal Facility Physical Security

The Department of Homeland Security is doing an inadequate job assessing and addressing the risk posed by cyber threats to access control systems at federal facilities.

Auditors at the Government Accountability Office (GAO) are warning the Department of Homeland Security (DHS) and the General Services Administration (GSA) about unaddressed cyber risks to building access control systems at federal facilities.

The systems in question are those that keep unauthorized people out of federal facilities, such as electronic door locks, card readers and other security devices. These devices are increasingly networked, and an attacker who compromises them can defeat the physical security barriers of a government building without ever forcing a door.

According to a GAO report, the DHS has virtually no strategy and no personnel in place to define, assess or address the risk posed by cyberattacks targeting building access control systems at more than 9,000 federal facilities protected by the Federal Protective Service (FPS) as of October 2014.

The report also concluded that the GSA has neither assessed the cyber risk of its building control systems nor conducted security control assessments for many of them. The GSA has, however, completed security assessments of the building control systems in about 500 of its 1,500 FPS-protected facilities and plans to finish the remainder in fiscal year 2015.

The GAO examined 20 of the GSA’s 110 security assessment reports prepared between 2010 and 2014 and found that they were neither comprehensive nor fully consistent with FISMA implementation guidelines. For example, the watchdog says that 25 percent of the reports it examined checked whether an access control system required users to enter a username and password before logging in, but did not check whether the system enforced any password complexity requirements, so a system that accepts a trivially weak password would still have passed.

“By not developing a strategy document for assessing cyber risk to facility and security systems, DHS and, in particular, NPPD have not effectively articulated a vision for organizing and prioritizing efforts to address the cyber risk facing federal facilities that DHS is responsible for protecting,” the GAO wrote.

The DHS’s National Protection and Programs Directorate (NPPD) says its lack of a strategy is “because cyber threats involving these systems are an emerging issue.” The Interagency Security Committee (ISC), the DHS-chaired body tasked with developing physical security standards for federal facilities, says it has been too occupied with recent incidents involving active shooters and other workplace violence to revise its Design-Basis Threat report. That report, which is issued to the various federal agencies, examines how exposed federal facilities are to attack and what needs to be done to protect those buildings.

The GAO is recommending that Homeland Security develop and implement a strategy for addressing cyber risks to building and access control systems that defines the problem, identifies roles and responsibilities, analyzes the resources needed and identifies a methodology for assessing this cyber risk. It also recommends that the DHS direct the ISC to revise its Design-Basis Threat report to include cyber threats to building and access control systems, and that the GSA assess the cyber risk of its building control systems in a manner that fully reflects the Federal Information Security Management Act (FISMA) and its implementation guidelines.

The DHS and GSA agree with the GAO’s recommendations.

“According to experts and security officials we interviewed, not addressing this threat could result in disruptions of agency operations or harm to occupants of federal facilities,” the GAO said. “In addition, because GSA owns building control systems in about 1,500 FPS protected facilities that are part of the nation’s critical infrastructure, it is vital that these systems are assessed in a manner that is fully consistent with FISMA and its implementation guidelines.”
