The U.S. Department of Homeland Security (DHS) is putting a spotlight on cybersecurity threats to federal buildings. In response, it is developing a strategy to thwart potential cyber attacks against electronic card readers, heating equipment and a host of other computerized “building and access control systems” at thousands of federal facilities.
The department, which expects to complete the document by May 29, revealed its plans in response to a recent report by the Government Accountability Office (GAO), which urged the federal government to do more to defend such systems.
DHS said its National Protection and Programs Directorate (NPPD) is leading the strategy development and is coordinating with the General Services Administration (GSA) and other federal agencies. The strategy will define the problem and identify who should address it and how.
“Because federal facilities are a part of the nation’s critical infrastructure and include some highly symbolic federal and commercial office buildings, laboratories, and warehouses — some of which are used to store high risk items such as weapons and drugs — determining the extent to which building and access control systems within them are vulnerable to cyber attacks is critical to providing security,” the GAO wrote.
Computerized Building Access = Greater Security Vulnerability
According to the GAO, building and access control systems are computers that monitor and control building operations, such as air conditioning, electrical power, electronic card reading, elevators, fire alarms and fire suppression, heating, lighting, ventilation and video surveillance. These systems are increasingly connected to other information systems and the Internet. While this trend improves automation and enables remote operations, it also makes the systems more vulnerable to cyber attacks.
Before DHS disclosed it was working on a strategy, the GAO found that no one was addressing cyber risks to these systems at nearly 9,000 federal facilities protected by the DHS Federal Protective Service. Cyber threats to these systems were still considered “an emerging issue,” and a cyber expert told the GAO that such systems were not designed with cybersecurity in mind.
The threat to such systems is growing, the GAO said. For instance, from fiscal year 2011 to FY 2014, the number of cyber incidents involving industrial control systems, including building and access control systems, rose from 140 to 243, a 74 percent jump. And in 2013, intruders used the credentials of a heating, ventilation and air conditioning vendor to breach Target’s network and gain access to the retailer’s payment card data.