Federal Facility Cybersecurity:
DHS and GSA Should Address Cyber Risk to Building and Access Control Systems
GAO-15-6: Published: Dec 12, 2014. Publicly Released: Jan 12, 2015.
Contact:
Mark L. Goldstein, (202) 512-2834, goldsteinm@gao.gov
Gregory C. Wilshusen, (202) 512-6244, wilshuseng@gao.gov
Office of Public Affairs, (202) 512-4800, youngc1@gao.gov
What GAO Found
The Department of Homeland Security (DHS) has taken preliminary steps to begin to understand the cyber risk to building and access control systems in federal facilities. For example, in 2013, components of DHS's National Protection and Programs Directorate (NPPD) conducted a joint assessment of the physical security and cybersecurity of a federal facility. However, significant work remains.
- Lack of a strategy: DHS lacks a strategy that: (1) defines the problem, (2) identifies the roles and responsibilities, (3) analyzes the resources needed, and (4) identifies a methodology for assessing this cyber risk. A strategy is a starting point in addressing this risk. The absence of a strategy that clearly defines the roles and responsibilities of key components within DHS has contributed to a lack of action within the Department. For example, no one within DHS is assessing or addressing cyber risk to building and access control systems, particularly at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) as of October 2014. According to an NPPD official, DHS has not developed a strategy, in part, because cyber threats involving these systems are an emerging issue. By not developing a strategy document for assessing cyber risk to facility and security systems, DHS and, in particular, NPPD have not effectively articulated a vision for organizing and prioritizing efforts to address the cyber risk facing federal facilities that DHS is responsible for protecting.
- Cyber threat not identified in report for federal agencies: The Interagency Security Committee (ISC), which is housed within DHS and is responsible for developing physical security standards for nonmilitary federal facilities, has not incorporated cyber threats to building and access control systems in its Design-Basis Threat report that identifies numerous undesirable events. An ISC official said that recent active shooter and workplace violence incidents have caused ISC to focus its efforts on policies in those areas first. Incorporating the cyber threat to building and access control systems in the Design-Basis Threat report will inform agencies about this threat so they can begin to assess its risk. This action also could prevent federal agencies from expending limited resources on methodologies that may result in duplication.
GSA has not fully assessed the risk of building control systems to a cyber attack in a manner that is consistent with the Federal Information Security Management Act of 2002 (FISMA) or its implementation guidelines. Although GSA has assessed the security controls of these systems, the assessments do not fully assess the elements of risk (e.g., threat, vulnerability, and consequence). GSA also has not yet conducted security control assessments for many of its building control systems. GSA information technology officials said that GSA has conducted security assessments of the building control systems that are in about 500 of its 1,500 FPS-protected facilities and plans to complete the remainder in fiscal year 2015 or when systems are connected to the network or the Internet. Further, our review of 20 of 110 of the security assessment reports that GSA prepared during 2010 to 2014 showed that they were not comprehensive or fully consistent with FISMA implementation guidelines. For example, 5 of the 20 reports we reviewed showed that GSA assessed the building control device to determine if a user's identity and password were required for login but did not assess the system to determine if password complexity rules were enforced. This could potentially lead to weak or insecure passwords being used to secure building control systems.
Why GAO Did This Study
Federal facilities contain building and access control systems—computers that monitor and control building operations such as elevators, electrical power, and heating, ventilation, and air conditioning—that are increasingly being connected to other information systems and the Internet. The increased connectivity heightens their vulnerability to cyber attacks, which could compromise security measures, hamper agencies' ability to carry out their missions, or cause physical harm to the facilities or their occupants.
GAO's objective was to examine the extent to which DHS and other stakeholders are prepared to address cyber risk to building and access control systems in federal facilities. GAO reviewed DHS's and other stakeholders' authorities to protect federal facilities from cyber attacks; visited selected FPS-protected facilities to determine what stakeholders were doing to address cyber risks to these systems; and interviewed experts about the cyber vulnerability of building and access control systems and related issues. GAO also reviewed GSA's security assessment process and a sample of reports.
What GAO Recommends
GAO recommends that DHS (1) develop and implement a strategy to address cyber risk to building and access control systems and (2) direct ISC to revise its Design-Basis Threat report to include cyber threats to building and access control systems. GAO also recommends that GSA assess cyber risk of its building control systems fully reflecting FISMA and its guidelines. DHS and GSA agreed with the recommendations.
For more information, contact Mark L. Goldstein at (202) 512-2834 or goldsteinm@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.
Recommendations for Executive Action
Recommendation: The Secretary of Homeland Security, in consultation with GSA, should develop and implement a strategy to address cyber risk to building and access control systems that, among other things: (1) defines the problem; (2) identifies roles and responsibilities; (3) analyzes the resources needed; and (4) identifies a methodology for assessing this cyber risk.
Agency Affected: Department of Homeland Security
Status: Open
Comments: When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Homeland Security should direct ISC to incorporate the cyber threat to building and access control systems into ISC's list of undesirable events in its Design-Basis Threat report.
Agency Affected: Department of Homeland Security
Status: Closed - Implemented
Comments: In December 2014, we reported that building and access control systems--computers that monitor and control building operations such as elevators, electrical power, and heating, ventilation, and air conditioning--in federal facilities are increasingly being connected to other information systems and the internet, which heightens their vulnerability to cyber attacks. However, the Interagency Security Committee, which is housed within DHS and is responsible for developing physical security standards for nonmilitary federal facilities, had not incorporated cyber threats to building and access control systems in its Design-Basis Threat report, which identifies and describes numerous undesirable events under various scenarios and their probability of occurring as well as establishing a profile of the types, composition, and capabilities of adversaries. We recommended that DHS direct the Interagency Security Committee to incorporate the cyber threat to building and access control systems into the Committee's list of undesirable events in its Design-Basis Threat report. In response, in January 2016, the Interagency Security Committee issued a revised version of this report which incorporated the cyber threat to building and access control systems into the list of undesirable events. As a result of the action, agencies will be informed about this threat and can begin to assess its risk, which will enhance federal facility cybersecurity.

Recommendation (Priority recommendation): The Administrator of the General Services Administration should assess the building and access control systems that it owns in FPS-protected facilities in a manner that is fully consistent with FISMA and its implementation guidelines.
Agency Affected: General Services Administration
Status: Closed - Implemented
Comments: Federal facilities contain building and access control systems--computers that monitor and control building operations such as elevators, electrical power, and heating, ventilation, and air conditioning--that are increasingly being connected to other information systems and the Internet. The increased connectivity heightens their vulnerability to cyber attacks, which could compromise security measures, hamper agencies' ability to carry out their missions, or cause physical harm to the facilities or their occupants. In 2014, GAO reported that GSA had not fully assessed the risk of building control systems to a cyber attack in a manner that is consistent with the Federal Information Security Management Act of 2002 (FISMA) or its implementation guidelines. GAO also reported that GSA had not conducted security control assessments of the systems in all of its 1,500 facilities. Therefore, GAO recommended that GSA assess the control systems that it owns in a manner that is fully consistent with FISMA and its implementation guidelines. In 2017, GAO confirmed that out of 1,533 facilities, GSA had completed cyber risk assessments of the control systems or that assessments were not needed in all but 142 lower-risk facilities. GSA plans to assess the cyber risk of the systems in those remaining facilities by contacting property management staff or conducting site visits. As a result, GSA's action increases federal facility security by reducing the risk of cyber attacks on control systems.