Thousands of critical government buildings face high risk of cyberattacks

Systems that control the elevators, lights, ventilation, and fire alarms in federal buildings are vulnerable to cyberattacks that could compromise security or result in serious harm to government workers.

In a report released within hours of high-profile social media hacks at U.S. Central Command, the Government Accountability Office said homeland security officials have little understanding of the risks presented by Internet-based control systems and don’t have a clear strategy for dealing with an attack if one were to occur.

The congressional watchdog is worried that cyberattacks on the access and control systems of federal buildings could “damage the government’s credibility.”

Such attacks could allow outsiders to access restricted federal buildings or result in death if fire alarms and sprinklers were switched off during a blaze, the report said.

The Department of Homeland Security is responsible for protecting thousands of office complexes, laboratories and warehouses, many of which are managed by the General Services Administration.

GAO has designated both federal information systems and federal property management as “high risk areas.”

Because functions like air conditioning, closed-circuit TV surveillance and door locks are increasingly automated and centralized, federal buildings face a heightened risk of cyberattack.

Such threats can come from “corrupt employees, criminal groups, hackers, and terrorists,” GAO said. “No one in DHS is assessing the cyber risk to building and access control systems at the almost 9,000 facilities” under the agency’s protection.

GSA officials have also yet to inspect the cybersecurity of control systems in hundreds of federal buildings, the report said.

Between 2011 and 2014, cyber incidents involving control systems jumped from 140 to 243, an increase of 74 percent.

GAO pointed to the highly publicized breach of customer information at Target stores in 2013 as an example of the threat digital control systems can pose, claiming the attack likely occurred “after intruders obtained a heating, ventilation, and air-conditioning system vendor’s credentials to access the outermost portion” of Target’s network.

Access and control systems “were not designed with cybersecurity in mind,” the report noted.

What’s more, DHS has yet to “define the problem,” let alone determine what resources it will need to arm buildings against cyberattacks, the report said.

Federal facilities that “store high-risk items such as weapons and drugs” are more likely to be the target of a cyberattack, according to the report.

Go here to read the full GAO report.


