The U.S. Government Accounting Office (GAO) issued a report this month calling on the Department of Homeland Security (DHS) and General Services Administration (GSA) to develop and implement a strategy to address cyber risks to building and access control systems, including the computers that monitor and control building operations such as elevators, electrical power, and heating, ventilation, and air conditioning. As these systems are increasingly connected to other information systems and the Internet, there is greater vulnerability to cyber attacks, which, the report explains, “could compromise security measures, hamper agencies’ ability to carry out their missions, or cause physical harm to the facilities or their occupants.”
The Interagency Security Committee (ISC), a unit within the Department of Homeland Security that develops mandatory security standards for all nonmilitary federal facilities, has been silent on the growing risk to building access and control systems, which was a major concern of the GAO. In light of recent active shooter and workplace violence incidents, the GAO believes the Department of Homeland Security must update the ISC Design-Basis Threat report, the agency’s standalone document establishing a profile of the type, composition and capabilities of adversaries.
“Lack of strategy” is how the GAO has characterized DHS’s treatment of this emerging cyber risk, and it recommends four areas of “significant work” to improve this vital area of security:
(1) define the problem;
(2) identify roles and responsibilities;
(3) analyze necessary resources; and
(4) identify a methodology for assessing this cyber risk.
Developing a cyber security plan to address these emerging threats is paramount, as an attack on a building’s access or operations system has marked potential for physical damage and injury. As the GAO correctly reports, with greater dependence on computer systems to operate our offices, elevators, and automated warehouses, there comes an increased risk of cyber attacks that will extend beyond disclosure of sensitive data.