The US Department of Homeland Security has failed to adequately address potential cyber threats to certain systems within federal offices, warehouses and labs, according to the country's Government Accountability Office.
In a report released this week [pdf], the GAO said the agency had only taken "preliminary" steps to protect building and access control systems within federal facilities, despite the systems increasingly becoming connected to other internal systems and networks, as well as the internet.
The GAO reported that the number of cyber incidents reported to Homeland Security involving industrial control systems soared in fiscal year 2014 by 74 percent - with 243 incidents reported compared to 140 in fiscal year 2011.
It cited the Target breach - in which hackers stole login credentials from a heating and air conditioning contractor to gain entry into the Target network - as one example of how such systems are at risk.
Homeland Security - which is responsible for protecting federal facilities - had failed to act on a 2013 discussion paper prepared by the Federal Protective Service which identified building systems (including closed-circuit video, security command control centres and heating and air conditioning) at risk of cyber attack, according to the GAO.
DHS had not developed a strategy to address the issue in part because "cyber threats involving these systems are an emerging issue," a DHS staff member told the GAO.
"Because federal facilities are a part of the nation’s critical infrastructure and include some highly symbolic federal and commercial office buildings, laboratories, and warehouses—some of which are used to store high risk items such as weapons and drugs—determining the extent to which building and access control systems within them are vulnerable to cyber attacks is critical to providing security," the GAO stated in its report.
"However, DHS faces challenges in determining the extent to which building and access control systems in federal facilities are vulnerable to cyber attacks because it lacks a strategy that defines the problem, identifies the roles and responsibilities for securing these systems, analyses the resources needed to assess cyber risk to the systems, and a methodology for assessing cyber risk to building and access control systems."
The GAO urged the DHS to develop such a strategy to ensure government buildings did not fall victim to unauthorised access, damage to equipment that relies on temperature control (such as data centres), and loss of power, among other things.
The problem is compounded by DHS incident-reporting guidelines that, until recently, did not require federal agencies to report infosec incidents involving industrial control systems, the GAO reported, which may have contributed to the lack of reporting.
"From fiscal year 2010 to August 2014, out of 851 reported industrial control system incidents, DHS received only one report from a federal agency, which did not involve a building or access control system," the report said.
Homeland Security amended the policy in October. Its guidelines now include reporting of incidents involving industrial control systems.
The agency accepted the GAO's two recommendations: that it develop and implement a strategy to address cyber risks to building and access control systems, and that it revise the Interagency Security Committee's Design-Basis Threat report to include such risks.