The Department of Homeland Security has not developed a strategy to protect federal buildings from cyber attacks, leaving thousands of buildings vulnerable, according to a Government Accountability Report released Jan. 14.
While the agency has taken some preliminary steps to develop a cyber protection strategy it has no way to define cyber problems, figure out the resources needed and identify a way to measure the risks for each facility, the report said.
Resource: Read the GAO report
Many federal facilities building and access control systems that operate systems such as heating, power, ventilation, air conditioning and elevators that are increasingly connected to the Internet,according to the GAO.
"The increased connectivity heightens their vulnerability to cyber attacks, which could compromise security measures, hamper agencies' ability to carry out their missions or cause physical harm, to the facilities or their occupants," the GAO wrote in the report.
The Interagency Security Committee (ISC) – housed within DHS – has yet to incorporate cyber threat standards into its physical security guidelines, according to the GAO.
While the ISC identifies numerous negative events from cyber attacks against federal buildings the ISC is focused primarily on workplace violence and active shooter issues, GAO said.
The GAO recommended that DHS:
- Develop and implement a strategy to address cyber risk to building and access control systems.
- Direct the ISC to revise its threat reports to include cyber threats to buildings.
- Work with GSA to assess cyber risk for building controls.