This post is also available in: עברית (Hebrew)
The U.S. is realizing step by step to what degree it is vulnerable to Cyber attacks.
According to HomeLand Security News Wire, while most cybersecurity threats against government agencies tend to focus on network and computer systems, a growing number of access control systems, responsible for regulating electricity use, heating, ventilation, and air-conditioning (HVAC), and the operation of secured doors and elevators are also vulnerable to hacking.
As more federal facilities subscribe to the Internet of Things – the connection of critical devices to the Web – those tasked with securing government buildings must be at the forefront of cybersecurity.
According to a 12 December 2014 report from the Government Accountability Office (GAO), attacks on access control systems could “compromise security measures, hamper agencies’ ability to carry out their missions or cause physical harm to the facilities or their occupants.” GAO warns that despite the seriousness of the vulnerabilities, agencies tasked with securing federal facilities have not been proactive.
NextGov reports that hackers have already begun to take advantage of the cyber vulnerabilities posed by public and private sector access control systems. In 2009 a security guard at a Dallas hospital infiltrated fourteen computers including one that controlled the hospital’s HVAC system. GAO reports that incidents involving access control systems reported to DHS have increased by 74 percent over the past three years.
Still, “no one within DHS is assessing or addressing cyber risk to building and access control systems,” GAO investigators noted. In 2013, DHS’s National Protection and Programs Directorate (NPPD), tasked with reducing and eliminating threats to the nation’s critical physical and cyber infrastructure, conducted an assessment of the physical security and cybersecurity of a federal facility, but more work needs to be done, GAO wrote in the report.
GAO further adds that DHS currently lacks a strategy that defines the various vulnerabilities within access control systems and identifies the DHS agencies should address in the framework of those vulnerabilities.