Secure your buildings? uhhhh….

I had to emit a sad chuckle at the GAO report on cyber security for federal buildings.


By way of background, DHS, through its Federal Protective Service (FPS), provides security at more than 9,000 federal facilities nationwide.

I’ve read lots of GAO reports. This one is about as scathing as GAO’s sterilely objective grammar permits:

DHS lacks a strategy that: (1) defines the problem, (2) identifies the roles and responsibilities, (3) analyzes the resources needed, and (4) identifies a methodology for assessing this cyber risk. A strategy is a starting point in addressing this risk. The absence of a strategy that clearly defines the roles and responsibilities of key components within DHS has contributed to a lack of action within the Department.

Unfortunately, building automation is one of the most overlooked areas of cyber security. In the commercial world, some buildings are leased rather than owned; facilities maintenance teams often fall under separate management from corporate IT; facilities maintenance personnel are not likely to have cyber security training or forethought; and so on.

On one hand, I understand that the folks at FPS haven’t thought about cyber. Has your guard force? Imagine walking up to one of these cops and saying “Hey, I bet there’s an ActiveX control in your HVAC HMI with a stack-based buffer overflow. It could probably be exploited via a malicious redirect employed in a strategic Web compromise.”

He or she will look at you like you are from another planet.

In addition, I recognize that the DHS mission is enormous and ill-defined; oversight is lacking; leadership has surprising turnover; bureaucracy can be oppressive and slow.

For those reasons, I don’t mean to imply that implementing cyber security into federal building automation environments is easy.

On the other hand, it has been two and a half years since Billy Rios knocked building automation cyber security into the limelight. That should be time enough to have at least some type of plan or strategy.

And it would have been, had DHS risk management leaders been relying on a competent and appropriately resourced *integrated cyber-physical intelligence team* to bring important developments in the external threat environment to leadership’s attention!