Building Automation System Cyber Networks: An Unmitigated Risk to Federal Facilities
Originally posted on HSAJ.org:
In 2007, Congress passed the Energy Independence and Security Act, directing all government agencies to reduce their buildings’ energy levels by 30 percent by 2015. Accordingly, the General Services Administration (GSA), responsible for managing federal facilities, began taking the necessary steps to accomplish this goal. In 2012, to reduce energy costs and improve performance, GSA began retrofitting 50 of the most energy-inefficient federal facilities. This retrofit included networking facility building automation systems (BAS)—a type of industrial control system (ICS) to the Internet—to give “property managers real-time information and diagnostic tools that keep facilities working at peak efficiency.” These BAS networks control such actions as HVAC, facility lighting, and elevators. Although this technology has created both a centralization of control and a level of convenience for GSA property managers and building engineers, allowing them to perform facility maintenance from the click of a mouse, it has also made the facilities vulnerable to cyber intrusions due to their active Internet connections.
Currently, the Department of Homeland Security (DHS) is not monitoring BAS networks, investigating network intrusions, or conducting risk assessments of BAS networks inside GSA-owned facilities, despite current presidential executive orders (E.O.s) and federal laws such as the Federal Information Security Management Act of 2002 (FISMA), requiring federal networks be secured.DHS and the GSA are the agencies responsible for the Government Facilities Sector (GFS), one of the 16 critical infrastructure sectors outlined in the National Infrastructure Protection Plan (NIPP); the GSA is ultimately responsible for federal facility BAS security.
Currently, there is insufficient collaboration within the DHS with respect to securing federal facility BAS networks, despite well-known threats and vulnerabilities such as password-management deficiencies, unsubstantial intrusion detection, and inferior private-sector network monitoring. Though the reason for the DHS’s lack of collaboration is unknown, it may be because the Department has not yet seen that these networks operating in federal facilities are susceptible to penetration and subsequent exploitation. This has likely led to poor motivation within the DHS and GSA to address the issue. Other potential factors could be limited resources—no trained personnel and budget constraints—and confusion related to jurisdiction or authority. Finally, existing federal laws, presidential EOs, and cybersecurity frameworks may not be sufficient to provide the necessary roadmap for collaboration between federal agency stakeholders to secure federal facility BAS networks.
There are both tangible and intangible consequences related to a cyberattack upon a federal facility BAS. First, disruption in HVAC, lighting, or elevator operations could cause facility closure until the problem is resolved, creating a backlog for government entitlement agencies such as the Social Security Administration and the Department of Veterans Affairs. Second, if the HVAC system were tampered with, increasing temperatures in the facility could render individual agencies’ network servers inoperable or, worse, could cause health and safety concerns for the young and elderly. Third, if an attacker surreptitiously enters a BAS network, the attacker could subsequently gain access to the GSA.gov network, potentially compromising personally identifiable information (PII) of GSA customers (the rest of the federal government). Finally, if a federal facility BAS network attack became public, confidence in government would likely be further eroded; A June 2014 Gallup poll found that more than 70 percent of the American people have already lost confidence in the federal government.