Building Automation System Cyber Networks: An Unmitigated Risk to Federal Facilities

Shawn Tupper

EXECUTIVE SUMMARY

pdf

 

In 2007, Congress passed the Energy Independence and Security Act, directing all government agencies to reduce their buildings’ energy levels by 30 percent by 2015.[1] Accordingly, the General Services Administration (GSA), responsible for managing federal facilities, began taking the necessary steps to accomplish this goal.[2] In 2012, to reduce energy costs and improve performance, GSA began retrofitting 50 of the most energy-inefficient federal facilities.[3] This retrofit included networking facility building automation systems (BAS)—a type of industrial control system (ICS) to the Internet—to give “property managers real-time information and diagnostic tools that keep facilities working at peak efficiency.”[4] These BAS networks control such actions as HVAC, facility lighting, and elevators.[5] Although this technology has created both a centralization of control and a level of convenience for GSA property managers and building engineers, allowing them to perform facility maintenance from the click of a mouse, it has also made the facilities vulnerable to cyber intrusions due to their active Internet connections.

Currently, the Department of Homeland Security (DHS) is not monitoring BAS networks, investigating network intrusions, or conducting risk assessments of BAS networks inside GSA-owned facilities, despite current presidential executive orders (E.O.s) and federal laws such as the Federal Information Security Management Act of 2002 (FISMA), requiring federal networks be secured.[6] DHS and the GSA are the agencies responsible for the Government Facilities Sector (GFS), one of the 16 critical infrastructure sectors outlined in the National Infrastructure Protection Plan (NIPP); the GSA is ultimately responsible for federal facility BAS security.[7]

Currently, there is insufficient collaboration within the DHS with respect to securing federal facility BAS networks, despite well-known threats and vulnerabilities such as password-management deficiencies, unsubstantial intrusion detection, and inferior private-sector network monitoring.[8] Though the reason for the DHS’s lack of collaboration is unknown, it may be because the Department has not yet seen that these networks operating in federal facilities are susceptible to penetration and subsequent exploitation. This has likely led to poor motivation within the DHS and GSA to address the issue. Other potential factors could be limited resources—no trained personnel and budget constraints—and confusion related to jurisdiction or authority. Finally, existing federal laws, presidential EOs, and cybersecurity frameworks may not be sufficient to provide the necessary roadmap for collaboration between federal agency stakeholders to secure federal facility BAS networks.

There are both tangible and intangible consequences related to a cyberattack upon a federal facility BAS. First, disruption in HVAC, lighting, or elevator operations could cause facility closure until the problem is resolved, creating a backlog for government entitlement agencies such as the Social Security Administration and the Department of Veterans Affairs. Second, if the HVAC system were tampered with, increasing temperatures in the facility could render individual agencies’ network servers inoperable or, worse, could cause health and safety concerns for the young and elderly. Third, if an attacker surreptitiously enters a BAS network, the attacker could subsequently gain access to the GSA.gov network, potentially compromising personally identifiable information (PII) of GSA customers (the rest of the federal government). Finally, if a federal facility BAS network attack became public, confidence in government would likely be further eroded; A June 2014 Gallup poll found that more than 70 percent of the American people have already lost confidence in the federal government.[9]

This thesis examines current legislation and DHS cyber capabilities, and answers the primary research question:

  • How can the DHS leverage existing federal laws, presidential directives, executive orders, and frameworks, and its current cyber and investigative capabilities to establish a strategy to secure federal facility building automation system networks?

The following secondary research questions are answered to properly address the primary research question:

  • If existing resources are not sufficient, what additional resources should be obtained to mitigate the risks?
  • How should the DHS leverage its components’ law enforcement authorities to augment technical cyber defense measures?

 

The current DHS strategy to secure federal facility BAS is non-existent; however, both the DHS and GSA have recently agreed to work together to develop a strategy.[10] There are many challenges associated with increasing cybersecurity within the federal government, and specifically within cybersecurity of federal facility BAS networks. Some challenges include determining if existing laws are sufficient to prosecute bad actors, finding the balance between security and privacy, determining roles and responsibilities for government agencies, addressing lack of trained personnel, and planning for the constantly changing nature of the threat. This thesis analyzes the current roadblocks to achieving security of BAS networks inside federal facilities, cybersecurity law and legal authorities the federal government already possesses to secure federal facility BAS networks, and the DHS and GSA responsibilities in this effort.

Perhaps the biggest roadblock to securing federal facility BAS is the DHS and GSA’s lack of control over the contractors currently maintaining most BAS networks. As of March 2015, approximately three hundred federal facility BAS networks are housed on the GSA network, and protected behind the GSA firewall; the remaining facilities are operated on private contractor networks.[11] While GSA is in the process of moving these facilities over to their network, until this happens, these networks are essentially beyond the control of the government.

Another roadblock the DHS faces is that it does not currently have sufficient technical expertise to assess these networks on a broad scale, nor to investigate possible intrusions for eventual prosecution of bad actors, with the lone exception of the United States Secret Service (USSS).[12] The Industrial Control System Cyber Emergency Response Team (ICS-CERT) informed the author they have less than 30 personnel who are trained to respond to cybersecurity incidents of ICS networks and they lack law enforcement authority. Conversely, the Federal Protective Service (FPS) has the necessary law enforcement authority and responsibility to protect federal facilities, yet lacks the technical expertise to perform cybersecurity duties.[13] Currently, the only DHS component with both law enforcement authority to conduct criminal investigations and ICS forensic expertise is the USSS.[14] The Secret Service, however, is not currently conducting any investigative activity related to GSA-owned facility BAS network intrusions.

Five options are offered in this inquiry and were assessed using five categories: DHS acceptability, compliance (with laws and presidential executive orders and directives), ease of implementation, overall effectiveness, and time needed to implement the option.[15] A subsequent comparative analysis was completed to discover which option earned the highest ratings.

The comparative analysis findings demonstrated that the DHS should adopt and implement Option IV(A) by initially utilizing experienced, cleared private contractors, overseen by FPS, to perform risk assessments and network analysis of federal facility BAS. Additionally, Option IV(A) calls for the DHS to direct the USSS to provide incident response for network intrusions, as well as subsequent forensically sound criminal investigations into the discovered intrusions. Once the FPS has established their own cybersecurity capability, the agency would be charged with taking over the mission completely. This option provides an almost immediate, cost-effective risk mitigation strategy to reduce the vulnerabilities identified in Government Accountability Office (GAO) report 15-6.

 

EXECUTIVE SUMMARY REFERENCES

 

General Services Administration. “New Smart Building Technology to Increase Federal Buildings Energy Efficiency.” May 12, 2012. http://www.gsa.gov/portal/content/ 135115.

McCarthy, Justin. “Americans Losing Confidence in All Branches of U.S. Gov’t.” Gallup. June 20, 2014. http://www.gallup.com/poll/171992/americans-losing-confidence-branches-gov.aspx.

U.S. Department of Homeland Security. National Infrastructure Protection Plan. (NIPP 2013). Washington, DC: U.S. Department of Homeland Security, 2013). http://www.dhs.gov/sites/default/files/publications/NIPP%202013_Partnering%20for%20Critical%20Infrastructure%20Security%20and%20Resilience_508_0.pdf.

U.S. Government Accountability Office. Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems. (GAO-15-6). Washington, DC: U.S. Government Accountability Office, 2014. http://www.gao.gov/assets/670/667512.pdf.

 

 

[1] Energy Independence and Security Act of 2007, Pub. L. No. 110–140 Stat. 1596 (2007)

[2] Federal Green Buildings, U.S. House of Representatives, 111th Cong., (statement by Kevin Kampschroer, Director Office of Federal High-Performance Green Buildings).

[3] “New Smart Building Technology to Increase Federal Buildings Energy Efficiency,” General Services Administration, May 12, 2012, http://www.gsa.gov/portal/content/135115.

[4] Ibid.

[5] U.S. Government Accountability Office, Federal Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to Building and Access Control Systems (GAO-15-6) (Washington, DC: U.S. Government Accountability Office, 2014), 10, http://www.gao.gov/assets/670/667512.pdf.

[6] Ibid., 17.

[7] U.S. Department of Homeland Security, National Infrastructure Protection Plan (NIPP 2013) (Washington, DC: U.S. Department of Homeland Security, 2013), 8, http://www.dhs.gov/sites/default/files/ publications/NIPP%202013_Partnering%20for%20Critical%20Infrastructure%20Security%20and%20Resilience_508_0.pdf.

[8] U.S. Government Accountability Office, Federal Facility Cybersecurity, 22.

[9] Justin McCarthy, “Americans Losing Confidence in All Branches of U.S. Gov’t,” Gallup, June 20, 2014, http://www.gallup.com/poll/171992/americans-losing-confidence-branches-gov.aspx.

[10] U.S. Government Accountability Office, Federal Facility Cybersecurity, Appendix III, IV.

[11] Josh Mordin and Sandy Schadchehr, “Building Monitoring and Control Systems in GSA,” presented at the Cybersecurity Building Control Systems Workshop, Washington, DC, March 24, 2015

[12] Senate Committee on Appropriations, Subcommittee on Homeland Security, Investing in Cybersecurity: Understanding Risks and Building Capabilities for the Future (statement by Special Agent in Charge William Noonan, May 7, 2014.

[13] U.S. Government Accountability Office, Federal Facility Cybersecurity, 5, 18.

[14] Fighting Fraud: Improving Information Security: Joint Hearing Before the House Subcommittee on Financial Institutions And Consumer Credit of the Committee on Financial Services, 108th Cong., 1(2003) (statement of Tim Caddigan, Special Agent in Charge, Financial Crimes Division, United States Secret Service).

[15] Todd R. Consolini, “Regional Security Assessments: A Regional Approach to Securing Federal Facilities” (master’s thesis, Naval Postgraduate School, 2009).

No Comments

Post a Comment