What the GAO found
The country’s critical infrastructure sectors rely on electronic systems, including Internet of Things (IoT) and operational technology (OT) devices and systems. IoT generally refers to technologies and devices that connect a wide range of “objects” to a network and allow them to interact, in places such as buildings, transportation infrastructure, or homes. OT refers to programmable systems or devices that interact with the physical environment, such as building automation systems that control machinery to regulate and monitor temperature.
Figure: Overview of Connected Computing, Internet of Things (IoT), and Operational Technology
To help federal agencies and private entities manage cybersecurity risks associated with IoT and OT, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have published guidance and provided resources. Specifically, CISA has issued guidance, initiated programs, issued alerts and advisories on vulnerabilities affecting IoT and OT devices, and established OT working groups. NIST has published several guidance documents on IoT and OT, maintained a cybersecurity center of excellence, and established numerous working groups. Additionally, the Federal Acquisition Regulatory Council is considering updating the Federal Acquisition Regulation to better manage IoT and OT cybersecurity risks.
Selected federal agencies with lead responsibility for a sector have reported various cybersecurity initiatives to help protect three critical infrastructure sectors that make heavy use of IoT or OT devices and systems.
Title: Internet of Things (IoT) or Operational Technology (OT) Cybersecurity Initiatives of Sector Lead Agencies

| Sector (lead federal agency) | Examples of IoT or OT initiatives |
|---|---|
| Energy (Department of Energy) | Considerations for OT Cybersecurity Monitoring Technologies: guidance that provides suggested evaluation considerations for OT cybersecurity monitoring technologies for systems that, for example, distribute electricity through the grid; Cybersecurity for the Operational Technology Environment: a methodology intended to improve detection of anomalous-behavior threats on OT networks in the energy sector, such as electricity distribution networks. |
| Health care and public health (Department of Health and Human Services) | Premarket guidance on managing cybersecurity: identifies cybersecurity issues that manufacturers should consider in the design and development of their medical devices, such as diagnostic equipment; Postmarket management of medical device cybersecurity: provides recommendations for managing cybersecurity vulnerabilities in marketed and distributed medical devices, such as infusion pumps. |
| Transportation systems (Departments of Homeland Security and Transportation) | Surface Transportation Cybersecurity Toolkit: designed to provide informational cyber risk management tools and resources for control systems that, for example, operate ship machinery; Department of Homeland Security Transportation Security Administration Rail Cybersecurity Enhancement Directive: requires actions, such as conducting a cybersecurity vulnerability assessment and developing cybersecurity incident response plans, for higher-risk railroads. |

Source: GAO analysis of agency documentation | GAO-23-105327
However, none of the selected lead agencies had developed metrics to measure the effectiveness of their efforts. In addition, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both activities are best practices. Lead agency officials noted that assessing program effectiveness is difficult when the agencies rely on information that industry entities provide voluntarily. Nevertheless, without efforts to measure effectiveness and assess IoT and OT risks, the success of these risk mitigation initiatives remains unknown.
The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after December 4, 2022, if that device is found to be non-compliant with standards developed by NIST. As required by the act, in June 2021 NIST released a draft guidance document that, among other things, provides guidance for agencies, companies, and industry on receiving reported vulnerabilities and for organizations on reporting the vulnerabilities they find. The act also requires the Office of Management and Budget (OMB) to establish a standardized process for federal agencies to waive the prohibition on procuring or using non-compliant IoT devices if the waiver criteria detailed in the act are met.
As of November 22, 2022, OMB had not yet developed the required process for waiving the prohibition on procuring or using non-compliant IoT devices. OMB officials noted that the waiver process requires coordination and data collection with other entities. According to OMB, it is targeting November 2022 for the release of guidance on the waiver process. Given the restrictions the act places on agency use of non-compliant IoT devices as of December 2022, the lack of a uniform waiver process could lead to inconsistent actions across agencies.
Why GAO Did This Study
Cyber threats to the IoT and OT of critical infrastructure represent a significant national security challenge. Recent incidents, such as ransomware attacks targeting health care and essential services during the COVID-19 pandemic, illustrate the cyber threats facing the country’s critical infrastructure. Congress included provisions in the IoT Cybersecurity Improvement Act of 2020 for GAO to report on IoT and OT cybersecurity efforts.
This report (1) describes overall federal IoT and OT cybersecurity initiatives; (2) assesses the actions of selected federal agencies with lead sector responsibility to improve IoT and OT cybersecurity; and (3) identifies leading guidance for addressing IoT cybersecurity and determines the status of OMB’s process for waiving cybersecurity requirements for IoT devices. To describe the overall initiatives, GAO analyzed relevant guidance and related documentation from several federal agencies.
To assess the lead agencies’ actions, GAO first identified the six critical infrastructure sectors considered to be at greatest risk of cyber compromise. Of these six, GAO then selected for review the three sectors that made extensive use of IoT and OT devices and systems: energy, health care and public health, and transportation systems. For each sector, GAO analyzed documentation, interviewed agency officials, and compared the lead agency’s actions to federal requirements.
GAO also analyzed documentation, interviewed officials from the selected sectors, and compared those sectors’ cybersecurity efforts to federal requirements. GAO also asked OMB officials about the status of the required waiver process.