Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

US Agencies Told to Assess IoT/OT Security Risks to Boost Critical Infrastructure Protection

The US Government Accountability Office (GAO) has urged several federal agencies to conduct cybersecurity-related assessments in an effort to improve the protection of certain critical infrastructure sectors.

The US Government Accountability Office (GAO) has urged several federal agencies to conduct cybersecurity-related assessments in an effort to improve the protection of certain critical infrastructure sectors.

The GAO pointed out that the DHS, CISA and NIST have issued guidance, alerts, advisories, and other resources in an effort to help federal and private entities manage the cybersecurity risks associated with internet-of-things (IoT) and operational technology (OT) systems.

While steps have been taken to protect critical infrastructure against cyberattacks, GAO believes more should be done by certain agencies.

The US Energy Department has initiatives focusing on OT cybersecurity monitoring technologies and cybersecurity for OT environments. The Department of Health and Human Services provides pre-market and post-market cybersecurity management guidance for medical device manufacturers. The DHS and the Transportation Department’s initiatives include a surface transportation cybersecurity toolkit and a directive on enhancing rail cybersecurity.

These agencies have a leading role in protecting the energy, healthcare, and transportation critical infrastructure sectors against cyberattacks, and the aforementioned initiatives show their commitment to achieving their goals.

[ Read: Increasing Number of Threat Groups Targeting OT Systems in North America ]

However, the GAO is displeased with the fact that none of the three agencies have developed metrics to assess the effectiveness of these initiatives. In addition, they have not conducted IoT and OT cybersecurity risk assessments for the sector as a whole, which prevents them from knowing what other protections might be needed.

“Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown,” the GAO said.

The GAO has made a series of eight recommendations to the four agencies in charge of the energy, healthcare, and transportation sectors, focusing on the needs to establish and use metrics for assessing the effectiveness of IoT/OT cybersecurity efforts, and evaluating cybersecurity risks.

“The Departments of Homeland Security and Transportation concurred with the recommendations while Energy said it would not respond to the recommendations until after further coordination with other agencies. Health and Human Services neither agreed nor disagreed with the recommendations but noted planned actions. Specifically, the department said it planned to update its sector-specific plan but asserted that it cannot compel adoption of the plan in the private sector,” the GAO reported.

The agency pointed out that the IoT Cybersecurity Improvement Act of 2020 prohibits government organizations from buying or using IoT devices that are not compliant with NIST security standards after December 4, 2022. However, the Office of Management and Budget (OMB) had failed to develop a standardized process for waiving this prohibition by November 22, when GAO finished up its report. The GAO is concerned that this could lead to inconsistent actions being taken across agencies.

Related: US Offshore Oil and Gas Infrastructure at Significant Risk of Cyberattacks

Related: Over 12,000 Cyber Incidents at DoD Since 2015, But Incident Management Still Lacking

Related: Electricity Distribution Systems at Increasing Risk of Cyberattacks, GAO Warns

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.