The US Government Accountability Office (GAO) has urged several federal agencies to conduct cybersecurity-related assessments in an effort to improve the protection of certain critical infrastructure sectors.
The GAO pointed out that the DHS, CISA and NIST have issued guidance, alerts, advisories, and other resources in an effort to help federal and private entities manage the cybersecurity risks associated with internet-of-things (IoT) and operational technology (OT) systems.
While steps have been taken to protect critical infrastructure against cyberattacks, GAO believes more should be done by certain agencies.
The US Energy Department has initiatives focusing on OT cybersecurity monitoring technologies and cybersecurity for OT environments. The Department of Health and Human Services provides pre-market and post-market cybersecurity management guidance for medical device manufacturers. The DHS and the Transportation Department’s initiatives include a surface transportation cybersecurity toolkit and a directive on enhancing rail cybersecurity.
These agencies have a leading role in protecting the energy, healthcare, and transportation critical infrastructure sectors against cyberattacks, and the aforementioned initiatives show their commitment to achieving their goals.
However, the GAO is displeased with the fact that none of the three agencies have developed metrics to assess the effectiveness of these initiatives. In addition, they have not conducted IoT and OT cybersecurity risk assessments for the sector as a whole, which prevents them from knowing what other protections might be needed.
“Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown,” the GAO said.
The GAO has made a series of eight recommendations to the four agencies in charge of the energy, healthcare, and transportation sectors, focusing on the need to establish and use metrics for assessing the effectiveness of IoT/OT cybersecurity efforts, and to evaluate cybersecurity risks.
“The Departments of Homeland Security and Transportation concurred with the recommendations while Energy said it would not respond to the recommendations until after further coordination with other agencies. Health and Human Services neither agreed nor disagreed with the recommendations but noted planned actions. Specifically, the department said it planned to update its sector-specific plan but asserted that it cannot compel adoption of the plan in the private sector,” the GAO reported.
The agency pointed out that the IoT Cybersecurity Improvement Act of 2020 prohibits government organizations from buying or using IoT devices that are not compliant with NIST security standards after December 4, 2022. However, the Office of Management and Budget (OMB) had not developed a standardized process for waiving this prohibition by November 22, when the GAO completed its report. The GAO is concerned that this could lead to inconsistent actions being taken across agencies.