GAO report identifies need to better secure IoT and OT devices across critical infrastructure

The U.S. Government Accountability Office (GAO) released on Thursday a report on the actions needed to improve the security of Internet-connected devices across the nation’s critical infrastructure sectors. The report describes overall federal IoT and OT cybersecurity initiatives, assesses the actions of selected federal agencies with lead responsibility for enhancing IoT and OT cybersecurity in their sectors, identifies leading guidance for addressing IoT cybersecurity, and determines the status of the Office of Management and Budget’s (OMB) process for waiving cybersecurity requirements for IoT devices.

To describe overall initiatives, GAO analyzed pertinent guidance and related documentation from several federal agencies, while to assess lead agency actions, GAO first identified the six critical infrastructure sectors considered to have the greatest risk of cyber compromise. From these six, GAO then selected for review three sectors that had extensive use of IoT and OT devices and systems. The three sectors were energy, healthcare and public health, and transportation systems. For each of these, GAO analyzed documentation, interviewed sector officials, and compared lead agency actions to federal requirements.

GAO also analyzed documentation, interviewed officials from the selected sectors, and compared those sectors’ cybersecurity efforts to federal requirements. Additionally, GAO interviewed OMB officials to assess the status of the mandated waiver process.

The report also identified that none of the selected SRMAs (Sector Risk Management Agencies) have conducted sector-wide risk assessments specific to IoT and OT devices. Effective risk management of IoT and OT environments is essential to ensuring sector cybersecurity. Until SRMAs conduct sector-wide risk assessments that include IoT and OT, mitigation action priorities may not be focused on the risks with the most significant estimated adverse impact and frequency.

“While the three selected sectors’ SRMAs reported various IoT and OT cybersecurity efforts, none of the SRMAs have evaluated the effectiveness of these. Further, the SRMAs have not conducted cybersecurity risk assessments specific to their sectors’ IoT and OT environments,” the GAO reported. “Until the SRMAs establish IoT and OT-specific metrics, they will be unable to fully measure the effectiveness of their efforts to improve the cybersecurity of critical infrastructure. Establishing metrics, as part of sector-specific plans, will provide a basis for SRMAs to establish accountability, document actual performance, promote effective management, and provide a feedback mechanism to inform decision-making,” it added.

GAO additionally recognizes the voluntary character of the relationship between each lead department and its critical infrastructure sector. However, establishing IoT and OT-specific metrics will provide a basis for the department to establish accountability, document actual performance, promote effective management, and provide a feedback mechanism to inform decision-making.

The GAO further noted that OMB had said it was targeting November 2022 for the release of guidance on the waiver process. “As of November 22, 2022, OMB had not yet developed the mandated process for waiving the prohibition on procuring or using non-compliant IoT devices. OMB officials noted that the waiver process requires coordination and data gathering with other entities,” the report added.

“Given the act’s restrictions on agency use of non-compliant IoT devices beginning in December 2022, the lack of a uniform waiver process could result in a range of inconsistent actions across agencies,” the report stated.

The GAO report takes into account that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidance and provided resources to help federal agencies and private entities manage the cybersecurity risks associated with IoT and OT. Specifically, CISA has published guidance, initiated programs, issued alerts and advisories on vulnerabilities affecting IoT and OT devices, and established working groups on OT. NIST has published several guidance documents on IoT and OT, maintained a center of cybersecurity excellence, and established numerous working groups.

Additionally, the Federal Acquisition Regulatory Council is considering updates to the Federal Acquisition Regulation to better manage IoT and OT cybersecurity risks. Selected federal agencies with a lead role have reported various cybersecurity initiatives to help protect three critical infrastructure sectors with extensive use of IoT or OT devices and systems.

Examples of IoT or OT initiatives in the energy sector cited by the GAO report include the Considerations for OT Cybersecurity Monitoring Technologies guidance, which provides suggested evaluation considerations for technologies that monitor the OT cybersecurity of systems that, for example, distribute electricity through the grid. “Cybersecurity for the Operational Technology Environment methodology aims to enhance energy sector threat detection of anomalous behavior in OT networks, such as electricity distribution networks,” the report added.

In the case of the healthcare sector, the GAO covered the pre-market guidance for the management of cybersecurity that identifies issues related to cybersecurity for manufacturers to consider in the design and development of their medical devices, such as diagnostic equipment. The report added that the post-market management of cybersecurity in medical devices provides recommendations for managing cybersecurity vulnerabilities for marketed and distributed medical devices, such as infusion pumps.

Moving over to the transportation sector, the report covered the surface transportation cybersecurity toolkit, designed to provide cyber risk management tools and resources for control systems that, for example, operate the mechanics of a vessel. “Department of Homeland Security’s Transportation Security Administration’s Enhancing Rail Cybersecurity Directive requires actions, such as conducting a cybersecurity vulnerability assessment and developing cybersecurity incident response plans for higher risk railroads,” it added.

However, none of the selected lead agencies had developed metrics to assess the effectiveness of their efforts. Further, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices. Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure the effectiveness and assess the risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown. 

The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards. In accordance with the act, NIST issued in June 2021 a draft guidance document that, among other things, provides information for agencies, companies, and industries on receiving reported vulnerabilities and for organizations on reporting vulnerabilities they find. The act also requires OMB to establish a standardized process for federal agencies to waive the prohibition on procuring or using non-compliant IoT devices if the waiver criteria detailed in the act are met.

The GAO made a total of nine recommendations, including two each to Energy, HHS, DHS, and DOT, and one to OMB.

For the energy sector, the GAO recommends that the secretary of Energy, as SRMA for the energy sector, should direct the director of the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector’s IoT and OT environments. Additionally, the secretary of Energy, as SRMA for the energy sector, should direct the director of CESER to include IoT and OT devices as part of the risk assessments of their sector’s cyber environment.

In the case of the healthcare sector, the GAO recommended that the secretary of Health and Human Services, as SRMA for the healthcare and public health sector, should direct the assistant secretary for preparedness and response to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector’s IoT and OT environments. Additionally, the secretary of Health and Human Services, as SRMA for the healthcare and public health sector, should direct the assistant secretary for preparedness and response to include IoT and OT devices as part of the risk assessments of their sector’s cyber environment. 

Coming to the transportation sector, the GAO recommends that the secretary of Homeland Security should direct the administrator of the Transportation Security Administration (TSA) and the commandant of the U.S. Coast Guard to jointly work with the Department of Transportation’s (DOT) Office of Intelligence, Security and Emergency Response, as co-SRMAs for the transportation systems sector, to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector’s IoT and OT environments. 

Furthermore, the secretary of Homeland Security should direct the administrator of the TSA and the commandant of the U.S. Coast Guard to jointly work with the DOT’s Office of Intelligence, Security and Emergency Response, as co-SRMAs for the transportation systems sector, to include IoT and OT devices as part of the risk assessments of their sector’s cyber environment.

The GAO report also called upon the secretary of Transportation to direct the director of the Office of Intelligence, Security and Emergency Response to jointly work with the administrator of DHS’s TSA and the commandant of the U.S. Coast Guard, as co-SRMAs for the transportation systems sector, to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector’s IoT and OT environments.

The report also recommends that the secretary of Transportation should direct the director of the Office of Intelligence, Security and Emergency Response to jointly work with the administrator of DHS’s TSA and the commandant of the U.S. Coast Guard, as co-SRMAs for the transportation systems sector, to include IoT and OT devices as part of the risk assessments of their sector’s cyber environment. Furthermore, it calls upon the OMB director, as required by the Internet of Things Cybersecurity Improvement Act of 2020, to expeditiously establish a standardized process for the Chief Information Officer of each covered agency to follow in determining whether an IoT cybersecurity waiver may be granted.

Last month, CISA published voluntary, non-comprehensive cross-sector cybersecurity performance goals (CPGs) to help establish a standard set of fundamental cybersecurity practices for the critical infrastructure sectors. These benchmark goals will benefit small and medium-sized organizations as they kick-start their cybersecurity efforts.
