US GAO report identifies need to better secure IoT, OT devices across critical infrastructure

The nation’s 16 critical infrastructure sectors rely on internet-connected devices and systems to deliver essential services, such as electricity and health care. These sectors face increasing cybersecurity threats, an issue on GAO’s high-risk list.

Federal agencies that have leadership roles in the three sectors GAO reviewed have taken some steps to manage the cybersecurity risks posed by internet-connected devices and systems. But they have not assessed risks to the sectors as a whole. Without a holistic assessment, the agencies cannot know what additional cybersecurity protections might be needed.

What GAO found

The nation’s critical infrastructure sectors rely on electronic systems, including Internet of Things (IoT) and operational technology (OT) devices and systems. IoT generally refers to the technologies and devices that allow for the network connection and interaction of a wide array of “things,” throughout such places as buildings, transportation infrastructure, or homes. OT are programmable systems or devices that interact with the physical environment, such as building automation systems that control machines to regulate and monitor temperature.

To help federal agencies and private entities manage the cybersecurity risks associated with IoT and OT, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidance and provided resources. Specifically, CISA has published guidance, initiated programs, issued alerts and advisories on vulnerabilities affecting IoT and OT devices, and established working groups on OT. NIST has published several guidance documents on IoT and OT, maintained a centre of cybersecurity excellence, and established numerous working groups. In addition, the Federal Acquisition Regulatory Council is considering updates to the Federal Acquisition Regulation to better manage IoT and OT cybersecurity risks.

Selected federal agencies with a lead role have reported various cybersecurity initiatives to help protect three critical infrastructure sectors with extensive use of IoT or OT devices and systems.

Sector lead agencies’ Internet of Things (IoT) or operational technology (OT) cybersecurity initiatives

Sector (lead federal agency) | Examples of IoT or OT initiatives

Energy (Department of Energy)
- Considerations for OT cybersecurity monitoring technologies: guidance that provides suggested evaluation considerations for technologies to monitor the OT cybersecurity of systems that, for example, distribute electricity through the grid.
- Cybersecurity for the operational technology environment: a methodology that aims to enhance energy sector threat detection of anomalous behaviour in OT networks, such as electricity distribution networks.

Healthcare and public health (Department of Health and Human Services)
- Pre-market guidance for management of cybersecurity: identifies cybersecurity issues for manufacturers to consider in the design and development of their medical devices, such as diagnostic equipment.
- Post-market management of cybersecurity in medical devices: provides recommendations for managing cybersecurity vulnerabilities in marketed and distributed medical devices, such as infusion pumps.

Transportation systems (Departments of Homeland Security and Transportation)
- Surface transportation cybersecurity toolkit: designed to provide informative cyber risk management tools and resources for control systems that, for example, operate the mechanics of a vessel.
- The Department of Homeland Security’s Transportation Security Administration’s enhancing rail cybersecurity directive: requires actions, such as conducting a cybersecurity vulnerability assessment and developing cybersecurity incident response plans, for higher-risk railroads.

However, none of the selected lead agencies had developed metrics to assess the effectiveness of their efforts. Further, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices. Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown.

The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards. Pursuant to the act, in June 2021 NIST issued a draft guidance document that, among other things, provides information for agencies, companies and industry to receive reported vulnerabilities and for organisations to report found vulnerabilities. The act also requires the Office of Management and Budget (OMB) to establish a standardised process for federal agencies to waive the prohibition on procuring or using non-compliant IoT devices if waiver criteria detailed in the act are met.

As of November 22, 2022, OMB had not yet developed the mandated process for waiving the prohibition on procuring or using non-compliant IoT devices. OMB officials noted that the waiver process requires coordination and data gathering with other entities. According to OMB, it is targeting November 2022 for the release of guidance on the waiver process. Given the act’s restrictions on agency use of non-compliant IoT devices beginning in December 2022, the lack of a uniform waiver process could result in a range of inconsistent actions across agencies.

Why GAO did this study

Cyber threats to critical infrastructure IoT and OT represent a significant national security challenge. Recent incidents such as the ransomware attacks targeting health care and essential services during the COVID-19 pandemic illustrate the cyber threats facing the nation’s critical infrastructure. Congress included provisions in the IoT Cybersecurity Improvement Act of 2020 for GAO to report on IoT and OT cybersecurity efforts.

The report (1) describes overall federal IoT and OT cybersecurity initiatives; (2) assesses actions of selected federal agencies with a lead sector responsibility for enhancing IoT and OT cybersecurity; and (3) identifies leading guidance for addressing IoT cybersecurity and determines the status of OMB’s process for waiving cybersecurity requirements for IoT devices. To describe overall initiatives, GAO analysed pertinent guidance and related documentation from several federal agencies.

To assess lead agency actions, GAO first identified the six critical infrastructure sectors considered to have the greatest risk of cyber compromise. From these six, GAO then selected for review three sectors that had extensive use of IoT and OT devices and systems. The three sectors were energy, healthcare and public health, and transportation systems. For each of these, GAO analysed documentation, interviewed sector officials, and compared lead agency actions to federal requirements.

GAO also analysed documentation, interviewed officials from the selected sectors, and compared those sectors’ cybersecurity efforts to federal requirements. GAO also interviewed OMB officials on the status of the mandated waiver process.

Recommendations

GAO is making eight recommendations to the lead agencies of the reviewed sectors – the Departments of Energy, Health and Human Services, Homeland Security, and Transportation. GAO is recommending that each department (1) establish and use metrics to assess the effectiveness of sector IoT and OT cybersecurity efforts and (2) evaluate sector IoT and OT cybersecurity risks. GAO is also making one recommendation to OMB to expeditiously establish the required IoT cybersecurity waiver process.

The Departments of Homeland Security and Transportation concurred with the recommendations while Energy said it would not respond to the recommendations until after further coordination with other agencies. Health and Human Services neither agreed nor disagreed with the recommendations but noted planned actions. Specifically, the department says it plans to update its sector-specific plan but asserted that it cannot compel adoption of the plan in the private sector. GAO recognises the voluntary character of the relationship between the department and the critical infrastructure sector. However, establishing IoT and OT specific metrics will provide a basis for the department to establish accountability, document actual performance, promote effective management, and provide a feedback mechanism to inform decision-making.

OMB stated that the agency is targeting November 2022 for release of guidance on the waiver process. As of November 22, 2022, OMB had not yet issued this guidance.

Recommendations for executive action

Agency affected | Recommendation | Status

Department of Energy | Recommendation 1: The Secretary of Energy, as Sector Risk Management Agency (SRMA) for the energy sector, should direct the Director of the Office of Cybersecurity, Energy Security, and Emergency Response to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector’s IoT and OT environments. | Open

Department of Energy | Recommendation 2: The Secretary of Energy, as SRMA for the energy sector, should direct the Director of the Office of Cybersecurity, Energy Security, and Emergency Response to include IoT and OT devices as part of the risk assessments of their sector’s cyber environment. | Open

Department of Health and Human Services | Recommendation 3: The Secretary of Health and Human Services, as SRMA for the healthcare and public health sector, should direct the Assistant Secretary for Preparedness and Response to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector’s IoT and OT environments. | Open

Department of Health and Human Services | Recommendation 4: The Secretary of Health and Human Services, as SRMA for the healthcare and public health sector, should direct the Assistant Secretary for Preparedness and Response to include IoT and OT devices as part of the risk assessments of their sector’s cyber environment. | Open

Department of Homeland Security | Recommendation 5: The Secretary of Homeland Security should direct the Administrator of the Transportation Security Administration and the Commandant of the U.S. Coast Guard to jointly work with the Department of Transportation’s Office of Intelligence, Security and Emergency Response, as co-SRMAs for the transportation systems sector, to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector’s IoT and OT environments. | Open

Department of Homeland Security | Recommendation 6: The Secretary of Homeland Security should direct the Administrator of the Transportation Security Administration and the Commandant of the U.S. Coast Guard to jointly work with the Department of Transportation’s Office of Intelligence, Security and Emergency Response, as co-SRMAs for the transportation systems sector, to include IoT and OT devices as part of the risk assessments of their sector’s cyber environment. | Open

Department of Transportation | Recommendation 7: The Secretary of Transportation should direct the Director, Office of Intelligence, Security and Emergency Response to jointly work with the Administrator of DHS’s Transportation Security Administration and the Commandant of the U.S. Coast Guard, as co-SRMAs for the transportation systems sector, to use the National Plan to develop a sector-specific plan that includes metrics for measuring the effectiveness of their efforts to enhance the cybersecurity of their sector’s IoT and OT environments. | Open

Department of Transportation | Recommendation 8: The Secretary of Transportation should direct the Director, Office of Intelligence, Security and Emergency Response to jointly work with the Administrator of DHS’s Transportation Security Administration and the Commandant of the U.S. Coast Guard, as co-SRMAs for the transportation systems sector, to include IoT and OT devices as part of the risk assessments of their sector’s cyber environment. | Open

Office of Management and Budget | Recommendation 9: The Director of OMB should, as required by the Internet of Things Cybersecurity Improvement Act of 2020, expeditiously establish a standardised process for the Chief Information Officer of each covered agency to follow in determining whether the IoT cybersecurity waiver may be granted. | Open

Status note for all nine recommendations: when GAO confirms what actions the agency has taken in response to the recommendation, it will provide updated information.
