Federal agencies with a lead role for critical infrastructure cybersecurity have not conducted risk assessments for Operational Technology (OT) and Internet of Things (IoT) systems and devices, the government watchdog says.
Critical infrastructure sectors rely on electronic systems including IoT and OT devices and systems to deliver essential services, such as electricity and healthcare. But these sectors face increasing cybersecurity threats. In 2021, the Federal Bureau of Investigation’s Internet Crime Complaint Center received 649 complaints that indicated organizations belonging to a critical infrastructure sector were victims of a ransomware attack. Of the 16 critical infrastructure sectors, the center indicated 14 sectors had at least one member that reported falling victim to a ransomware attack in 2021.
Recent events highlight the significant IoT and OT cyber threats facing the nation and the range of consequences that these attacks pose. In June 2022, the Department of Justice reported that a Russian botnet targeted a broad range of IoT and OT devices. These devices included time clocks, routers, audio/video streaming devices, smart garage door openers, and industrial control systems (ICSs), which are connected to and can communicate over the internet. Millions of devices were compromised, and victims ranged from large entities to individuals. In July 2022, a joint agency alert stated that a North Korean ransomware attack targeted healthcare and public health sector organizations. Specifically, the alert identified electronic health records services, diagnostics services, imaging services, and intranet services as targets.
To help federal agencies and private entities manage the cybersecurity risks associated with IoT and OT, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidance and provided resources. Specifically, CISA has published guidance, initiated programs, issued alerts and advisories on vulnerabilities affecting IoT and OT devices, and established working groups on OT. NIST has published several guidance documents on IoT and OT, maintained a center of cybersecurity excellence, and established numerous working groups. In addition, the Federal Acquisition Regulatory Council is considering updates to the Federal Acquisition Regulation to better manage IoT and OT cybersecurity risks.
The Government Accountability Office (GAO) has found that selected federal agencies with a lead role have reported various cybersecurity initiatives to help protect three critical infrastructure sectors – energy, healthcare and transportation – with extensive use of IoT or OT devices and systems. For example, pre-market guidance for the healthcare sector identifies issues related to cybersecurity for manufacturers to consider in the design and development of their medical devices, such as diagnostic equipment. Meanwhile, the Transportation Security Administration’s (TSA) Surface Transportation Cybersecurity Toolkit provides informative cyber risk management tools and resources for control systems that, for example, function on the mechanics of the vessel.
Despite these and numerous other activities, GAO has found that none of the lead agencies it assessed had developed metrics to assess the effectiveness of their IoT and OT cybersecurity efforts. Lead agency officials told GAO that it was difficult to assess program effectiveness when relying on voluntary information from sector entities. According to CISA officials, an updated National Plan, expected by the first quarter of 2023, will encourage each sector to develop sector-specific plans that may include additional sector-specific effectiveness and programmatic measures. CISA officials estimated that these updated sector-specific plans will follow the updated National Plan.
The watchdog also determined that the agencies had not conducted IoT and OT cybersecurity risk assessments. GAO found that although industry officials reported cybersecurity risks that may include IoT and OT, the risks were similar throughout the sectors and were often grouped with general threats and vulnerabilities to traditional IT, such as ransomware and phishing.
Transportation officials pointed out to GAO that the 2015 Transportation Systems Sector-Specific Plan identified sector risks that remain valid today. However, the watchdog responded that Department of Transportation officials had themselves stated they, in coordination with DHS, have not collected information explicitly related to IoT and OT devices used across the sector from the private sector owners and operators that control the vast majority of sector critical infrastructure. GAO added that officials had also stated the department is not fully aware of how OT is being used in the sector. Officials explained that there have not been any specific efforts to determine IoT and OT usage sector-wide, because cybersecurity is not narrowly focused on one technology.
As these findings indicate, IoT and OT devices are often considered a component of IT overall, and hence are not tracked separately. However, according to NIST guidance, part of understanding IoT device cybersecurity requirements involves first understanding IoT device uses and benefits, and then understanding the device's impact on system risk assessments. NIST guidance says it is important that organizations understand their use of IoT because many of these devices affect cybersecurity and privacy risks differently than conventional IT devices.
It is worth noting that the Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards. Pursuant to the act, in June 2021 NIST issued a draft guidance document that, among other things, provides information for agencies, companies and industry to receive reported vulnerabilities and for organizations to report found vulnerabilities. The act also requires the Office of Management and Budget (OMB) to establish a standardized process for federal agencies to waive the prohibition on procuring or using non-compliant IoT devices if waiver criteria detailed in the act are met. However, GAO found that as of November 22, 2022, OMB had not yet developed the mandated process for waiving the prohibition on procuring or using non-compliant IoT devices. OMB officials told the watchdog that the waiver process requires coordination and data gathering with other entities. Given the act’s restrictions on agency use of non-compliant IoT devices beginning in December 2022, GAO said the lack of a timely uniform waiver process could result in a range of inconsistent actions across agencies.
To address the shortcomings, GAO is making eight recommendations to the lead agencies of the reviewed sectors—the Departments of Energy, Health and Human Services, Homeland Security, and Transportation. GAO is recommending that each department establish and use metrics to assess the effectiveness of sector IoT and OT cybersecurity efforts and evaluate sector IoT and OT cybersecurity risks. GAO is also making one recommendation to OMB to expeditiously establish the required IoT cybersecurity waiver process.
The Departments of Homeland Security and Transportation concurred with the recommendations while Energy said it would not respond to the recommendations until after further coordination with other agencies. Health and Human Services neither agreed nor disagreed with the recommendations but noted planned actions. Specifically, the department said it planned to update its sector-specific plan but asserted that it cannot compel adoption of the plan in the private sector.
DHS said that TSA, in coordination with the U.S. Coast Guard and the Department of Transportation, is developing a draft sector-specific plan that is to include metrics for measuring effectiveness of efforts to enhance the cybersecurity of the sector’s IoT and OT environments. It also stated that TSA had incorporated cybersecurity issues including OT and IoT in its sector risk assessment and noted that it would continue efforts to include IoT and OT devices in risk assessments. DHS estimated that it will complete these efforts by June 28, 2024.
Federal agencies have not implemented most of GAO’s earlier recommendations related to the challenge of protecting critical infrastructure. Of the over 90 recommendations made in the watchdog’s public reports since 2010, over 50 had not been implemented as of June 2022.