What the GAO found
The country’s critical infrastructure sectors rely on electronic systems, including Internet of Things (IoT) and operational technology (OT) devices and systems. IoT generally refers to the technology and devices that enable large numbers of “things” in places such as buildings, transportation infrastructure, or homes to be networked and interconnected. OT are programmable systems or devices that interact with the physical environment, such as building automation systems that control machines to regulate and monitor temperature.
Image: Overview of Connected IT, Internet of Things (IoT) and Operational Technologies
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have published guidance and provided resources to help federal agencies and private entities manage IoT and OT-related cybersecurity risks. In particular, CISA has published guidelines, launched programs, issued alerts and recommendations on vulnerabilities affecting IoT and OT devices, and created OT working groups. NIST has published several guidance documents on IoT and OT, maintains a cybersecurity center of excellence, and created numerous working groups. In addition, the Federal Acquisition Regulation Board is considering updates to the Federal Acquisition Regulation to better manage IoT and OT cybersecurity risks.
Lead federal agencies have announced various cybersecurity initiatives to help protect three critical infrastructure sectors that make extensive use of IoT or OT devices and systems.
Title: Sector Lead Agencies’ Internet of Things (IoT) or Operational Technology (OT) Cybersecurity Initiatives

| Sector (Lead Federal Agency) | Examples of IoT or OT Initiatives |
|---|---|
| Energy (Department of Energy) | Considerations for OT Cybersecurity Monitoring Technologies: the guidance provides, for example, proposed evaluation considerations for technologies to monitor the OT cybersecurity of systems that distribute electricity through the grid. |
| Energy (Department of Energy) | Cyber Security for the Operational Technology Environment: the methodology aims to enhance energy sector threat detection of anomalous behavior in OT networks such as electricity distribution networks. |
| Health and Public Health (Department of Health and Human Services) | Pre-Market Guidance for Cyber Security Management: identifies cybersecurity issues for manufacturers to consider when designing and developing their medical devices, such as diagnostic equipment. |
| Health and Public Health (Department of Health and Human Services) | Postmarket Management of Cybersecurity in Medical Devices: provides recommendations for managing cybersecurity vulnerabilities for marketed and distributed medical devices such as infusion pumps. |
| Transportation Systems (Departments of Homeland Security and Transportation) | Surface Transportation Cybersecurity Toolkit: designed to provide informative cyber risk management tools and resources for control systems, for example those operating in ship mechanics. |
| Transportation Systems (Departments of Homeland Security and Transportation) | Department of Homeland Security Transportation Security Administration Railroad Cybersecurity Improvement Directive: requires actions such as conducting cybersecurity vulnerability assessments and developing cybersecurity incident response plans for high-risk railways. |

Source: GAO analysis of agency documents │ GAO-23-105327
However, none of the selected lead agencies have developed metrics to measure the effectiveness of their efforts. In addition, the agencies have not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices. Officials from the lead agency noted that they had difficulty evaluating the effectiveness of the program when relying on voluntary data from sector agencies. Nevertheless, without attempts to measure effectiveness and assess the risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown.
The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from purchasing or using an IoT device after December 4, 2022, unless the device meets standards developed by NIST. In accordance with the Act, in June 2021, NIST developed a draft guidance document that, among other things, provides information for agencies, companies, and industry to receive reported vulnerabilities and to ensure that organizations report discovered vulnerabilities. The act also requires the Office of Management and Budget (OMB) to create a standardized process for federal agencies to waive the ban on the purchase or use of non-compliant IoT devices if the waiver criteria detailed in the act are met.
As of November 22, 2022, OMB had not yet developed the mandated process for waiving the ban on the purchase or use of non-compliant IoT devices. OMB officials noted that the waiver process requires coordination and data collection with other agencies. According to OMB, it is targeting November 2022 to issue guidance on the waiver process. Given the Act’s restrictions on agency use of non-compliant IoT devices beginning in December 2022, the lack of a uniform waiver process could result in a range of inconsistent actions among agencies.
Why did the GAO do this study?
Cyber threats to critical infrastructure IoT and OT are a significant national security concern. Recent incidents such as ransomware attacks targeting healthcare and essential services during the COVID-19 pandemic demonstrate the cyber threats facing the nation’s critical infrastructure. Congress included provisions in the IoT Cybersecurity Improvement Act of 2020 to require GAO to report on IoT and OT cybersecurity efforts.
This report (1) describes overall federal IoT and OT cybersecurity initiatives; (2) evaluates the actions of selected federal agencies with lead sector responsibilities to enhance IoT and OT cybersecurity; and (3) establishes lead guidance for addressing IoT cybersecurity and determines the status of OMB’s process for waiving cybersecurity requirements for IoT devices. To describe common initiatives, GAO analyzed relevant guidance and related documents from several federal agencies.
To assess the lead agency’s actions, GAO first identified six critical infrastructure sectors deemed to be at greatest risk of cyber compromise. From these six, GAO then selected three sectors for review that make extensive use of IoT and OT devices and systems. The three sectors were energy, health and public health, and transportation systems. For each of these, GAO analyzed documents, met with sector officials, and compared the lead agency’s actions with federal requirements.
GAO also analyzed documents, interviewed officials from selected sectors, and compared the sector’s cybersecurity efforts to federal requirements. GAO also interviewed OMB officials regarding the status of the mandatory waiver process.