Our country’s critical infrastructure includes sectors that provide essential services such as electricity, healthcare and transportation. These sectors increasingly rely on Internet-connected technologies to support their missions and operations, such as the Internet of Things. However, the use of this technology also leaves critical infrastructure vulnerable to cyberattacks – such as the May 2021 ransomware cyberattack on the American oil pipeline system that caused regional gas shortages.
The federal government plays an important role in protecting this infrastructure from cyberattacks. Today’s WatchBlog post looks at our latest report on the cybersecurity of internet-connected devices and federal efforts to secure those devices.
Where are the potential weaknesses?
The use of the Internet of Things (IoT) and operational technology (OT) creates access points that can leave critical infrastructure vulnerable to cyberattacks.
- Some examples of IoT in critical infrastructure include building access control and badge readers, fuel usage or route monitoring, or apps that advise passengers when the next bus or train is coming. In healthcare, connected medical devices such as pacemakers and MRIs are also part of the IoT.
- OT can be found in a variety of environments, such as power generating stations and as part of power grids, production lines of medical device and pharmaceutical manufacturers, ship-to-shore cranes, and train speed control devices.
Description of Critical Infrastructure Sector Use of Internet-Connected Devices
IoT and OT devices and systems that support our nation’s critical infrastructure are inherently at risk. Risks include growing and emerging threats from around the world, new and more destructive attacks, and unwitting or unwitting employee insider threats.
Cyber threats to IoT and OT can include targeted attacks, environmental disruption, and human/machine error. These events may harm the national and economic security interests of the United States.
For example, in July 2022, federal agencies leading cybersecurity, law enforcement, and homeland security efforts warned healthcare institutions (such as hospitals) to shut down devices that use the IoT. This was in response to the threat of North Korean cyber attackers attempting to use the IoT (among other access points) to gain access to medical IT systems and hold medical data and information for ransom.
Federal efforts to reduce IoT and OT cybersecurity risks
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Science and Technology (NIST) have provided guidance and resources to help federal agencies and private entities manage cyber risks associated with Internet-connected devices. In addition, each critical infrastructure sector has a lead agency responsible for assisting and protecting one or more of the nation’s 16 critical infrastructures, including supporting their designated sector’s security and resilience programs and related activities. For example, the health care sector’s cybersecurity efforts are led by the Department of Health and Human Services.
For our December report, we caught up with agencies to find out how they measure the effectiveness of their efforts. We found that they did not conduct risk assessments of their use of IoT and OT. Without conducting industry-wide risk assessments, organizations will not know what additional security protections may be needed to address growing and evolving threats. We advised them to conduct risk assessments including IoT and OT.
The agencies responsible for leading our country’s critical infrastructure sectors told us that the relationship between the private sector and government is voluntary. This, they say, makes it difficult to gather insights and measure their progress toward their cybersecurity goals. However, we believe that more can be achieved by these agencies, and we have recommended that these agencies address these gaps in their cybersecurity plans.
Learn more about our work on cybersecurity risks in IoT and OP and federal efforts to address them by viewing our full report.