GAO warns government agencies: focus on IoT and OT within critical infrastructure

The US Government Accounting Office (GAO) continues to highlight shortcomings in the cybersecurity posture of government entities responsible for the protection of United States infrastructure when it comes to internet of things (IoT) and operational technology (OT) devices and systems. In a recent report, the GAO shone a light on the Departments of Energy, Health and Human Services, Homeland Security, and Transportation. How each of these entities reacted and responded to its recommendations was telling.

In its forward to Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices, the GAO noted that the Departments of Homeland Security and Transportation concurred with the GAO recommendations, Energy deferred a response until “further coordination with other agencies,” and Health and Human Services punted, saying it “neither agreed nor disagreed with the recommendations but noted planned actions,” adding that it doesn’t have the ability to compel the private sector to adopt any cybersecurity plan.

GAO cybersecurity recommendations haven’t been implemented

The GAO highlighted its previous efforts, stating that the federal agencies continue to have “not implemented most of our recommendations related to the challenge of protecting critical infrastructure.” The GAO said that of the more than 90 recommendations made in its public reports since 2010, more than 50 had not been implemented as of June 2022. “We have also designated 14 as priority recommendations, and as of June 2022, 10 had not been implemented. Until our recommendations are fully implemented, federal agencies may be limited in their ability to ensure the critical infrastructures are protected from potentially harmful cybersecurity threats.”

All government is now operating under the mandate that any procurement or use of an IoT device must comply with NIST-developed standards. The Office of Management and Budget (OMB) holds the responsibility to craft a “standardized process for federal agencies to waive the prohibition on procuring non-compliant IoT devices if waiver criteria” are met as detailed in the Internet of Things Cybersecurity Improvement Act of 2020.

That criterion is not complex. The CISO at a given agency determines that national security concerns require a waiver, the procurement of the non-compliant device is for research purposes, or the device is secured through other means. As noted above, the OMB is responsible for sharing with each agency CIO the means by which they may apply for a waiver. Government agencies are waiting for the OMB, which should have had the process in place prior to the December 4 mandated date for implementation. The GAO notes that this lack of a process “could result in a range of inconsistent actions across agencies.”

Key government entities seem to be flying blind on critical infrastructure security

Delving deeper into the 80-page report, one is left with the distinct impression that key entities charged with protecting government infrastructure are flying blind. When surveyed, 56 of the 90 government agencies noted that they were using IoT or OT devices in their infrastructure, including the four departments discussed in the report. While some departments are invested in improving their status quo, the fact that both Energy and Health and Human Services aren’t more proactively embracing the recommendations is troubling, especially given the plethora of connected devices within the ecosystem of both sectors.

Eight GAO recommendations to the identified agencies focused on establishing a means to measure the “effectiveness of their efforts to enhance cybersecurity of their sector’s IoT/OT environments.” The ninth recommendation was a zinger directed at the director of the OMB to get their collective act together and “expeditiously establish a standardized process for the CIO of each covered agency to follow in determining whether the IoT cybersecurity waiver may be granted.”

GAO report flags resources for CISOs and CIOs

CIOs and CISOs have resources available, many of which are described in detail within the GAO report, via NIST and CISA to assist with their understanding and secure deployment of IoT or OT systems and devices. In addition, both NIST and CISA guidance are available to industry, those creating the devices and software used in the systems, on how to ensure their devices are compliant with the desired NIST standards.

To be clear, many in industry are researching the tangential effects which IoT/OT have on information security posture. At the recent Acronis Cyberfit Summit, Acronis CEO Patrick Pulvermueller observed that his company was heavily engaged in researching how to protect the plethora of IoT devices that are being used within the company’s infrastructure and in the provision of goods and services. He said Acronis understands that its own source code is a target, given its prominence in the systems of providers and their clients. For that reason, any updates to source code require sign-off by seven separate individuals.

A significant national security challenge

That said, the report also highlights how private sector entities have observed that the ease with which they are able to engage at the granular level is challenging, with much of the information concerning threats being shared at the information level and not as actionable intelligence. Public-private sharing continues to be an ongoing challenge.

The report concludes that Federal Acquisition Regulatory Council officials are considering a rewrite of the FAR (Federal Acquisition Regulations) which will affect cybersecurity, including those associated with IoT and OT.

The GAO starkly states why the government agencies must move forward in an expeditious manner: “Increasing cyber threats to critical infrastructure and their IoT and OT devices and systems represent a significant national security challenge.”