A new report from the Government Accountability Office (GAO) is calling on Federal agencies to better protect critical infrastructure sectors by conducting Internet of Things (IoT) and operational technology (OT) risk assessments, as well as developing better metrics to assess their existing IoT and OT efforts.
The government watchdog examined the Federal agencies designated as leads for three critical infrastructure sectors: energy, healthcare and public health, and transportation systems. While those agencies have taken some steps to manage the cybersecurity risks posed by IoT and OT devices and systems, GAO said they have not assessed risks to the sectors as a whole.
“Without a holistic assessment, the agencies can’t know what additional cybersecurity protections might be needed,” GAO said.
The selected lead agencies included the Departments of Energy, Health and Human Services, Homeland Security, and Transportation.
“None of the selected lead agencies had developed metrics to assess the effectiveness of their efforts,” the agency added. “Further, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices.”
GAO also flagged that the Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after Dec. 4, 2022, if that device is considered “non-compliant” with standards developed by the National Institute of Standards and Technology (NIST).
The act requires the Office of Management and Budget (OMB) to establish a standardized process for agencies “to waive the prohibition on procuring or using non-compliant IoT devices if waiver criteria detailed in the act are met.” However, as of November 2022, OMB had yet to develop the mandated process for waiving the prohibition.
“Given the act’s restrictions on agency use of non-compliant IoT devices beginning in December 2022, the lack of a uniform waiver process could result in a range of inconsistent actions across agencies,” GAO said.
GAO made eight recommendations, including for OMB to quickly establish the required IoT cybersecurity waiver process. Additionally, GAO is recommending the other lead agencies establish and use metrics to assess the effectiveness of sector IoT and OT cybersecurity efforts, as well as evaluate sector IoT and OT cybersecurity risks.
“The Departments of Homeland Security and Transportation concurred with the recommendations while Energy said it would not respond to the recommendations until after further coordination with other agencies,” GAO said. “Health and Human Services neither agreed nor disagreed with the recommendations but noted planned actions. Specifically, the department said it planned to update its sector-specific plan but asserted that it cannot compel adoption of the plan in the private sector.”
Further, OMB noted that it was targeting November 2022 for releasing guidance on the waiver process, but GAO said as of Nov. 22, 2022, OMB had not yet issued this guidance.