Updated on 2022-12-05: GAO report on IoT/OT security
A GAO report published last week found that US government departments have paid little to no attention to the types and security of their internet-connected devices. What else is new? The report has several recommendations for the Department of Energy, the Department of Homeland Security, and the Department of Health and Human Services. Read more: Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices
Overview: GAO: US Government Agencies Need to Improve Critical Infrastructure Cybersecurity
The US Government Accountability Office (GAO) is calling on lead agencies for certain critical infrastructure (CI) sectors to “establish and use metrics to assess the effectiveness of sector IoT and OT cybersecurity efforts and evaluate sector IoT and OT cybersecurity risks.” In addition to assessing and evaluating risks, GAO has made agency-specific recommendations to the Departments of Energy; Health and Human Services; Homeland Security; and Transportation.
- GAO almost lost me in the Executive Summary when they used one of the dreaded null value words, “holistic” (“heuristic” is the other one). But they did point out that as of 4 December 2022, Government agencies can’t buy IoT devices that don’t meet NIST standards that most don’t meet, and that OMB had failed to define a waiver process. Even some of the most impactful government procurement restrictions (like requiring FIPS 140-1 compliance in all procurement of cryptography) require at least a temporary waiver in order to get going and have actual effect on markets. On 2 December OMB issued waiver guidance [www.whitehouse.gov: Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements (PDF)] that requires CIOs to justify not meeting the new regulations. OMB did not require that waivers be reviewed or contain any “sunset” provision, so the long-term forecast is for blizzards of waivers and little increase in IoT device security.
- Developing metrics to measure the effectiveness of OT/IoT cyber security can be complicated by their isolation. Currently, federal agencies secure systems using a risk-based approach, driven from the NIST Risk Management Framework, which includes OT and IT systems. Odds are your OT administrators are not familiar with your security framework but are actually aware of an OT framework such as the Purdue model. Take the time to work with them to crosswalk the two before proposing changes so you can come from a common understanding. You are likely already on the same page about the end goals; you just need to align the details and document how you’re getting there, which could help you develop metrics and measurements of your success.
- Worthy but difficult goals. With much of IT, we can outsource to large providers. No one needs to secure their own mail server anymore, for example. With all the OT that makes critical infrastructure so critical, there’s no easy way to consolidate defensive efforts.
- Creation of a common set of metrics, across all industry sectors, is a good thing. When it comes to measuring cybersecurity best practices, each sector has more in common than not.
Read more in