Effective URL: https://www.gao.gov/products/gao-23-105327?utm_campaign=usgao_email&utm_content=topic_homelandsecurity&utm_medium=em...

U.S. Government Accountability Office
CRITICAL INFRASTRUCTURE: ACTIONS NEEDED TO BETTER SECURE INTERNET-CONNECTED DEVICES

GAO-23-105327 Published: Dec 01, 2022. Publicly Released: Dec 01, 2022.

Fast Facts

The nation's 16 critical infrastructure sectors rely on internet-connected
devices and systems to deliver essential services, such as electricity and
health care. These sectors face increasing cybersecurity threats—an issue on our
High Risk list.

Federal agencies that have leadership roles in 3 sectors we reviewed have taken
some steps to manage the cybersecurity risks posed by internet-connected devices
and systems. But they've not assessed risks to the sectors as a whole. Without a
holistic assessment, the agencies can't know what additional cybersecurity
protections might be needed.

Our recommendations address this and more.

Highlights


WHAT GAO FOUND

The nation's critical infrastructure sectors rely on electronic systems,
including Internet of Things (IoT) and operational technology (OT) devices and
systems. IoT generally refers to the technologies and devices that allow for the
network connection and interaction of a wide array of “things,” throughout such
places as buildings, transportation infrastructure, or homes. OT are
programmable systems or devices that interact with the physical environment,
such as building automation systems that control machines to regulate and
monitor temperature.

Figure: Overview of Connected IT, Internet of Things (IoT), and Operational Technology

To help federal agencies and private entities manage the cybersecurity risks
associated with IoT and OT, the Department of Homeland Security's Cybersecurity
and Infrastructure Security Agency (CISA) and the National Institute of
Standards and Technology (NIST) have issued guidance and provided resources.
Specifically, CISA has published guidance, initiated programs, issued alerts and
advisories on vulnerabilities affecting IoT and OT devices, and established
working groups on OT. NIST has published several guidance documents on IoT and
OT, maintained a center of cybersecurity excellence, and established numerous
working groups. In addition, the Federal Acquisition Regulatory Council is
considering updates to the Federal Acquisition Regulation to better manage IoT
and OT cybersecurity risks.

Selected federal agencies with a lead role have reported various cybersecurity
initiatives to help protect three critical infrastructure sectors with extensive
use of IoT or OT devices and systems.

Title: Sector Lead Agencies' Internet of Things (IoT) or Operational Technology
(OT) Cybersecurity Initiatives

Sector (Lead Federal Agency): Examples of IoT or OT Initiatives

Energy (Department of Energy)
 * Considerations for OT Cybersecurity Monitoring Technologies guidance provides
   suggested evaluation considerations for technologies to monitor OT
   cybersecurity of systems that, for example, distribute electricity through
   the grid.
 * Cybersecurity for the Operational Technology Environment methodology aims to
   enhance energy sector threat detection of anomalous behavior in OT networks,
   such as electricity distribution networks.

Healthcare and public health (Department of Health and Human Services)
 * Pre-market Guidance for Management of Cybersecurity identifies issues
   related to cybersecurity for manufacturers to consider in the design and
   development of their medical devices, such as diagnostic equipment.
 * Post-market Management of Cybersecurity in Medical Devices provides
   recommendations for managing cybersecurity vulnerabilities for marketed and
   distributed medical devices, such as infusion pumps.

Transportation systems (Departments of Homeland Security and Transportation)
 * Surface Transportation Cybersecurity Toolkit is designed to provide
   informative cyber risk management tools and resources for control systems
   that, for example, function on the mechanics of the vessel.
 * Department of Homeland Security's Transportation Security Administration's
   Enhancing Rail Cybersecurity Directive requires actions, such as conducting
   a cybersecurity vulnerability assessment and developing cybersecurity
   incident response plans, for higher risk railroads.

Source: GAO analysis of agency documentation │ GAO-23-105327

However, none of the selected lead agencies had developed metrics to assess the
effectiveness of their efforts. Further, the agencies had not conducted IoT and
OT cybersecurity risk assessments. Both of these activities are best practices.
Lead agency officials noted difficulty assessing program effectiveness when
relying on voluntary information from sector entities. Nevertheless, without
attempts to measure effectiveness and assess risks of IoT and OT, the success of
initiatives intended to mitigate risks is unknown.

The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits
agencies from procuring or using an IoT device after December 4, 2022, if that
device is considered non-compliant with NIST-developed standards. Pursuant to
the act, in June 2021 NIST issued a draft guidance document that, among other
things, provides information for agencies, companies and industry to receive
reported vulnerabilities and for organizations to report found vulnerabilities.
The act also requires the Office of Management and Budget (OMB) to establish a
standardized process for federal agencies to waive the prohibition on procuring
or using non-compliant IoT devices if waiver criteria detailed in the act are
met.

As of November 22, 2022, OMB had not yet developed the mandated process for
waiving the prohibition on procuring or using non-compliant IoT devices. OMB
officials noted that the waiver process requires coordination and data gathering
with other entities. According to OMB, it is targeting November 2022 for the
release of guidance on the waiver process. Given the act's restrictions on
agency use of non-compliant IoT devices beginning in December 2022, the lack of
a uniform waiver process could result in a range of inconsistent actions across
agencies.


WHY GAO DID THIS STUDY

Cyber threats to critical infrastructure IoT and OT represent a significant
national security challenge. Recent incidents—such as the ransomware attacks
targeting health care and essential services during the COVID-19
pandemic—illustrate the cyber threats facing the nation's critical
infrastructure. Congress included provisions in the IoT Cybersecurity
Improvement Act of 2020 for GAO to report on IoT and OT cybersecurity efforts.

This report (1) describes overall federal IoT and OT cybersecurity initiatives;
(2) assesses actions of selected federal agencies with a lead sector
responsibility for enhancing IoT and OT cybersecurity; and (3) identifies
leading guidance for addressing IoT cybersecurity and determines the status of
OMB's process for waiving cybersecurity requirements for IoT devices. To
describe overall initiatives, GAO analyzed pertinent guidance and related
documentation from several federal agencies.

To assess lead agency actions, GAO first identified the six critical
infrastructure sectors considered to have the greatest risk of cyber compromise.
From these six, GAO then selected for review three sectors that had extensive
use of IoT and OT devices and systems. The three sectors were energy, healthcare
and public health, and transportation systems. For each of these, GAO analyzed
documentation, interviewed sector officials, and compared lead agency actions to
federal requirements.

GAO also analyzed documentation, interviewed officials from the selected
sectors, and compared those sectors' cybersecurity efforts to federal
requirements. GAO also interviewed OMB officials on the status of the mandated
waiver process.



RECOMMENDATIONS

GAO is making eight recommendations to the lead agencies of the reviewed
sectors—the Departments of Energy, Health and Human Services, Homeland Security,
and Transportation. GAO is recommending that each department (1) establish and
use metrics to assess the effectiveness of sector IoT and OT cybersecurity
efforts and (2) evaluate sector IoT and OT cybersecurity risks. GAO is also
making one recommendation to OMB to expeditiously establish the required IoT
cybersecurity waiver process.

The Departments of Homeland Security and Transportation concurred with the
recommendations while Energy said it would not respond to the recommendations
until after further coordination with other agencies. Health and Human Services
neither agreed nor disagreed with the recommendations but noted planned actions.
Specifically, the department said it planned to update its sector-specific plan
but asserted that it cannot compel adoption of the plan in the private sector.
GAO recognizes the voluntary character of the relationship between the
department and the critical infrastructure sector. However, establishing IoT and
OT specific metrics will provide a basis for the department to establish
accountability, document actual performance, promote effective management, and
provide a feedback mechanism to inform decision-making.

OMB stated that the agency is targeting November 2022 for release of guidance on
the waiver process. As of November 22, 2022, OMB had not yet issued this
guidance.




RECOMMENDATIONS FOR EXECUTIVE ACTION

Status of all nine recommendations: Open. Actions to satisfy the intent of each
recommendation have not been taken or are being planned. When we confirm what
actions an agency has taken in response to a recommendation, we will provide
updated information.

Department of Energy
 * The Secretary of Energy, as SRMA for the energy sector, should direct the
   Director of the Office of Cybersecurity, Energy Security, and Emergency
   Response to use the National Plan to develop a sector-specific plan that
   includes metrics for measuring the effectiveness of their efforts to enhance
   the cybersecurity of their sector's IoT and OT environments.
   (Recommendation 1)
 * The Secretary of Energy, as SRMA for the energy sector, should direct the
   Director of the Office of Cybersecurity, Energy Security, and Emergency
   Response to include IoT and OT devices as part of the risk assessments of
   their sector's cyber environment. (Recommendation 2)

Department of Health and Human Services
 * The Secretary of Health and Human Services, as SRMA for the healthcare and
   public health sector, should direct the Assistant Secretary for Preparedness
   and Response to use the National Plan to develop a sector-specific plan that
   includes metrics for measuring the effectiveness of their efforts to enhance
   the cybersecurity of their sector's IoT and OT environments.
   (Recommendation 3)
 * The Secretary of Health and Human Services, as SRMA for the healthcare and
   public health sector, should direct the Assistant Secretary for Preparedness
   and Response to include IoT and OT devices as part of the risk assessments
   of their sector's cyber environment. (Recommendation 4)

Department of Homeland Security
 * The Secretary of Homeland Security should direct the Administrator of the
   Transportation Security Administration and the Commandant of the U.S. Coast
   Guard to jointly work with the Department of Transportation's Office of
   Intelligence, Security and Emergency Response, as co-SRMAs for the
   transportation systems sector, to use the National Plan to develop a
   sector-specific plan that includes metrics for measuring the effectiveness
   of their efforts to enhance the cybersecurity of their sector's IoT and OT
   environments. (Recommendation 5)
 * The Secretary of Homeland Security should direct the Administrator of the
   Transportation Security Administration and the Commandant of the U.S. Coast
   Guard to jointly work with the Department of Transportation's Office of
   Intelligence, Security and Emergency Response, as co-SRMAs for the
   transportation systems sector, to include IoT and OT devices as part of the
   risk assessments of their sector's cyber environment. (Recommendation 6)

Department of Transportation
 * The Secretary of Transportation should direct the Director, Office of
   Intelligence, Security and Emergency Response to jointly work with the
   Administrator of DHS's Transportation Security Administration and the
   Commandant of the U.S. Coast Guard, as co-SRMAs for the transportation
   systems sector, to use the National Plan to develop a sector-specific plan
   that includes metrics for measuring the effectiveness of their efforts to
   enhance the cybersecurity of their sector's IoT and OT environments.
   (Recommendation 7)
 * The Secretary of Transportation should direct the Director, Office of
   Intelligence, Security and Emergency Response to jointly work with the
   Administrator of DHS's Transportation Security Administration and the
   Commandant of the U.S. Coast Guard, as co-SRMAs for the transportation
   systems sector, to include IoT and OT devices as part of the risk
   assessments of their sector's cyber environment. (Recommendation 8)

Office of Management and Budget
 * The Director of OMB should, as required by the Internet of Things
   Cybersecurity Improvement Act of 2020, expeditiously establish a
   standardized process for the Chief Information Officer of each covered
   agency to follow in determining whether the IoT cybersecurity waiver may be
   granted. (Recommendation 9)



FULL REPORT

Highlights Page (2 pages)
Full Report (80 pages)
Accessible PDF (89 pages)
GAO Contacts
David (Dave) Hinchman
Acting Director
HinchmanD@gao.gov
(214) 777-5719
Office of Public Affairs
Chuck Young
Managing Director
youngc1@gao.gov
(202) 512-4800
Topics
 * Information Security
 * Cybersecurity
 * Critical infrastructure
 * Federal agencies
 * Internet
 * Homeland security
 * Critical infrastructure vulnerabilities
 * Health care
 * Medical devices
 * Transportation
 * Health care standards

