Our nation’s critical infrastructure includes sectors that supply indispensable services, such as electricity, health care, and transportation. These sectors increasingly rely on internet-connected technologies to support their mission and operations, such as the Internet of Things. However, this technology use also makes critical infrastructure vulnerable to cyberattacks—for example, the May 2021 ransomware cyberattack on an American oil pipeline system that led to regional gas shortages.
The federal government plays an important role in protecting this infrastructure from cyberattacks. Today’s WatchBlog post looks at the cybersecurity of internet-connected devices and our new report on federal efforts to secure these devices.
Where are the potential vulnerabilities?
The use of Internet of Things (IoT) and operational technology (OT) creates points of entry that can leave critical infrastructure vulnerable to cyberattacks.
- Some examples of IoT in critical infrastructure include building access controls and badge readers, fuel usage or route monitoring, or applications like those advising passengers when the next bus or train is arriving. In health care, connected medical devices, like pacemakers and MRIs, are also part of the IoT.
- OT can be found in environments as varied as power generating stations and as part of the energy grids, on the production lines of medical device and pharmaceutical manufacturers, in ship-to-shore cranes, and in devices to control the speed of trains.
Depiction of Critical Infrastructure Sector Uses of Internet-Connected Devices
IoT and OT devices and systems that support our nation’s critical infrastructure are inherently at risk. The risks include escalating and emerging threats from around the globe, new and more destructive attacks, and insider threats from witting or unwitting employees.
Cyber threats to IoT and OT can include purposeful attacks, environmental disruptions, and human/machine errors. These incidents may result in harm to the United States’ national and economic security interests.
For example, in July 2022, federal agencies that lead cybersecurity, law enforcement, and homeland security efforts warned health care entities (like hospitals) to lock down devices that use IoT. This was in response to the threat from North Korean cyber attackers that sought to use IoT (among other entry points) to gain access to medical IT systems and hold medical information and data for ransom.
Federal efforts to mitigate IoT and OT cybersecurity risks
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidance and provided resources to help federal agencies and private entities manage cyber risks associated with internet-connected devices. In addition, each critical infrastructure sector has a lead agency responsible for assisting and protecting one or more of the nation’s 16 critical infrastructures, including supporting the security and resilience programs and associated activities of their designated sector. For example, the health care sector’s cybersecurity efforts are led by the Department of Health and Human Services.
For our December report, we met with agencies to see how they are assessing the effectiveness of their efforts. We found that they had not conducted risk assessments around their use of IoT and OT. Without conducting sector-wide risk assessments, organizations will not know what additional security protections could be needed to address increasing and evolving threats. We recommended that they conduct risk assessments that include IoT and OT.
The agencies responsible for providing support to our nation’s critical infrastructure sectors told us that the relationship between the private sector and government is voluntary. This, they said, makes it challenging to collect insight and measure their progress toward cybersecurity goals. But we think more could be achieved by these agencies, and we recommended that these agencies address these gaps in their cybersecurity planning.
Find out more about our work on cybersecurity risks in IoT and OT, and federal efforts to address them, by checking out our full report.
- Comments on GAO’s WatchBlog? Contact blog@gao.gov.