"GAO Calls for Action to Improve Critical Infrastructure IoT and OT Cybersecurity"

According to the Government Accountability Office (GAO), federal agencies in charge of critical infrastructure cybersecurity have not conducted risk assessments for Operational Technology (OT) and Internet of Things (IoT) systems and devices. Electronic systems, including IoT and OT devices and systems, are used in critical infrastructure sectors to deliver essential services such as electricity and healthcare. However, these industries are facing an increase in cybersecurity threats. In 2021, the FBI's Internet Crime Complaint Center (IC3) received 649 complaints indicating that organizations in the critical infrastructure sector had been victims of a ransomware attack. The center showed that 14 of the 16 critical infrastructure sectors had at least one member who reported being a victim of a ransomware attack in 2021.

Recent events have underscored the significant IoT and OT cyber threats facing the nation, as well as the wide range of consequences that these attacks pose. For example, the Department of Justice (DoJ) reported in June 2022 that a Russian botnet was targeting various IoT and OT devices, including time clocks, routers, audio/video streaming devices, smart garage door openers, Industrial Control Systems (ICSs), and more. Millions of devices were hacked, and victims ranged from individuals to large corporations. A joint agency alert issued in July 2022 stated that a North Korean ransomware attack targeted healthcare and public health sector organizations, specifically hitting electronic health records services, diagnostics services, imaging services, and intranet services.

The Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidance and provided resources to help federal agencies and private entities manage the cybersecurity risks associated with IoT and OT. CISA published guidance, launched programs, issued alerts and advisories on vulnerabilities affecting IoT and OT devices, and formed OT working groups. Furthermore, the Federal Acquisition Regulatory Council is considering revisions to the Federal Acquisition Regulation (FAR) in order to better manage IoT and OT cybersecurity risks. This article continues to discuss key points from GAO's report on critical infrastructure cybersecurity and the need to better secure Internet-connected devices.

HSToday reports "GAO Calls for Action to Improve Critical Infrastructure IoT and OT Cybersecurity"
