Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices

What GAO Found

The nation’s critical infrastructure sectors rely on electronic systems, including Internet of Things (IoT) and operational technology (OT) devices and systems. IoT generally refers to the technologies and devices that allow for the network connection and communication of a wide array of “things,” throughout such places as buildings, transportation infrastructure, or homes. OT are programmable systems or devices that interact with the physical environment, such as building automation systems that control machines to regulate and monitor temperature.

Figure: Overview of Connected IT, Internet of Things (IoT), and Operational Technology

To help federal agencies and private entities manage the cybersecurity risks associated with IoT and OT, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have issued guidance and provided resources. Specifically, CISA has published guidance, initiated programs, issued alerts and advisories on vulnerabilities affecting IoT and OT devices, and established working groups on OT. NIST has published multiple guidance documents on IoT and OT, maintained a center of cybersecurity excellence, and established numerous working groups. In addition, the Federal Acquisition Regulatory Council is considering updates to the Federal Acquisition Regulation to better address IoT and OT cybersecurity challenges.

Selected federal agencies with a lead role have reported various cybersecurity initiatives to help protect three critical infrastructure sectors with extensive use of IoT or OT devices and systems.

Title: Sector Lead Agencies’ Internet of Things (IoT) or Operational Technology (OT) Cybersecurity Initiatives

Columns: Sector (Lead Federal Agency); Examples of IoT or OT Initiatives

Energy (Department of Energy)

Considerations for OT Cybersecurity Monitoring Technologies guidance provides suggested evaluation considerations for technologies to monitor OT cybersecurity of systems that, for example, distribute electricity through the grid.

Cybersecurity for the Operational Technology Environment methodology aims to enhance energy sector threat detection of anomalous behavior in OT networks, such as electricity distribution networks.

Healthcare and public health (Department of Health and Human Services)

Pre-market Guidance for Management of Cybersecurity identifies challenges related to cybersecurity for manufacturers to consider in the design and development of their medical devices, such as diagnostic equipment.

Post-market Management of Cybersecurity in Medical Devices provides recommendations for managing cybersecurity vulnerabilities for marketed and distributed medical devices, such as infusion pumps.

Transportation systems (Departments of Homeland Security and Transportation)

Surface Transportation Cybersecurity Toolkit is designed to provide informative cyber risk management tools and resources for control systems that, for example, function on the mechanics of the vessel.

Department of Homeland Security’s Transportation Security Administration’s Enhancing Rail Cybersecurity Directive requires actions, such as conducting a cybersecurity vulnerability assessment and developing cybersecurity incident response plans, for higher-risk railroads.

Source: GAO analysis of agency documentation │ GAO-23-105327

However, none of the selected lead agencies had developed metrics to assess the effectiveness of their efforts. Further, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices. Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown.

The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after December 4, 2022, if that device is considered non-compliant with NIST-developed standards. Pursuant to the act, in June 2021 NIST issued a draft guidance document that, among other things, provides information for agencies, companies and industry to receive reported vulnerabilities and for organizations to report found vulnerabilities. The act also requires the Office of Management and Budget (OMB) to establish a standardized process for federal agencies to waive the prohibition on procuring or using non-compliant IoT devices if waiver criteria detailed in the act are met.

As of November 22, 2022, OMB had not yet developed the mandated process for waiving the prohibition on procuring or using non-compliant IoT devices. OMB officials noted that the waiver process requires coordination and data gathering with other entities. According to OMB, it is targeting November 2022 for the release of guidance on the waiver process. Given the act’s restrictions on agency use of non-compliant IoT devices beginning in December 2022, the lack of a uniform waiver process could result in a range of inconsistent actions across agencies.

Why GAO Did This Study

Cyber threats to critical infrastructure IoT and OT represent a significant national security challenge. Recent incidents—such as the ransomware attacks targeting health care and essential services during the COVID-19 pandemic—illustrate the cyber threats facing the nation’s critical infrastructure. Congress included provisions in the IoT Cybersecurity Improvement Act of 2020 for GAO to report on IoT and OT cybersecurity efforts.

This report (1) describes overall federal IoT and OT cybersecurity initiatives; (2) assesses actions of selected federal agencies with a lead sector responsibility for enhancing IoT and OT cybersecurity; and (3) identifies leading guidance for addressing IoT cybersecurity and determines the status of OMB’s process for waiving cybersecurity requirements for IoT devices. To describe overall initiatives, GAO analyzed pertinent guidance and related documentation from several federal agencies.

To assess lead agency actions, GAO first identified the six critical infrastructure sectors considered to have the greatest risk of cyber compromise. From these six, GAO then selected for review three sectors that had extensive use of IoT and OT devices and systems. The three sectors were energy, healthcare and public health, and transportation systems. For each of these, GAO analyzed documentation, interviewed sector officials, and compared lead agency actions to federal requirements.

GAO also analyzed documentation, interviewed officials from the selected sectors, and compared those sectors’ cybersecurity efforts to federal requirements. GAO also interviewed OMB officials on the status of the mandated waiver process.