Internet-connected technologies can improve services, but face the risks of cyber attacks

Our nation’s critical infrastructure includes industries that provide essential services, such as electricity, healthcare, and transportation. These industries increasingly rely on internet-connected technologies to support their mission and functioning, such as the Internet of Things. However, this use of technology also makes critical infrastructure vulnerable to cyber attacks, such as the May 2021 Ransomware cyberattack on an American oil pipeline system leading to regional gas shortages.

The federal government plays an important role in protecting this infrastructure from cyber attacks. Today’s WatchBlog post looks at the cybersecurity of internet-connected devices and our recent report about federal efforts to protect these devices.

Where are the potential vulnerabilities?

The use of the Internet of Things (IoT) and Operational Technology (OT) creates entry points that can make critical infrastructures vulnerable to cyber attacks.

  • Some examples of IoT in critical infrastructure include building access controls and badge readers, fuel usage or route monitoring, or applications such as those that notify passengers when the next bus or train is arriving. In healthcare, connected medical devices, such as pacemakers and MRIs, are also part of the IoT.
  • OTs can be found in environments as diverse as power plants and as part of energy grids, on the production lines of medical device and pharmaceutical manufacturers, in ship-to-shore cranes and in train speed control devices.

Representation of the critical infrastructure industry’s uses of Internet-connected devices

The IoT and OT devices and systems that support our nation’s critical infrastructure are inherently at risk. Risks include growing and emerging threats from around the world, new and more destructive attacks, and insider threats from knowing or unknowing employees.

Cyberthreats to IoT and OT can include targeted attacks, environmental disruptions, and human/machine errors. These incidents may cause damage to the national security and economic interests of the United States.

For example, in July 2022, federal agencies leading cybersecurity, law enforcement, and homeland security efforts warned healthcare entities (like hospitals) to lock down devices that use the IoT. This was in response to the threat of North Korean cyber attackers seeking to use the IoT (among other entry points) to gain access to medical IT systems and hold medical information and data for ransom.

Federal efforts to mitigate IoT and OT cybersecurity risks

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Science and Technology (NIST) have released guidelines and provided resources to help federal agencies and private entities manage the cyber risks associated with connected devices to the internet. In addition, each critical infrastructure sector has a lead agency responsible for the care and protection of one or more of the nation’s 16 critical infrastructures, including support for the designated sector’s security and resilience programs and associated activities. For example, the healthcare industry’s cybersecurity efforts are led by the Department of Health and Human Services.

For our December report, we sat down with agencies to see how they’re evaluating the effectiveness of their efforts. We found that they had not conducted risk assessments on their use of IoT and OT. Without conducting industry-wide risk assessments, organizations will not know what additional security protections they may need to address growing and evolving threats. We recommend them to conduct risk assessments that include IoT and OT.

Agencies responsible for providing leadership to our nation’s critical infrastructure sectors have told us that the relationship between the private sector and government is voluntary. This, they said, makes it difficult to gather intelligence and measure their progress toward cybersecurity goals. But we think these agencies could achieve more and have recommended that these agencies address these gaps in their cybersecurity planning.

Learn more about our work on cybersecurity risks in IoT and OPs and federal efforts to address them by auditing our full report.