Internet-connected technologies can improve services, but face risks of cyberattacks

Our country’s critical infrastructure includes sectors that provide essential services, such as electricity, health care and transportation. These sectors increasingly rely on internet-connected technologies, such as the Internet of Things, to support their missions and operations. However, this use of technology also makes critical infrastructure vulnerable to cyberattacks. One example is the May 2021 ransomware cyberattack on a US pipeline system that led to regional gas shortages.

The federal government plays an important role in protecting this infrastructure from cyberattacks. Today’s WatchBlog article examines the cybersecurity of internet-connected devices and our recent report on federal efforts to secure these devices.

Where are the potential vulnerabilities?

The use of the Internet of Things (IoT) and Operational Technology (OT) creates entry points that can make critical infrastructure vulnerable to cyberattacks.

  • Examples of IoT in critical infrastructure include building access controls and badge readers, fuel consumption or route monitoring, or applications such as those that notify passengers of the arrival of the next bus or train. In healthcare, connected medical devices, such as pacemakers and MRIs, are also part of the IoT.
  • OT can be found in environments as diverse as power plants and as part of energy grids, on the production lines of medical and pharmaceutical device manufacturers, in dockside cranes, and in train speed control devices.

Representation of critical infrastructure industry uses of internet-connected devices

The IoT and OT devices and systems that support our nation’s critical infrastructure are inherently at risk. Risks include growing and emerging threats from around the world, new and more destructive attacks, and insider threats from knowing or unwitting employees.

Cyber threats to IoT and OT can include deliberate attacks, environmental disturbances, and human/machine error. These incidents may harm the national security and economic interests of the United States.

For example, in July 2022, federal agencies that lead cybersecurity, law enforcement, and homeland security efforts warned healthcare entities (like hospitals) to lock down devices that use IoT. This was in response to the threat from North Korean cyber attackers who sought to use the IoT (among other entry points) to access medical IT systems and hold medical information and data for ransom.

Federal Efforts to Mitigate IoT and OT Cybersecurity Risks

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Science and Technology (NIST) have published guidance and provided resources to help federal agencies and private entities manage cyber risks associated with internet-connected devices. In addition, each critical infrastructure sector has a lead agency responsible for assisting and protecting one or more of the country’s 16 critical infrastructure sectors, including supporting the security and resilience programs and associated activities of their designated sector. For example, the healthcare industry’s cybersecurity efforts are led by the Department of Health and Human Services.

For our December report, we met with organizations to see how they rate the effectiveness of their efforts. We found that they had not carried out risk assessments regarding their use of IoT and OT. Without conducting industry-wide risk assessments, organizations will not know what additional security protections might be needed to address growing and evolving threats. We recommended that they conduct risk assessments that include IoT and OT.

Agencies charged with leading our country’s critical infrastructure sectors have told us that the relationship between the private sector and government is voluntary. According to them, this makes it difficult to collect information and measure their progress towards cybersecurity goals. But we believe these agencies could do more and have recommended that these agencies address these gaps in their cybersecurity planning.

To learn more about our work on cybersecurity risks in IoT and OT, and federal efforts to address them, view our full report.
