
The deadline was the end of 2024. However, several federal agencies missed their recent deadlines to meet requirements for IoT cybersecurity programs specifically referred to in a law passed in 2020. US government agencies rely on Internet of Things devices for distribution of WiFi, managing printing, and even essentials like power and water, but a recent report from the Government Accountability Office says:

  • Three agencies said they wouldn’t be able to finish their IoT inventories by the September 30 deadline.
  • Six did not share their time frames for completing inventories.
  • One—the Small Business Administration—said it does not use IoT and, therefore, would not be compiling an inventory.

In his blog for Manufacturing.net, xIoT security strategist John Terrill examines the issues surrounding these government agencies and offers solutions to address ongoing issues surrounding device security, landscape visibility, cybersecurity awareness, and investment priorities.

The recent General Accountability Office report on IoT security across federal agencies sheds light on an important problem: the ability of agency-level IT organizations to both understand and comply with federal directives.

Understanding the problem is the first step in solving it. A fundamental misunderstanding regarding the problem facing federal IT organizations exists because everyday devices often share the same networks as critical, but less visible devices. Our common devices present a contagion risk if an attacker breaches the network, even if the common devices are not directly exposed to the open Internet.

IoT and OT devices are not just specialized devices in network segments like robotic manufacturing or oil and gas meters. They include everyday, yet integral, devices in our professional lives. This includes things like ruggedized printers that create labels, as well as cameras, desk phones, temperature sensors, door controllers and even HVAC systems that often share the same networks as the rest of your traditional IT infrastructure.

These devices are unique in that they have a cyber-physical characteristic in that they impact the real world when tampered with. In the past, they were thought of as just another computer, but this really misrepresents the nature of an attack on them. Video conferencing equipment becomes a listening device; HVAC outages and door lock malfunctions can render office space unusable.

Terrill goes on to explain the sheer magnitude of the number of IoT and OT devices in use today and the challenges organizations face in gaining safe and accurate visibility of them. “Technical solutions exist to help address the inventory problem,” he writes. “Although an increase in resources may need to be part of a funding request to Congress, the inventory itself should be solvable within existing budget constraints. The real request for resources should focus on additional help for remediation.”

Read the full blog here.

Author

Phosphorus Cybersecurity

Phosphorus Cybersecurity® is the leading xTended Security of Things™ platform designed to find, fix, and monitor the rapidly growing and often unmonitored Things of the enterprise xIoT landscape.