IoT Security is MIA | Manufacturing.net

By Staff

A handful of federal agencies recently missed deadlines to complete Internet of Things cybersecurity requirements called out in a 2020 law, a new congressional watchdog report found. According to the Government Accountability Office:

  • Three agencies said they wouldn’t be able to finish their IoT inventories by September 30.
  • Six did not share their time frames for doing so.
  • One — the Small Business Administration — said it does not use any IoT and therefore would not be compiling an inventory. 

In the blog below, John Terrill, CISO of xIoT cybersecurity firm Phosphorus Cybersecurity, takes a look at the issues facing these government agencies – many of which manufacturers will find familiar. He also offers approaches to tackling ongoing problems with device security, landscape visibility, cybersecurity awareness and investment priorities.

The recent Government Accountability Office report on IoT security across federal agencies sheds light on an important problem: whether agency-level IT organizations can both understand and comply with federal directives.

Understanding the problem is the first step in solving it. The problem facing federal IT organizations is widely misunderstood because everyday devices often share the same networks as critical but far less visible devices. Those common devices present a contagion risk once an attacker is on the network, even when they are not directly exposed to the open Internet.

IoT and OT devices are not only the specialized equipment in segmented networks such as robotic manufacturing cells or oil and gas meters. They include everyday, yet integral, devices in our professional lives: ruggedized label printers, cameras, desk phones, temperature sensors, door controllers and even HVAC systems, which often share the same networks as the rest of your traditional IT infrastructure.

These devices are unique in that they are cyber-physical: tampering with them has effects in the real world. In the past they were treated as just another computer, but that misrepresents the nature of an attack on them. Video conferencing equipment becomes a listening device, and HVAC outages or door lock malfunctions can render office space unusable.

At Phosphorus, because we’ve observed billions of IoT/OT devices, we have a firm grasp on how many devices should be in a given space. For an office environment similar to that of much of the civilian federal workforce, there should be approximately three to five devices per employee or contractor. So for the roughly two million civilian employees within the federal government, there should be inventories of somewhere between six and 10 million IoT/OT devices.

Problematically, the GAO report shows that none of the initial inventory counts exceeds 200. The report did acknowledge, however, that at least one agency pointed out those numbers are not a count of devices but of some higher-level grouping of systems.

The problem is that the devices are the target!

Manually inventorying an abstraction of these systems does not address the actual problem. Inventorying should be an automated, or at least technical, process that enumerates the devices on the network, because the devices themselves will be the target of an attack. This appears to be part of the misunderstanding of the issue.
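The device-level inventory the paragraph calls for, as an added example that is not part of the original blog or of any Phosphorus product: a Python script that joins an ARP table with DHCP lease hostnames, classifies each MAC by vendor OUI and hostname hints, and checks the resulting xIoT count against the three-to-five-devices-per-person rule of thumb given above. The ARP and DHCP data are constructed for the example, the OUI table is an assumed illustrative subset (the IEEE OUI registry is the authoritative source), and the hostname conventions and the function names are assumptions, not agency practice.

```python
"""Device-level xIoT inventory from network evidence (added example).

Inputs: `arp -a` style output and an ISC dhcpd leases file, both constructed
here. Counts devices, not "systems", which is the distinction the GAO
report's inventory numbers blur.
"""
import re
from collections import Counter

# Assumed illustrative OUI subset: first three octets, lowercase.
# Verify and extend from the IEEE OUI registry before relying on it.
OUI_VENDORS = {
    "00:04:f2": ("Polycom", "desk phone / video conferencing", "xIoT"),
    "00:40:8c": ("Axis Communications", "IP camera", "xIoT"),
    "00:a0:f8": ("Zebra Technologies", "label printer", "xIoT"),
    "00:14:22": ("Dell", "workstation / server", "IT"),
    "00:00:0c": ("Cisco", "network infrastructure", "IT"),
}

# Assumed hostname conventions, used only when the OUI is unknown.
HOSTNAME_HINTS = [
    (re.compile(r"hvac|thermo|temp", re.I), ("HVAC / temperature sensor", "xIoT")),
    (re.compile(r"door|badge|acs", re.I), ("door controller", "xIoT")),
    (re.compile(r"cam", re.I), ("IP camera", "xIoT")),
    (re.compile(r"prn|print", re.I), ("printer", "xIoT")),
    (re.compile(r"phone|voip|sip", re.I), ("desk phone", "xIoT")),
    (re.compile(r"^(ws|lt|srv)-", re.I), ("workstation / server", "IT")),
]

# Constructed sample data: one flat office VLAN with IT and xIoT mixed together.
ARP_TABLE = """\
? (10.20.1.10) at 00:04:f2:1a:2b:3c on eth0
? (10.20.1.11) at 00:40:8c:aa:bb:cc on eth0
? (10.20.1.12) at 00:a0:f8:11:22:33 on eth0
? (10.20.1.20) at 00:14:22:de:ad:01 on eth0
? (10.20.1.21) at 00:14:22:de:ad:02 on eth0
? (10.20.1.30) at 00:00:0c:07:ac:01 on eth0
? (10.20.1.31) at 3c:5a:b4:00:11:22 on eth0
"""

DHCP_LEASES = """\
lease 10.20.1.31 {
  hardware ethernet 3c:5a:b4:00:11:22;
  client-hostname "hvac-ctrl-3f";
}
lease 10.20.1.20 {
  hardware ethernet 00:14:22:de:ad:01;
  client-hostname "WS-ACCT-041";
}
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)
LEASE_BLOCK = re.compile(r"lease (?P<ip>[\d.]+) \{(?P<body>.*?)\}", re.S)
LEASE_MAC = re.compile(r"hardware ethernet (?P<mac>[0-9a-f:]{17});", re.I)
LEASE_HOST = re.compile(r'client-hostname "(?P<host>[^"]*)";')


def parse_arp(text):
    """Return {ip: mac} from `arp -a` style output."""
    return {m["ip"]: m["mac"].lower() for m in ARP_LINE.finditer(text)}


def parse_dhcp_hostnames(text):
    """Return {mac: hostname} from an ISC dhcpd leases file."""
    result = {}
    for block in LEASE_BLOCK.finditer(text):
        mac = LEASE_MAC.search(block["body"])
        host = LEASE_HOST.search(block["body"])
        if mac and host:
            result[mac["mac"].lower()] = host["host"]
    return result


def classify(mac, hostname=""):
    """Classify one MAC (plus optional hostname) as xIoT, IT or unknown."""
    vendor = OUI_VENDORS.get(mac[:8])
    if vendor:
        name, kind, bucket = vendor
        return {"vendor": name, "kind": kind, "bucket": bucket}
    for pattern, (kind, bucket) in HOSTNAME_HINTS:
        if pattern.search(hostname):
            return {"vendor": "unknown", "kind": kind, "bucket": bucket}
    # Unknown devices are the ones that most need a human look, so keep them.
    return {"vendor": "unknown", "kind": "unclassified", "bucket": "unknown"}


def build_inventory(arp_text, leases_text):
    """One record per device seen on the wire, joined with its DHCP hostname."""
    hosts = parse_dhcp_hostnames(leases_text)
    return [dict(ip=ip, mac=mac, hostname=hosts.get(mac, ""),
                 **classify(mac, hosts.get(mac, "")))
            for ip, mac in sorted(parse_arp(arp_text).items())]


def summarize(inventory):
    """Device counts per bucket (xIoT / IT / unknown)."""
    return Counter(d["bucket"] for d in inventory)


def expected_xiot_range(headcount, per_person_low=3, per_person_high=5):
    """Sanity bound from the observed three to five devices per person."""
    return headcount * per_person_low, headcount * per_person_high


def inventory_looks_plausible(inventory, headcount):
    """False when the xIoT count is far below (or above) what headcount implies."""
    low, high = expected_xiot_range(headcount)
    return low <= summarize(inventory)["xIoT"] <= high


if __name__ == "__main__":
    inv = build_inventory(ARP_TABLE, DHCP_LEASES)
    for d in inv:
        print(f'{d["ip"]:<12} {d["mac"]}  {d["bucket"]:<8} {d["kind"]}  {d["hostname"]}')
    print(summarize(inv), "plausible for 1 person:", inventory_looks_plausible(inv, 1))
```

The plausibility check is the part worth copying: an inventory of 200 "systems" for an agency with thousands of staff fails `inventory_looks_plausible` immediately, which is exactly the signal the GAO numbers should have raised. In production you would feed the same functions from switch MAC tables, DHCP server logs and a full OUI registry rather than the constructed strings here.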

Other indicators point to the same conclusion: the multiple erroneous waivers that were submitted, the extensions to the September deadline for completing inventories and, most egregiously, the Small Business Administration (SBA) claiming zero IoT devices.

These problems may also stem partly from how the federal bureaucracy functions. The guidance agency IT organizations are directed to follow comes from seven different NIST publications, each dozens of pages long, whose main takeaways boil down to changing default passwords, upgrading firmware and segmenting where possible.

Federal IT workers are not alone in struggling with these issues. A recent report from the EPA Office of the Inspector General highlighted similar challenges in addressing cybersecurity issues at public water and wastewater facilities across the country. These cybersecurity issues are not unique to the federal government; every organization, large and small, is having to deal with them. What does seem unique here is the inability of many of these agencies even to properly recognize the problem.

These Agencies Need Help 

Technical solutions exist to address the inventory problem. Although additional resources may need to be part of a funding request to Congress, the inventory itself should be solvable within existing budget constraints. The real request for resources should focus on help with remediation. Finding cybersecurity problems is supposed to be the easy part; fixing them takes time and contextual understanding of the environment in question. Existing agency IT organizations are probably under-resourced and may need training, given the differences between IoT/OT and traditional IT.

Another approach would be to use tiger teams from an agency like CISA (the Cybersecurity and Infrastructure Security Agency), which already performs a similar function for red team assessments. Specialized teams could be deployed into agencies that need help, with the ability not only to rapidly inventory IoT/OT devices but also to begin fixing them. This would require a change in mindset and potentially a shift in CISA's authority, which has traditionally been advisory rather than operational.

Another option, though unconventional and likely impractical unless supported by the incoming administration's DOGE initiative, would be to centralize the IT function across all agencies. This would mean creating a single IT department to manage IT, and consequently the IoT and OT devices, across the entire federal government, rather than having each agency handle its own. While it is a radical approach, it could enable more comprehensive and efficient management of these devices across the government, allowing agencies to focus on their core missions.
