In December 2022, the US Government Accountability Office (GAO) issued "Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices" (GAO-23-105327). According to GAO, the scope of the report was governed by a legislative mandate in The Internet of Things Cybersecurity Improvement Act of 2020, which (along with conversations with GAO’s Congressional clients) dictated the terms of GAO’s review.
In a December 5, 2022 e-mail to me, GAO acknowledged the report did not address the more than 17 million control system cyber incidents identified in my November 18, 2022 blog. The GAO e-mail stated that, given the importance of actual control system cyber incidents, GAO anticipates conducting future reviews. It is critical for GAO’s congressional sponsors and other government organizations to understand that process sensors are not being addressed by the term “IOT”. GAO also needs to clarify that cyber security issues specific to IOT, such as consumer labeling, are not applicable to process sensors.
There is a need for industry and standards organizations to clearly define the difference between IOT, IIOT, and process sensors and to address the lack of cyber security and authentication in legacy process sensors and IIOT devices.