The adage that “you can’t manage what you can’t measure” holds true. That’s why the U.S. government and academia publish statistics on anything that matters to the public good, whether unemployment rates, consumer price indexes, housing starts, or scholastic achievement. Ultimately, metrics provide the leading and lagging indicators that enable leaders to make decisions.
That’s why I was encouraged when the “Better Cybercrime Metrics Act” and the “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)” were signed into law in 2022. At a macro level, I believe these laws will start to provide insight into the volume, velocity, types, and trends of cybercrime, so that policymakers can make more informed decisions to protect public safety.
Unfortunately, the use of data to make better cybersecurity decisions in government is not yet widespread, as a recently published Government Accountability Office (GAO) report makes clear. The report quantifies the extensive use of connected IoT and OT devices across the 16 critical infrastructure sectors.
The report points out that lead agencies have yet to implement two foundational risk management practices: assessing risk and measuring the effectiveness of mitigations. Until that changes, we as a nation will not have the data needed to make good decisions about how to invest in mitigating risk to connected IoT and OT assets.
Compounding this, the GAO report, “Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices,” notes that lead agencies, including the Departments of Energy, Health and Human Services, Homeland Security, and Transportation, have yet to define metrics to measure the effectiveness of their IoT and OT cybersecurity efforts. Furthermore, the report says these lead agencies have yet to conduct risk assessments of their IoT and OT environments.
At Claroty, we have been working to add to the body of work available to help policymakers and practitioners make better decisions about threats to cyber-physical systems. This includes the vulnerability research conducted by Team 82, as well as our biannual State of XIoT Security report, in which we analyze trends in cyber-physical system vulnerabilities affecting the critical infrastructure sectors.
Creating and implementing metrics to measure the success of IoT and OT cybersecurity initiatives is a crucial step toward understanding whether existing efforts have been effective. IoT and OT risk assessments would give decision makers additional context on the threats unique to these environments, beyond familiar concerns such as ransomware and IT system vulnerabilities.
Until sector-wide risk assessments that include IoT and OT are carried out, any investments in technology and the mitigations that follow may not be adequate to address the true risks that critical infrastructure entities face.