GAO Critical Infrastructure Report on IoT: Key Recommendations

04 Jan 2023

By Dave Cullen, Field CTO

Cybersecurity threats to critical infrastructure OT and IoT pose a very real challenge to national security. Which key recommendations should be followed in light of the GAO's recent report?

The GAO Critical Infrastructure Report

The U.S. Government Accountability Office (GAO) serves as a congressional watchdog, providing auditing, evaluative, and investigative services for the U.S. Congress. In December 2022, the GAO released its report, Critical Infrastructure: Actions Needed to Better Secure Internet-Connected Devices. The GAO report outlines the shortcomings of government agencies in conducting assessments to mitigate cybersecurity risks that face Operational Technology (OT) and Internet of Things (IoT) devices and systems. 

In particular, the GAO's Critical Infrastructure Report calls attention to critical lapses at four federal agencies:

  • Department of Energy (DOE)
  • Department of Health and Human Services (HHS)
  • Department of Homeland Security (DHS)
  • Department of Transportation (DOT)

These departments focus on the energy, healthcare, and transportation systems sectors. The GAO concluded, however, that they failed to develop metrics to assess the effectiveness of their efforts and failed to conduct IoT and OT cybersecurity risk assessments, both of which are best practices. According to the GAO report, “without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown.” 

In 2010, the GAO issued public reports that made over 90 recommendations for protecting critical infrastructure. As of June 2022, more than 50 of those recommendations had still not been implemented. Of the 14 recommendations designated as priorities, ten had still not been implemented. As a result, the congressional watchdog warns that “federal agencies may be limited in their ability to ensure the critical infrastructures are protected from harmful cybersecurity threats.”

OTORIO’s Key Recommendations

Critical infrastructure sectors in the U.S. rely heavily on electronic systems, including the Industrial Internet of Things (IIoT) and OT devices and systems. In light of the GAO report, OTORIO has several important recommendations to help federal agencies and private entities better manage their IoT and OT cybersecurity risks:

1. Carry out ongoing risk assessments

Ensure the health and safety of your OT environments by identifying hazards through continuous risk assessment. Get a clear picture of your OT environment’s cybersecurity strengths and weaknesses so you can develop a forward-thinking plan using the following approach:

  1. Set a baseline for your OT network design, assets, and communications.
  2. Test your OT security breach readiness and cybersecurity penetration resilience, and make use of specific playbooks and recommendations to improve your OT security posture.
  3. Utilize OTORIO’s risk assessment platform to audit your assets, a single site, or your entire organization’s security posture across multiple sites.

OTORIO’s solutions automatically assess your organization’s OT, IT, and IIoT security risks, and prioritize mitigating these vulnerabilities by their potential impact on your operations.

2. Create a cybersecurity or risk management program

As risks of OT cyber attacks on critical infrastructure continue to rise, adopting an integrated security strategy that goes further than traditional OT approaches will enable agencies to anchor security efforts to operational resilience. All cyber-physical systems - OT, IoT, IIoT - and IT should be included in a joint governance model.

When security disciplines (physical security, cybersecurity, and supply chain security) are separated by functional silos, the ensuing vulnerabilities are more likely to be exploited by malicious actors. A unified, comprehensive security strategy across the entire enterprise allows digital security threats to be assessed, triaged, and addressed quickly and reliably. This is a crucial component of what OTORIO delivers to our critical infrastructure, industrial manufacturing, and smart transportation clients. An integrated approach towards OT security allows security practitioners to continuously mitigate risks and safeguard operational environments based on a single source of truth. 

3. Integrate tools and automation

OT systems are designed for maximum performance and reliability, yet they face ongoing threats and have unique security vulnerabilities. The right tools and automation are needed to address them. Because these systems are vital to industrial operations and processes, protecting them from cyber-attacks and accidental disruptions is of the utmost priority.

Automated security tools can effectively identify threats and help teams proactively mitigate risks. Automation simplifies and streamlines security processes, enabling organizations to identify and address vulnerabilities more efficiently. OTORIO’s automated security and compliance risk assessment platform helps ensure that ongoing operations are maintained whenever possible. OTORIO’s solutions propose practical recommendations in detailed reports and clearly outlined mitigation playbooks.

4. Go beyond asset visibility

Extended asset visibility is a vital part of effective OT security. It allows organizations to fully understand their operations and infrastructure, which is crucial for obtaining a 360° view of your OT assets and their communication. OTORIO gathers, orchestrates, and analyzes data from a broad range of security and industrial sources in your operational environment. The result is much deeper context on the roles of assets within the environment and the potential impact of existing threats and vulnerabilities.

5. Utilize OT-specific mitigation playbooks

Straightforward, OT-focused mitigation playbooks enable your OT security teams to quickly and successfully minimize and address security incidents, reducing their potential impact on critical industrial processes. 

OTORIO develops contextualized, automated risk-mitigation playbooks that are clear and practical so you can improve your Mean Time To Respond (MTTR). OTORIO’s playbooks address each organization’s unique OT environment. They guide OT and IT teams along each recommended step to mitigate vulnerabilities, security gaps, exposures, and compliance deviations. 


The GAO’s recent Critical Infrastructure Report called out OT and IoT cybersecurity compliance lapses at the same federal agencies whose expertise Congress sought in order to mitigate such security gaps. OTORIO’s extensive knowledge, authority, and global experience help critical infrastructure organizations like oil and gas, electricity, and water treatment companies proactively safeguard against and reduce OT and IIoT security risks and vulnerabilities with our RAM2 platform. Implementing the key recommendations above will allow the integrity and operational resilience of Industrial IoT and OT security for critical infrastructure to be optimally maintained.
