Government agencies rely on IoT and OT devices to carry out their missions and manage everything from security cameras and personal identity verification (PIV) card readers that monitor and control access to facilities and data, to environmental controls that improve comfort, safety and efficiency. Data centers couldn’t operate around the clock without tightly controlled air conditioning, electricity and other physical infrastructure, much of which relies on IoT.
Organizations are overwhelmed with cybersecurity point solutions and the increasing complexity of their tech stacks. There are millions of device types running an infinite combination of operating systems and software. Identifying and securing them all takes a variety of active and passive techniques. No wonder there’s an appetite for simplifying and automating cybersecurity.
The convergence of IT, IoT and OT networks has rapidly accelerated in the last decade, but IoT and OT security hasn’t kept pace. Many of these assets were designed with little attention to security. Take security cameras. These devices can live on for decades, and cybersecurity didn’t fit into their production costs. As Vedere Labs recently demonstrated with its R4IoT proof-of-concept ransomware, security cameras and other vulnerable IoT devices can be exploited for initial access and lateral movement to IT and OT devices, with the aim of disrupting business operations.
Federal civilian agencies: extend CDM to IoT and OT
Government InfoSec leaders are well aware of the cyber challenges posed by the expanding attack surface – they’re responsible for securing everything on their network. For U.S. federal civilian agencies, the Office of Management and Budget’s (OMB’s) Zero Trust Architecture (ZTA) Strategy, released in January 2022, underscores that mandate.
Among other goals, the ZTA Strategy requires that agencies maintain a complete inventory of every device authorized and operated for official business, and be able to prevent, detect and respond to incidents on those devices. The implementation deadline is the end of FY24 – and it comes with no new funding.
Most civilian agencies likely have the tools to meet zero trust goals via their participation in CDM, CISA’s Continuous Diagnostics and Mitigation Program, which began in 2013. Forescout is CISA’s baseline tool for CDM hardware asset management (HWAM), and we currently deliver device visibility for nearly all federal agencies. So, compliance with this zero trust goal essentially means extending the deployment across a growing list of device types, including IoT and OT. The good news is: agencies can simply extend their Forescout Continuum Platform deployment to discover and secure IoT and OT devices on their network.
Securing government-owned critical infrastructure
Beyond civilian agencies, government authorities around the world rely on OT to monitor and control critical infrastructure – the core assets that make societies and economies function. Converged IT, IoT and OT systems enable governments to provide essential services to citizens with greater efficiency, at lower cost. (For public health systems, add the Internet of Medical Things, or IoMT.) All of this digitalization – newly connected devices, new communication flows and data exchange – also opens up the attack surface.
Hackers will always look for the easiest, most efficient way to breach a system or device. All too often that entry point is OT, or the intersection of IT and OT. Once bad actors gain access to a programmable logic controller (PLC) or another industrial control system (ICS), they can manipulate the equipment it controls – and penetrate the network.
Applying security patches to these assets may not be an option. For instance, the scale, complexity and mission-critical nature of OT such as water treatment plants often means they cannot be taken offline. Instead, the best way to isolate vulnerable assets, prevent unwanted communications or stop breaches from spreading is a combination of passive network monitoring and segmentation.
The right cybersecurity approach for every connected asset
The bottom line for government InfoSec leaders who manage converged IT/OT networks is this: Cybersecurity must be tackled as a whole. Any device connected to the network must be in scope of your initiatives.
Many governments already rely on Forescout to automate their asset inventory, continuously and with the right approach for every device type. It is a natural next step to include more networks and to continuously assess the risks, checking that vulnerability scans have been executed on every device and that endpoints get patched or segmented as needed. You can trust Forescout with securing any connected device because we do it every day.
Forescout Continuum continuously discovers, classifies and assesses all IP-connected assets – IT, IoT, IoMT and OT – from campus to data center to edge. We use over 20 monitoring techniques that leverage deep integration with leading IT and OT network switches, routers, wireless, access points, firewalls, VPN concentrators, and data center and cloud solution providers. Together, they discover what type of device is connecting, where and how it’s connecting, and who is using it.
Our platform also enables you to control network access – with or without 802.1X – plus enforce device compliance and automate incident response across your existing security tools. These steps are foundational to zero trust – IF they encompass every connected device.
From protecting citizens’ private data to providing essential services and managing critical infrastructure, government entities are attractive targets for exploitation. Watch how Forescout Continuum provides zero trust security capabilities to better secure your expanding attack surface.