With hands-on training, state and local governments can better address the vulnerabilities of internet-connected devices.
A report released early this month by the Government Accountability Office highlighted federal challenges to standardizing security assessments for internet of things and operational technology devices. But state and local governments don’t have to wait for federal guidance, one expert said. They can seize the initiative by launching more cyber ranges.
Primarily used to train cybersecurity professionals through hands-on cybersecurity labs and realistic exercises, cyber ranges have grown in popularity in recent years, with state-level ones opened in Louisiana and Virginia, among others. Having more ranges available to state and local governments would help officials understand the vulnerabilities of IoT and OT devices and learn how to manage the risk, said Joel Bagnal, director of federal at security company SpyCloud.
The federal government “can train and … provide information papers and advisories all day long,” he said, “but there's nothing better that replaces hands-on experience.” A cyber range gives security staff the chance to see “vulnerabilities being exploited and then how to apply that direct knowledge back to [their] own network,” Bagnal said.
Bagnal noted that the Idaho National Laboratory has a section dedicated to researching critical infrastructure protection and IoT device security and is starting to make recommendations on mitigating vulnerabilities. Meanwhile, the National Initiative for Cybersecurity Education produced a guide detailing how cyber ranges can be used for education and training and said they are a key tool for “reducing the skills gap and securing society.”
But cyberattacks have become more sophisticated with the help of botnets and automated malware. Bagnal said the United States is “not keeping pace” with its adversaries, a situation especially troubling for critical infrastructure, which is closely monitored and deployed at the state and local level.
“The greatest risk right now is that we don't understand our vulnerabilities and the risks associated with OT and IoT as well as we should,” Bagnal said. “There are so many different embedded devices out there, there are so many different sensors and legacy systems that are still serving important functions that we simply don't know the vulnerabilities of.”
In the absence of firm guidance from the federal government on how to manage the cybersecurity risks associated with their IoT and OT devices, Bagnal said state and local governments should form closer partnerships and share information on vulnerabilities.
While federal grants should help bolster states’ threat monitoring capabilities, Bagnal warned that it may take more high-profile breaches to “identify the challenges” that still exist, which “will then inspire even more energy and funding and resources” to get connected device security under control.