Operational technology asset owners and security leadership now overseeing connected internet-of-things devices have been front-and-center observers of a newfound prioritization of cybersecurity from the federal government.
The Biden administration’s 2021 Executive Order on Improving the Nation’s Cybersecurity, for starters, set a tone not only for the president’s expectations on cybersecurity but also for consumer and enterprise security practices that reach beyond the federal government. The EO, for example, specifically calls for a consumer-focused labeling system for IoT devices, one that discloses the levels of testing and assessment applied to so-called smart devices. In addition, it includes provisions for secure software development and for visibility into the components that make up the technology underpinning critical infrastructure.
In this episode of the Nexus podcast, Katherine Gronberg, the head of government services at NightDragon, a cybersecurity venture capital firm, shared her insight into this rapid acceleration of activity from the federal government and how it will impact not only operators of federal computer systems, but also private-sector ownership of critical infrastructure.
“Section 4 of the Executive Order called for a labeling system for IoT; that’s very much on the consumer side,” she said, adding that NIST must spearhead this initiative and it’s aimed at vendors supplying consumers. “So that when they buy a device, maybe it’s just a connected doll, a Ring camera, or refrigerator, … but now there will have to be a labeling system that consumers can use (to learn the extent of security testing).”
Everything from research into exploitable vulnerabilities in connected vehicles, to attacks against home security cameras and surveillance systems, to the Colonial Pipeline ransomware attack may have informed the White House’s extensive 2021 EO, but what likely prompted more of it was that the market was slow to act on its own, Gronberg said.
“The more that IoT enters into our daily lives and can disrupt it, there you have government decision makers concluding they have to provide more support and help for consumers,” Gronberg said.
Extend this connectivity to IoT sensors that support OT processes, or to remote patient monitoring systems in healthcare, and a lag in the market’s adaptation to the vulnerabilities and risks posed by connectivity begins to affect human life and physical safety. To address vulnerabilities, for example, the government is elevating software assurance as a principle, calling for a software bill of materials for government systems, and, in the recent Omnibus bill, enacted provisions for post-market vulnerability remediation.
“There is a lot of emphasis there in security by design, which I do believe officials think has been neglected for a long time,” Gronberg said of the EO and other government initiatives. “People can produce IoT devices that don’t have basic security requirements or produce software that has sloppy code. I think it’s fair to say that it’s time we have some introspection on how we build, design, and produce our devices.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.