Federal agencies fall short in infrastructure risk management
Reprints
The nation’s critical infrastructure relies on the Internet of Things and operational technology devices and systems, but federal agencies are not following best practices in managing the associated cybersecurity risks, says a government report issued Thursday.
The U.S. Government Accountability Office said in the report that to help private entities and federal agencies manage the cybersecurity risks associated with IoT and OT, the Department of Homeland Security’s Cyber Security and Infrastructure Security Agency and the National Institute of Standards and Technology have issued guidance and provided resources.
“However, none of the selected lead agencies had developed metrics to assess the effectiveness of their efforts,” the report says. “Further, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices.”
The report says lead agency officials have noted difficulty assessing program effectiveness when relying on securer entities’ voluntary information.
“Nevertheless, without attempts to measure effectiveness and assess risks of IoTt and OT, the success of initiatives intended to mitigate risks I unknown,” the report says.
The GAO’s recommendations include that the Departments of Energy, Health and Human Services, Homeland Security and Transportation each establish and use metrics to assess the effectiveness of sector IoT and OT cybersecurity efforts, and evaluate each sector’s IoT and OT cybersecurity risks.
The GAO said in a report issued last month that the Department of Defense should improve its reporting of cybersecurity incidents involving it and the nation’s defense industrial base.
