The nation’s critical infrastructure relies on the Internet of Things and operational technology devices and systems, but federal agencies are not following best practices to manage the associated cybersecurity risks, a government report released Thursday said.
The US Government Accountability Office said in the report that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology have issued guidance and provided resources to help private entities and federal agencies manage the cybersecurity risks associated with IoT and OT.
“However, none of the selected lead agencies had developed metrics to assess the effectiveness of their efforts,” the report said. “Furthermore, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices.”
The report says senior agency officials have noted difficulties in assessing the program’s effectiveness when relying on information voluntarily provided by sector entities.
“Yet, without attempts to measure the effectiveness and assess the risks of IoT and OT, the success of initiatives aimed at mitigating risks is unknown,” the report states.
GAO’s recommendations include that the Departments of Energy, Health and Human Services, Homeland Security and Transportation each establish and use metrics to assess the effectiveness of the sectors’ IoT and OT cybersecurity efforts, and evaluate each sector’s IoT and OT cybersecurity risks.
The GAO said in a report issued last month that the Defense Department should improve its reporting of cybersecurity incidents involving it and the nation’s defense industrial base.