The US Government Accountability Office (GAO) has urged several federal agencies to conduct cybersecurity-related assessments in an effort to improve the protection of certain critical infrastructure sectors.
The GAO pointed out that the DHS, CISA and NIST have issued guidance, alerts, advisories, and other resources in an effort to help federal and private entities manage the cybersecurity risks associated with internet-of-things (IoT) and operational technology (OT) systems.
While steps have been taken to protect critical infrastructure against cyberattacks, GAO believes more should be done by certain agencies.
The US Energy Department has initiatives focusing on OT cybersecurity monitoring technologies and cybersecurity for OT environments. The Department of Health and Human Services provides pre-market and post-market cybersecurity management guidance for medical device manufacturers. The DHS and the Transportation Department’s initiatives include a surface transportation cybersecurity toolkit and a directive on enhancing rail cybersecurity.
These agencies have a leading role in protecting the energy, healthcare, and transportation critical infrastructure sectors against cyberattacks, and the aforementioned initiatives show their commitment to achieving their goals.
However, the GAO is displeased with the fact that none of the three agencies have developed metrics to assess the effectiveness of these initiatives. In addition, they have not conducted IoT and OT cybersecurity risk assessments for the sector as a whole, which prevents them from knowing what other protections might be needed.
“Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown,” the GAO said.
The GAO has made a series of eight recommendations to the four agencies in charge of the energy, healthcare, and transportation sectors, focusing on the need to establish and use metrics for assessing the effectiveness of IoT/OT cybersecurity efforts, and to evaluate cybersecurity risks.
“The Departments of Homeland Security and Transportation concurred with the recommendations while Energy said it would not respond to the recommendations until after further coordination with other agencies. Health and Human Services neither agreed nor disagreed with the recommendations but noted planned actions. Specifically, the department said it planned to update its sector-specific plan but asserted that it cannot compel adoption of the plan in the private sector,” the GAO reported.
The agency pointed out that the IoT Cybersecurity Improvement Act of 2020 prohibits government organizations from buying or using IoT devices that are not compliant with NIST security standards after December 4, 2022. However, the Office of Management and Budget (OMB) had not developed a standardized process for waiving this prohibition by November 22, when the GAO completed its report. The GAO is concerned that this could lead to inconsistent actions being taken across agencies.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.