The US Government Accountability Office (GAO) has urged several federal agencies to conduct cybersecurity-related assessments in an effort to improve the protection of certain critical infrastructure sectors.
The GAO pointed out that the DHS, CISA and NIST have issued guidance, alerts, advisories, and other resources in an effort to help federal and private entities manage the cybersecurity risks associated with internet-of-things (IoT) and operational technology (OT) systems.
While steps have been taken to protect critical infrastructure against cyberattacks, GAO believes more should be done by certain agencies.
The US Energy Department has initiatives focusing on OT cybersecurity monitoring technologies and cybersecurity for OT environments. The Department of Health and Human Services provides pre-market and post-market cybersecurity management guidance for medical device manufacturers. The DHS and the Transportation Department’s initiatives include a surface transportation cybersecurity toolkit and a directive on enhancing rail cybersecurity.
These agencies have a leading role in protecting the energy, healthcare, and transportation critical infrastructure sectors against cyberattacks, and the aforementioned initiatives show their commitment to achieving their goals.
[ Read: Increasing Number of Threat Groups Targeting OT Systems in North America ]
However, the GAO is displeased with the fact that none of the three agencies have developed metrics to assess the effectiveness of these initiatives. In addition, they have not conducted IoT and OT cybersecurity risk assessments for the sector as a whole, which prevents them from knowing what other protections might be needed.
“Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown,” the GAO said.
The GAO has made a series of eight recommendations to the four agencies in charge of the energy, healthcare, and transportation sectors, focusing on the needs to establish and use metrics for assessing the effectiveness of IoT/OT cybersecurity efforts, and evaluating cybersecurity risks.
“The Departments of Homeland Security and Transportation concurred with the recommendations while Energy said it would not respond to the recommendations until after further coordination with other agencies. Health and Human Services neither agreed nor disagreed with the recommendations but noted planned actions. Specifically, the department said it planned to update its sector-specific plan but asserted that it cannot compel adoption of the plan in the private sector,” the GAO reported.
The agency pointed out that the IoT Cybersecurity Improvement Act of 2020 prohibits government organizations from buying or using IoT devices that are not compliant with NIST security standards after December 4, 2022. However, the Office of Management and Budget (OMB) had failed to develop a standardized process for waiving this prohibition by November 22, when GAO finished up its report. The GAO is concerned that this could lead to inconsistent actions being taken across agencies.
Related: US Offshore Oil and Gas Infrastructure at Significant Risk of Cyberattacks
Related: Over 12,000 Cyber Incidents at DoD Since 2015, But Incident Management Still Lacking
Related: Electricity Distribution Systems at Increasing Risk of Cyberattacks, GAO Warns

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
- UK Car Retailer Arnold Clark Hit by Ransomware
- EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
Latest News
- Fraudulent “CryptoRom” Apps Slip Through Apple and Google App Store Review Process
- US Downs Chinese Balloon Off Carolina Coast
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
