A new report from the U.S. Government Accountability Office (GAO) found that many of the nation’s critical infrastructure sectors have yet to take steps toward adopting a nearly decade-old framework to improve cybersecurity.
Just three of 16 identified critical infrastructure sectors that provide essentials such as electricity, water, oil and gas, banking, manufacturing, and transportation have adopted the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity,” the GAO concluded in its report to Congress.
GAO said cyber threats to the nation’s infrastructure continue to increase and threaten national security.
“Recent incidents—such as the ransomware attack on the Colonial pipeline and attacks targeting health care and essential services during the [COVID-19] pandemic—illustrate the urgent need to strengthen federal and critical infrastructure cybersecurity,” GAO said. Cyber attacks on network management company SolarWinds Corp., meat processing company JBS, and software firm Kaseya also demonstrate the risk to infrastructure.
GAO said four other sectors “have taken initial steps” to adopt the framework but “the remaining 11 sectors didn’t identify improvements and weren’t able to describe potential successes from their sectors’ use of the framework.”
Federal agencies charged with protecting the 16 critical infrastructure sectors are called sector risk management agencies. They include the departments of Agriculture (USDA), Defense (DOD), Energy (DOE), Transportation (DOT), Homeland Security (DHS), Health and Human Services (HHS), the Environmental Protection Agency (EPA), the General Services Administration (GSA) and the Treasury.
An executive order in early 2013 sought to improve cybersecurity in critical infrastructure and resulted in NIST issuing the framework a year later. The outline of standards and best practices is voluntary.
GAO said it has made dozens of recommendations in reports to enhance cybersecurity and measure NIST framework adoption but “as of November 2021, a majority of these recommendations had not been implemented.”
The report acknowledged challenges to framework adoption. For example, the Treasury reported that unless financial regulators require adherence, entities are unlikely to implement the framework. The DHS said lack of subject matter expert resources was a concern and the EPA cited a lack of cybersecurity knowledge among utilities it oversees.