Federal IoT, OT cyber risk review urged to bolster critical infrastructure defenses

Several U.S. federal agencies have been pushed by the Government Accountability Office to perform cybersecurity risk assessments on internet of things and operational technology systems in a bid to bolster critical infrastructure sectors' cybersecurity posture, according to SecurityWeek. The GAO noted that despite the Energy Department's initiatives aimed at OT environment cybersecurity and OT cybersecurity monitoring technologies, the Department of Health and Human Services' cyber guidance for medical device vendors, and the Department of Homeland Security and Transportation Department's surface transportation cybersecurity toolkit and railroad cybersecurity directive, no metrics have been developed by the agencies to measure the initiatives' effectiveness. "Lead agency officials noted difficulty assessing program effectiveness when relying on voluntary information from sector entities. Nevertheless, without attempts to measure effectiveness and assess risks of IoT and OT, the success of initiatives intended to mitigate risks is unknown," said the GAO, whose recommendations have been concurred by the DHS and Transportation Department. The Energy Department said that it will still coordinate with other agencies before issuing its response, while HHS said that it is planning actions even though it neither agreed nor disagreed with the GAO report.