The nation’s critical infrastructure relies on the Internet of Things and operational technology devices and systems, but federal agencies are not following best practices in managing the associated cybersecurity risks, says a government report issued Thursday.
The U.S. Government Accountability Office said in the report that to help private entities and federal agencies manage the cybersecurity risks associated with IoT and OT, the Department of Homeland Security’s Cyber Security and Infrastructure Security Agency and the National Institute of Standards and Technology have issued guidance and provided resources.
“However, none of the selected lead agencies had developed metrics to assess the effectiveness of their efforts,” the report says. “Further, the agencies had not conducted IoT and OT cybersecurity risk assessments. Both of these activities are best practices.”
The report says lead agency officials have noted difficulty assessing program effectiveness when relying on securer entities’ voluntary information.
“Nevertheless, without attempts to measure effectiveness and assess risks of IoTt and OT, the success of initiatives…
