Most Critical Infrastructure Sectors Haven’t Adopted NIST Cybersecurity Framework

A new report from the U.S. Government Accountability Office (GAO) found that most of the country’s critical infrastructure sectors have yet to take steps toward adopting a nearly decade-old framework to improve cybersecurity.

Just three of 16 identified critical infrastructure sectors that provide essentials such as electricity, water, oil and gas, banking, manufacturing, and transportation have adopted the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity,” the GAO concluded in its report to Congress.

GAO said cyber threats to the nation’s infrastructure continue to increase and threaten national security.

Ensuring the Cybersecurity of the Nation

“Recent incidents—such as the ransomware attack on the Colonial pipeline and attacks targeting health care and essential services during the [COVID-19] pandemic—illustrate the pressing need to strengthen federal and critical infrastructure cybersecurity,” GAO said. Cyber attacks on network management company SolarWinds Corp., meat processing company JBS, and software firm Kaseya furthermore demonstrate the risk to infrastructure.

GAO said four other sectors “have taken initial steps” to adopt the framework but “the remaining 11 sectors did not identify improvements and were not able to describe potential successes from their sectors’ use of the framework.”


Federal agencies charged with protecting the 16 critical infrastructure sectors are called sector risk management agencies. They include the departments of Agriculture (USDA), Defense (DOD), Energy (DOE), Transportation (DOT), Homeland Security (DHS), and Health and Human Services (HHS), as well as the Environmental Protection Agency (EPA), the General Services Administration (GSA), and the Treasury.

An executive order in early 2013 looked to improve cybersecurity in critical infrastructure and resulted in NIST issuing the framework a year later. The outline of standards and best practices is voluntary.


GAO said it has made dozens of recommendations in reports to enhance cybersecurity and measure NIST framework adoption but “as of November 2021, a majority of these recommendations had not been implemented.”

The report acknowledged challenges to framework adoption. For instance, the Treasury reported that unless financial regulators require adherence, entities are unlikely to implement the framework. DHS said a lack of subject matter expert resources was a concern, and the EPA cited a lack of cybersecurity knowledge among the utilities it oversees.