Industry needs government help to protect infrastructure, GAO study says
U.S. critical infrastructure protection is a patchwork process depending primarily on voluntary public- and private-sector cooperation that could leave large portions inadequately protected, according to a recent study by the Government Accountability Office.
There is no lack of cybersecurity guidance for protecting infrastructure operated by the private sector, but government could do a better job of providing advice and assistance to non-regulated industries in protecting themselves, GAO concluded.
“Entities operating under a federal regulatory environment are required to adhere to cybersecurity standards to meet their regulatory requirements or face enforcement mechanisms,” the GAO report said. “Entities not subject to regulation do not face such enforcement mechanisms, but may voluntarily implement cybersecurity guidance.”
There are good business reasons for non-regulated entities to secure themselves, but deciding what to do and how to do it might not be simple.
“Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture,” GAO said.
A better understanding of the available guidance on industry standards and best practices could help both federal and private-sector decision-makers coordinate protection of critical cyber-reliant assets. However, this information often is not included in the sector-specific plans developed by agencies for the industries they oversee. GAO recommended that better cybersecurity guidance be included in these plans.
The Homeland Security Department, the lead agency for critical infrastructure protection, plans to assess what cybersecurity guidance should be included in private-sector protection plans. Rep. Bennie G. Thompson (D-Miss.), one of the requesters of the study, supported the call for better security plans.
“On a positive note, this report shows that cybersecurity compliance guidance is readily promoted and disseminated,” Thompson said in a statement. “However, in the future we should ensure that this guidance is included in DHS-required Critical Infrastructure sector planning documents. This practice would be common sense and security focused.”
Critical infrastructures are those utilities and industrial and supply systems on which the nation’s security and economy depend. Threats to these systems have been growing with the increasing number and sophistication of online attacks, and the impact of attacks could be amplified by the increasingly networked nature of these systems. Cyber-critical infrastructure protection has been identified by GAO as a high-risk area since 2003.
In the most recent study, GAO looked at seven of 18 critical infrastructure sectors: banking and finance; communications; energy; health care and public health; information technology; nuclear reactors, material and waste; and water.
DHS is the lead agency for both government and private-sector cybersecurity and is responsible for developing national critical infrastructure protection plans, helping the private sector develop and promote best security practices, and providing assistance when requested. Other agencies assist in this work, together with sector-specific coordinating councils that include government and private entities. Agencies and coordinating councils are required to develop sector plans and provide annual reports for their sectors. DHS made sector-specific planning a priority after GAO identified shortcomings in plan development in 2009. To date, 17 plans have been finalized and one is being reviewed.
However, most of the protection plans do not identify key guidance and standards for cybersecurity, because DHS did not specifically ask that they do so.
A number of the sectors included in GAO’s review are required to meet mandatory cybersecurity standards established by regulation under federal law or face enforcement mechanisms, such as civil monetary penalties. The North American Electric Reliability Corp., an electric industry regulatory body, in July penalized one company $75,000 for a high-risk factor violation. It imposed penalties totaling about $496,000 for 65 medium-risk violations and penalties of about $375,000 for 24 low-risk violations.
But non-regulated businesses adopt cybersecurity protections voluntarily. “The competitive market place, desire to maintain profits, and customer expectation of information security — rather than federal regulation — drive the adoption of best practices,” the report said.
The report did not assess the security status of the infrastructures, but said additional steps to promote cybersecurity practices should be taken. “More could be done to identify guidance and standards applicable to entities within the sectors and to promote their implementation.”