A new US Government Accountability Office (GAO) assessment of the cybersecurity of the nation's critical infrastructure recommends a more robust role for the federal government in protecting industrial control systems (ICS) — particularly those operating the country's energy grid and communications networks.
The GAO in its report noted that the US Department of Energy's cybersecurity plan does not address vulnerabilities in individual energy grids' distribution systems.
"We recommended that, in developing plans to implement the national cybersecurity strategy for the grid, DOE coordinate with DHS, states, and industry to more fully address risks to the grid’s distribution systems from cyberattacks," the report said.
The GAO's assessment also calls on the Cybersecurity and Infrastructure Agency (CISA) to improve coordination and incident management among all levels of government — local, regional, and national — to protect against ransomware cyberattacks.
CISA is also called out by the GAO for its lack of attention on US communications network cybersecurity. The report added CISA has not updated its Communications Sector-Specific plan since 2015. CISA should also engage with the US Secret Service to respond to ransomware attacks on tribal, state, local, and territorial governments, the GAO report recommends.
This latest audit of infrastructure and industrial control systems is the third from the GAO on the cybersecurity of the nation. In the new report, GAO calls out the federal government for its slow response to previous recommendations by the agency.
"We've made 106 public recommendations in this area since 2010," the report said. "Nearly 57% of those recommendations had not been implemented as of December 2022."