GAO: critical infrastructure operators need more coherent regulations

Published 23 January 2012

A recent Government Accountability Office (GAO) report found that the bulk of U.S. critical infrastructure is inadequately protected as operators lack a coherent set of guidelines

In recent years, the government has passed a spate of cybersecurity regulations for certain critical infrastructure sectors, but many industries have been left largely unregulated and vulnerable as a result.

With the majority of critical infrastructure owned and operated by the private sector, security has been scattershot and inconsistent across industries.

“Entities operating under a federal regulatory environment are required to adhere to cybersecurity standards to meet their regulatory requirements or face enforcement mechanisms,” the report said. “Entities not subject to regulation do not face such enforcement mechanisms, but may voluntarily implement cybersecurity guidance.”

In particular, without clear and applicable guidelines available, operators face challenges in finding the right security standards.

“Given the plethora of guidance available, individual entities within the sectors may be challenged in identifying the guidance that is most applicable and effective in improving their security posture,” GAO said.

The report concluded that a better understanding of available guidance on industry standards and best practices could help both the federal government and the private sector coordinate critical infrastructure security measures in relation to cybersecurity.

In response to the GAO report, Representative Bennie G. Thompson (D – Mississippi), one of the study’s requestors, called on DHS to assess what cybersecurity guidance should be included in private sector critical infrastructure protection plans.

“On a positive note, this report shows that cybersecurity compliance guidance is readily promoted and disseminated,” Thompson said. “However, in the future we should ensure that this guidance is included in DHS-required Critical Infrastructure sector planning documents. This practice would be common sense and security focused.”