A new report from the Government Accountability Office (GAO) has highlighted the lack of oversight of ransomware protections in critical infrastructure by US federal agencies, posing a threat to the White House’s goal of bolstering cyber resilience.

The GAO found that federal agencies responsible for assessing the cybersecurity of critical sectors such as energy and healthcare only focused on basic cybersecurity protections and general guidance, rather than federal guidelines specific to addressing ransomware. The report specifically analyzed ransomware mitigation strategies in critical manufacturing, energy, healthcare and public health, and transportation sectors.

While the GAO noted that most federal agencies leading and managing the risk for the critical sectors have assessed or plan to assess risks associated with ransomware, they have not fully gauged the use of leading cybersecurity practices or whether federal support has effectively mitigated the risks in these sectors.

This report comes at a time when ransomware attacks have been on the rise, with notable incidents affecting energy and water companies at the beginning of 2024, underscoring the urgent need to strengthen the cyber resilience of critical industries.

The National Institute of Standards and Technology (NIST) developed a cybersecurity framework for managing ransomware risk in February 2022. However, the GAO found that none of the Sector Risk Management Agencies (SRMAs) assessed had determined the extent of adoption of the NIST ransomware profile as recommended by the National Infrastructure Protection Plan (NIPP).

According to the GAO, understanding the extent of sectors’ adoption of NIST or similar practices intended to improve security and resilience against ransomware attacks is crucial for achieving the White House’s goal of bolstering critical infrastructure resilience.

The report also pointed out that the risk and management agencies identified seven other sets of practices from federal agencies and the cybersecurity industry to address ransomware. However, these practices mainly focused on foundational cybersecurity protections for managing various cyber threats beyond ransomware and did not fully align with leading federal practices established by NIST.

In response to these findings, the GAO made a total of 11 recommendations for the SRMAs to improve federal oversight of specific ransomware protections in critical infrastructure sectors. These recommendations aimed at developments of routine evaluation procedures to measure the effectiveness of federal support and the adoption of leading cybersecurity practices in addressing ransomware threats.

The Department of Homeland Security (DHS) and Department of Health and Human Services (HHS) agreed with the recommendations, while the Department of Energy (DOE) partially agreed with one recommendation and disagreed with another. The Department of Transportation (DOT) agreed with one recommendation, partially agreed with one, and disagreed with a third.

Commenting on the report, Mark B. Cooper, President & Founder of PKI Solutions, emphasized the need for a more coordinated approach across agencies and a deeper level of assessment in critical infrastructure to strengthen operational resilience against the evolving cybersecurity threat landscape.

In conclusion, the GAO’s report highlights the pressing need for federal agencies to improve oversight of ransomware protections in critical infrastructure and ensure the adoption of leading cybersecurity practices to mitigate the growing and evolving cyber threats facing these sectors. Failure to do so would pose significant challenges to the White House’s goal of bolstering cyber resilience in critical industries.

Source link