Watchdog: Critical Infrastructure Needs More Cyber Metrics


Most sector-specific agencies still need to develop metrics to evaluate their critical infrastructure sectors' cybersecurity progress, GAO said.

Although the majority of agencies responsible for U.S. critical infrastructure sectors acknowledge the cyber risk as "significant," most still lack metrics and data on the effort to mitigate this threat.

That’s according to a Government Accountability Office report, released yesterday, which examined eight agencies responsible for 15 of the country's critical infrastructure sectors. Its authors determined that only the departments of Energy, Defense and Health and Human Services had established these critical metrics.

Those agencies responsible for the remaining sectors had not launched metrics, which meant they were not evaluating cyber risk mitigation activities or cybersecurity posture, according to the report, although the authors did note that some had started to work toward launching such a system.

While these agencies were largely working to ease their critical infrastructure sectors’ cyber-based risks and vulnerabilities, these metrics are a key aspect of keeping such issues in check, according to the report.

Until these performance metrics are developed and data collected, these agencies "may be unable to adequately monitor the effectiveness of their cyber risk mitigation activities and document the resulting sectorwide cybersecurity progress," the report stated.

For example, Energy built an interactive tool called ieRoadmap so the sector's stakeholders could examine their energy delivery system cybersecurity efforts in comparison to those milestones laid out in the "Roadmap to Achieve Energy Delivery Systems Cybersecurity."

The report also highlighted HHS' efforts, including its work to keep tabs on such cybersecurity metrics as which subscribers received security alerts and notifications on health information security breaches.

Although the Agriculture Department and HHS did not offer any comments in response to GAO’s recommendations, the remaining four said they agreed with them, according to the report.

GAO's authors analyzed policy and plans and interviewed public and private sector officials representing the 15 critical infrastructure sectors, according to the report.

(Image via Brian Guest/