Endpoint Security , Governance & Risk Management , Information Sharing
CISA Lacks Staff With Skills Needed to Safeguard OT
GAO Report Criticizes CISA's Info-Sharing Programs for Critical InfrastructureThe U.S. Government Accountability Office has found inefficiencies in the Cybersecurity and Infrastructure Security Agency's information-sharing practices with critical infrastructure stakeholders - warning that the agency is understaffed for handling OT incidents.
The watchdog agency also pointed out a deficiency in the Pipeline and Hazardous Materials Safety Administration's approach to disseminating cyber threat information to owners and operators.
Assessing 13 operational technology cybersecurity products and services provided by CISA, the GAO report unveiled positive experiences reported by 12 out of the 13 non-federal organizations surveyed. Simultaneously, it drew attention to challenges faced by CISA and seven of the entities under review.
The seven organizations identified challenges in the delivery of operational technology products and services. These challenges revolved around encountering negative experiences with CISA's products and services and facing a shortage of CISA staff possessing OT skills.
"CISA officials stated that its four federal employees and five contractor staff on the threat hunting and incident response service are not enough staff to respond to significant attacks impacting OT systems in multiple locations at the same time," the report said.
The seven agencies identified encountered difficulties with CISA's products and services are Department of Defense's Defense Cyber Crime Center; DOD's National Security Agency; Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response; Department of Homeland Security's Transportation Security Administration; DHS' U.S. Coast Guard; Department of Transportation's Federal Railroad Administration; and DOT's Pipeline and Hazardous Materials Safety Administration.
The GAO requested officials from these seven designated agencies to pinpoint challenges encountered in collaborating with CISA to mitigate OT cyber risks. The GAO conducted a comparative analysis, reviewing documentation from both the seven agencies and CISA aligned with five specifically chosen leading collaboration practices.
The report found that CISA has not comprehensively evaluated customer service for its OT products and services, nor has it executed effective workforce planning for its OT personnel.
An unnamed nonfederal entity also told the GAO that the time lapse between the initial reporting of a vulnerability through CISA's process and its public disclosure often extends beyond one year.
Between October 2018 and November 2023, CISA delivered 13 operational technology cybersecurity products and services free of charge to critical infrastructure owners and operators.
The National Defense Authorization Act of Fiscal Year 2022 includes a provision for GAO to report on CISA's support for industrial control systems. Federal guidance now addresses these systems under the broader category of OT.
CISA contributed four OT cybersecurity products to critical infrastructure owners and operators. Among these, two were designed to facilitate the sharing of cyber threat information and best practices specific to OT.
The remaining two products served as tools, allowing owners and operators to assess their OT security practices and analyze OT network traffic and logs.
In addition to products, CISA offered nine OT cybersecurity services to critical infrastructure stakeholders. These services can be categorized as follows:
- Vulnerability Identification Services: Four services concentrated on aiding owners and operators in identifying vulnerabilities within their OT networks, offering actionable steps for mitigation.
- Preparation Services: Three services focused on providing critical infrastructure owners and operators with training, exercises and relevant information to better prepare for potential cyberattacks on their OT networks.
- Response Services: Two services aimed to assist in identifying, analyzing or responding to malicious cyber activity occurring within owner and operator OT networks.
To bolster these products and services, CISA formed the Industrial Control Systems working group in April 2022 as an integral component of its Joint Cyber Defense Collaborative.
This working group serves the purpose of strategically planning the optimal protection of the nation's OT systems, shaping the government's directives on OT cybersecurity and fostering information sharing among private and public partners within the OT domain.