Connect with us

Hi, what are you looking for?



CISA’s OT Attack Response Team Understaffed: GAO

GAO study finds that CISA does not have enough staff to respond to significant OT attacks in multiple locations at the same time.

The US Government Accountability Office (GAO) has conducted a study focusing on the operational technology (OT) cybersecurity products and services offered by CISA and found that some of the security agency’s teams are understaffed.

OT environments continue to be targeted by sophisticated threat actors and CISA has been designated as the lead agency in helping critical infrastructure organizations address risks associated with industrial control systems (ICS) and other OT systems. 

CISA provides over a dozen OT security products and services, including security advisories, best practices guidance, evaluation and analysis tools, risk analysis, architecture design reviews, vulnerability coordination, exercises and training, and threat hunting and incident response. 

For its study, the GAO worked with 13 non-federal entities, including representatives of OT sectors that are more likely to be targeted by threat actors, cybersecurity researchers who contributed to CISA’s OT advisories, and OT vendors that are part of a CISA collaboration group. The study is also based on information collected from CISA itself and seven other federal agencies of the Departments of Defense, Energy, Homeland Security, and Transportation.

According to the GAO report, 12 of the 13 non-federal entities were able to provide examples of positive experiences with CISA’s OT-focused products and services. However, there have also been some complaints and one significant issue appears related to insufficient staff with the requisite OT skills. 

For example, at the time of the study, CISA had four federal employees and five contractors on the threat hunting and incident response team, which the agency said was not enough to respond to significant OT cyberattacks in multiple locations at the same time.

CISA receives significant funding from the government, but the agency’s officials had requested additional staff and funding for contractor travel required for incident response services.

Another example is related to validated architecture design reviews. Between 2019 and May 2023, CISA was only able to fulfill 125 of 572 OT-related review requests due to not having enough staff. 

Advertisement. Scroll to continue reading.

The GAO report advises CISA to perform more effective workforce planning. However, the study was conducted several months ago and the security agency told the GAO at the time that it had been working on addressing workforce-related issues. 

SecurityWeek reached out to CISA on Monday to find out if it has addressed these issues and whether its incident response team is still understaffed, but the agency has not responded.

Update: CISA Executive Assistant Director for Cybersecurity Eric Goldstein provided the following statement to SecurityWeek:

“Hiring cybersecurity experts, particularly those with experience in Industrial Control Systems (ICS), is a universally acknowledged challenge for every organization and is a strategic focus for CISA. We’ve continued our efforts to deepen and expand our operational technology (OT) and ICS workforce, including bringing on team members with deep ICS expertise across our organization.

We continue to align our organization to most effectively support our partners in managing ICS cybersecurity risks, such as by establishing a new cyber-physical forensics team and hiring a senior leader to guide our critical infrastructure threat detection strategy. More broadly, we continue to refine our approaches to recruit and hire ICS cybersecurity personnel, including by updating technical competency requirements and assessments for ICS cybersecurity positions and implementing a sustained hiring strategy for ICS roles.”

Related: US Gov Rolls Out National Cyber Workforce, Education Strategy

Related: Government Shutdown Could Bench 80% of CISA Staff

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Municipal Water Authority of Aliquippa in Pennsylvania confirms that hackers took control of a booster station, but says no risk to drinking water or...


Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...


Energy giants Schneider Electric and Siemens Energy confirm being targeted by the Cl0p ransomware group in the campaign exploiting a MOVEit zero-day.


US National Cybersecurity Strategy pushes regulation, aggressive 'hack-back' operations.