The US Government Accountability Office (GAO) has conducted a study focusing on the operational technology (OT) cybersecurity products and services offered by CISA and found that some of the security agency’s teams are understaffed.
OT environments continue to be targeted by sophisticated threat actors and CISA has been designated as the lead agency in helping critical infrastructure organizations address risks associated with industrial control systems (ICS) and other OT systems.
CISA provides over a dozen OT security products and services, including security advisories, best practices guidance, evaluation and analysis tools, risk analysis, architecture design reviews, vulnerability coordination, exercises and training, and threat hunting and incident response.
For its study, the GAO worked with 13 non-federal entities, including representatives of OT sectors that are more likely to be targeted by threat actors, cybersecurity researchers who contributed to CISA’s OT advisories, and OT vendors that are part of a CISA collaboration group. The study is also based on information collected from CISA itself and seven other federal agencies of the Departments of Defense, Energy, Homeland Security, and Transportation.
According to the GAO report, 12 of the 13 non-federal entities were able to provide examples of positive experiences with CISA’s OT-focused products and services. However, there have also been some complaints and one significant issue appears related to insufficient staff with the requisite OT skills.
For example, at the time of the study, CISA had four federal employees and five contractors on the threat hunting and incident response team, which the agency said was not enough to respond to significant OT cyberattacks in multiple locations at the same time.
CISA receives significant funding from the government, but the agency’s officials had requested additional staff and funding for contractor travel required for incident response services.
Another example is related to validated architecture design reviews. Between 2019 and May 2023, CISA was only able to fulfill 125 of 572 OT-related review requests due to not having enough staff.
The GAO report advises CISA to perform more effective workforce planning. However, the study was conducted several months ago and the security agency told the GAO at the time that it had been working on addressing workforce-related issues.
SecurityWeek reached out to CISA on Monday to find out if it has addressed these issues and whether its incident response team is still understaffed, but the agency has not responded.
Update: CISA Executive Assistant Director for Cybersecurity Eric Goldstein provided the following statement to SecurityWeek:
“Hiring cybersecurity experts, particularly those with experience in Industrial Control Systems (ICS), is a universally acknowledged challenge for every organization and is a strategic focus for CISA. We’ve continued our efforts to deepen and expand our operational technology (OT) and ICS workforce, including bringing on team members with deep ICS expertise across our organization.
We continue to align our organization to most effectively support our partners in managing ICS cybersecurity risks, such as by establishing a new cyber-physical forensics team and hiring a senior leader to guide our critical infrastructure threat detection strategy. More broadly, we continue to refine our approaches to recruit and hire ICS cybersecurity personnel, including by updating technical competency requirements and assessments for ICS cybersecurity positions and implementing a sustained hiring strategy for ICS roles.”
Related: US Gov Rolls Out National Cyber Workforce, Education Strategy
