CISA needs better workforce planning to handle operational technology risks, GAO says
The Cybersecurity and Infrastructure Security Agency has an understaffed and often ill-equipped workforce to deal with risks to the nation’s key operational technology systems, the Government Accountability Office said in a new report Thursday.
The crucial role that OT systems play in critical infrastructure makes them especially vulnerable to cyberattacks, but owners and operators told the GAO that they face challenges in working with CISA to combat those threats, citing a lack of agency staffers that have the “necessary skills.”
In producing the report, the GAO spoke with officials from CISA and 13 nonfederal entities about the various OT-related challenges they face. Those entities included councils that represented OT-prevalent sectors and subsectors with infrastructures especially vulnerable to cyber threat risks, OT vendors that participated in a CISA collaboration group, and cybersecurity researchers that assisted in the development of CISA’s OT advisories.
While 12 of the 13 detailed positive experiences with CISA’s OT products and services, seven also highlighted negative experiences, including one that cited a year-plus gap between the first report of a vulnerability and the public disclosure from CISA.
CISA officials and one nonfederal entity were aligned in acknowledging that the agency has “insufficient” staff with compulsory OT skills; there are just four federal employees and five contractors at CISA who work on threat hunting and incident response service. CISA officials said that is “not enough staff to respond to significant attacks impacting OT systems in multiple locations at the same time.”
Staffing shortcomings also appeared to manifest in the agency’s information-sharing capabilities. In reviewing documentation from seven federal agencies that routinely collaborate with CISA — the Department of Defense’s Defense Cyber Crime Center; the National Security Agency; the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response; the Transportation Security Administration; the U.S. Coast Guard; the Federal
Railroad Administration; and the Pipeline and Hazardous Materials Safety Administration — the GAO found positive outcomes from six, but notable challenges from four.
Three agencies — CESER, FRA and USCG — said CISA has been “ineffectively sharing information with critical infrastructure owners and operators,” while PHMSA said CISA is falling short on a process to inform those stakeholders about cyber threats, the report said.
“PHMSA officials told us that they would like CISA to leverage their expertise and daily interaction with the sector to help increase communication of threats to all pipeline operators and their OT systems,” the GAO stated.
The GAO offered four recommendations to the director of CISA: “measure customer service for its OT products and services, perform effective workforce planning for OT staff, issue guidance to the sector risk management agencies on how to update their plans for coordinating on critical infrastructure issues, and develop a policy on agreements with sector risk management agencies with respect to collaboration.”
The Department of Homeland Security concurred with the GAO’s recommendations for CISA.
