The Cybersecurity and Infrastructure Security Agency has an understaffed and often ill-equipped workforce to deal with risks to the nation’s key operational technology systems, the Government Accountability Office said in a new report Thursday.

The crucial role that OT systems play in critical infrastructure makes them especially vulnerable to cyberattacks, but owners and operators told the GAO that they face challenges in working with CISA to combat those threats, citing a lack of agency staffers that have the “necessary skills.”

In producing the report, the GAO spoke with officials from CISA and 13 nonfederal entities about the various OT-related challenges they face. Those entities included councils that represented OT-prevalent sectors and subsectors with infrastructures especially vulnerable to cyber threat risks, OT vendors that participated in a CISA collaboration group, and cybersecurity researchers that assisted in the development of CISA’s OT advisories.

While 12 of the 13 detailed positive experiences with CISA’s OT products and services, seven also highlighted negative experiences, including one that cited a year-plus gap between the first report of a vulnerability and the public disclosure from CISA.

CISA officials and one nonfederal entity were aligned in acknowledging that the agency has “insufficient” staff with compulsory OT skills; there are just four federal employees and five contractors at CISA who work on threat hunting and incident response service. CISA officials said that is “not enough staff to respond to significant attacks impacting OT systems in multiple locations at the same time.”

Staffing shortcomings also appeared to manifest in the agency’s information-sharing capabilities. In reviewing documentation from seven federal agencies that routinely collaborate with CISA — the Department of Defense’s Defense Cyber Crime Center; the National Security Agency; the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response; the Transportation Security Administration; the U.S. Coast Guard; the Federal

Railroad Administration; and the Pipeline and Hazardous Materials Safety Administration — the GAO found positive outcomes from six, but notable challenges from four.

Three agencies — CESER, FRA and USCG — said CISA has been “ineffectively sharing information with critical infrastructure owners and operators,” while PHMSA said CISA is falling short on a process to inform those stakeholders about cyber threats, the report said.

“PHMSA officials told us that they would like CISA to leverage their expertise and daily interaction with the sector to help increase communication of threats to all pipeline operators and their OT systems,” the GAO stated.

The GAO offered four recommendations to the director of CISA: “measure customer service for its OT products and services, perform effective workforce planning for OT staff, issue guidance to the sector risk management agencies on how to update their plans for coordinating on critical infrastructure issues, and develop a policy on agreements with sector risk management agencies with respect to collaboration.”

The Department of Homeland Security concurred with the GAO’s recommendations for CISA.

The post CISA needs better workforce planning to handle operational technology risks, GAO says appeared first on CyberScoop.

Leave a Reply

Your email address will not be published. Required fields are marked *

Explore More

Fifth of British Kids Have Broken the Law Online

February 19, 2024 0 Comments 0 tags

A new National Crime Agency study reveals 20% of 10- to 16-year-olds have violated the Computer Misuse Act

Report: Manufacturing bears the brunt of industrial ransomware

February 20, 2024 0 Comments 0 tags

Manufacturing continues to be the industrial sector hardest hit by ransomware, according to a new report by industrial cybersecurity firm Dragos. The firm’s year-in-review reported more than 900 ransomware incidents

After LockBit takedown, police try to sow doubt in cybercrime community

February 23, 2024 0 Comments 0 tags

After seizing the digital infrastructure of the ransomware group LockBit earlier this week, the law enforcement agencies behind that operation have carried out an unusual messaging campaign designed to create