Two rounds of cybersecurity news hit the Cybersecurity and Infrastructure Security Agency (CISA) over the past week, including an attack on its system and a report saying the agency is not equipped to handle operational technology (OT) incidents.

The report found inefficiencies in CISA’s information-sharing practices with critical infrastructure stakeholders, in addition to not having enough staffers to handle OT incidents, according to the U.S. Government Accountability Office (GAO).

In addition, there was a deficiency in CISA’s and the Pipeline and Hazardous Materials Safety Administration’s approach to disseminating cyber threat information to owners and operators.

Assessing 13 OT cybersecurity products and services provided by CISA, the GAO found positive experiences reported by 12 out of the 13 non-federal organizations surveyed. Simultaneously, it drew attention to challenges faced by CISA and seven of the entities under review.

Challenges in Service Delivery
Seven organizations identified challenges in the delivery of OT products and services, according to the report. These challenges revolved around encountering negative experiences with CISA’s products and services and facing a shortage of CISA staff possessing OT skills.

“CISA officials stated that its four federal employees and five contractor staff on the threat hunting and incident response service are not enough staff to respond to significant attacks impacting OT systems in multiple locations at the same time,” the report said.

The seven agencies identified as encountering difficulties with CISA’s products and services are the Department of Defense’s Defense Cyber Crime Center; DOD’s National Security Agency; the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response; the Department of Homeland Security’s Transportation Security Administration; DHS’ U.S. Coast Guard; the Department of Transportation’s Federal Railroad Administration; and DOT’s Pipeline and Hazardous Materials Safety Administration.

The GAO asked officials from these seven designated agencies to pinpoint challenges encountered in collaborating with CISA to mitigate OT cyber risks.

The report found CISA has not comprehensively evaluated customer service for its OT products and services, nor has it executed effective workforce planning for its OT personnel.

Disclosure Took Over a Year
In an environment where time is often of the essence, an unnamed nonfederal entity said the time lapse between the initial reporting of a vulnerability through CISA’s process and its public disclosure often extends beyond one year.

Between October 2018 and November 2023, CISA delivered 13 OT cybersecurity products and services free of charge to critical infrastructure owners and operators.

As a result of the report, GAO made four recommendations to CISA to implement processes and guidance to improve its OT products and services and collaboration, including:

  • Measure customer service for its OT products and services
  • Perform effective workforce planning for OT staff
  • Issue guidance to the sector risk management agencies on how to update their plans for coordinating on critical infrastructure issues
  • Develop a policy on agreements with sector risk management agencies with respect to collaboration.

DHS concurred with the four recommendations to CISA and described actions the agency plans to take to implement them:

First recommendation: The Director of CISA should (1) measure customer service for all of its OT products and services and (2) use the results of such measures to make improvements to the products and services.

Second recommendation: The Director of CISA should (1) develop OT competency and staffing requirements, (2) assess OT competency and staffing gaps, and (3) develop strategies for filling any gaps.

Third recommendation: The Director of CISA should issue guidance on how SRMAs should update sector-specific plans that reflects the five selected leading collaboration practices when agencies are mitigating cyber OT risks.

Fourth recommendation: The Director of CISA should (1) develop an agency-wide policy on agreements with SRMAs regarding collaboration to mitigate OT risks and (2) implement that policy with the selected agencies.

Meanwhile, CISA is dealing with a hack into two systems that forced the agency to shut them down.

Attack on Ivanti Products
A CISA spokesperson said in a report by The Record that the organization “identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses.”

“The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.

CISA shared no further details, but it appears the two systems affected included the Infrastructure Protection (IP) Gateway and the Chemical Security Assessment Tool (CSAT).

The IP Gateway holds “critical information” about the interdependency of U.S. infrastructure, while the CSAT holds “private sector chemical security plans.”

