CISA needs improved workforce planning for tackling operational tech risks

March 8, 2024

TLDR:

  • CISA is understaffed and ill-equipped to handle risks to operational technology systems
  • GAO report highlights challenges faced by CISA and nonfederal entities in combating cyber threats

The Government Accountability Office (GAO) has highlighted the need for better workforce planning at the Cybersecurity and Infrastructure Security Agency (CISA) to effectively manage risks to operational technology (OT) systems. The GAO report found that CISA lacks sufficient staff with the necessary skills to handle simultaneous attacks impacting OT systems, which are crucial to critical infrastructure. The report revealed challenges faced by both CISA and nonfederal entities in collaborating to combat cyber threats, with a particular emphasis on staffing shortages and ineffective information sharing.

The GAO spoke with officials from CISA and various nonfederal entities to gather insights into the challenges faced in dealing with OT-related risks. While some entities expressed positive experiences with CISA’s OT products and services, others highlighted negative experiences, such as delays in vulnerability disclosures. The report identified staffing shortages at CISA, with only nine individuals dedicated to threat hunting and incident response services. This lack of staff was deemed insufficient to respond to significant attacks impacting OT systems across multiple locations simultaneously.

The GAO offered several recommendations to CISA, including measuring customer service for OT products and services, performing effective workforce planning, issuing guidance to sector risk management agencies, and developing policies for collaboration. The Department of Homeland Security concurred with the GAO’s recommendations, signaling a need for better coordination and preparedness to address OT-related risks in critical infrastructure.
