The US Government Accountability Office has conducted a study focusing on the operational technology cybersecurity products and services offered by CISA and found that some of the security agency's teams are understaffed.
OT environments continue to be targeted by sophisticated threat actors and CISA has been designated as the lead agency in helping critical infrastructure organizations address risks associated with industrial control systems and other OT systems.
CISA provides over a dozen OT security products and services, including security advisories, best practices guidance, evaluation and analysis tools, risk analysis, architecture design reviews, vulnerability coordination, exercises and training, and threat hunting and incident response.
For its study, the GAO worked with 13 non-federal entities, including representatives of OT sectors that are more likely to be targeted by threat actors, cybersecurity researchers who contributed to CISA's OT advisories, and OT vendors that are part of a CISA collaboration group.
The study is also based on information collected from CISA itself and seven other federal agencies of the Departments of Defense, Energy, Homeland Security, and Transportation.
According to the GAO report, 12 of the 13 non-federal entities were able to provide examples of positive experiences with CISA's OT-focused products and services.
There have also been some complaints and one significant issue appears related to insufficient staff with the requisite OT skills.
At the time of the study, CISA had four federal employees and five contractors on the threat hunting and incident response team, which the agency said was not enough to respond to significant OT cyberattacks in multiple locations at the same time.
CISA receives significant funding from the government, but the agency's officials had requested additional staff and funding for contractor travel required for incident response services.
Another example is related to validated architecture design reviews.
Between 2019 and May 2023, CISA was only able to fulfill 125 of 572 OT-related review requests due to not having enough staff.
The GAO report advises CISA to perform more effective workforce planning.
The study was conducted several months ago and the security agency told the GAO at the time that it had been working on addressing workforce-related issues.
SecurityWeek reached out to CISA on Monday to find out if it has addressed these issues and whether its incident response team is still understaffed, but the agency has not responded.
This Cyber News was published on www.securityweek.com. Publication date: Tue, 12 Mar 2024 14:13:06 +0000