GAO uncovers mixed feedback on CISA’s OT cybersecurity services when it comes to addressing risks

Cybersecurity Improvements Needed in Addressing Risks to Operational Technology (GAO)

The U.S. Government Accountability Office (GAO) conducted a review of the 13 OT (operational technology) cybersecurity products and services of the Cybersecurity and Infrastructure Security Agency (CISA). The review found that while 12 of the 13 non-federal entities reported positive experiences with CISA’s offerings, it also highlighted challenges identified by CISA and by seven of those entities.

The GAO report identified that seven non-federal entities encountered difficulties with CISA’s products and services, categorizing their experiences as negative. Separately, the seven federal agencies GAO selected for its review are the Department of Defense’s (DOD) Defense Cyber Crime Center (DC3); the DOD’s National Security Agency (NSA); the Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER); the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA); DHS’ U.S. Coast Guard (USCG); the Department of Transportation’s (DOT) Federal Railroad Administration (FRA); and DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA).

A notable issue raised involved the lengthy process associated with vulnerability reporting through CISA. One entity shared with the GAO that it often experienced delays exceeding a year from the initial vulnerability report to its public disclosure.

GAO also asked officials from CISA and 13 selected non-federal entities to identify any challenges with the OT products and services. The selected entities included councils representing one sector and three sub-sectors where OT was prevalent and which the intelligence community had highlighted as being at risk from cyber threat actors; OT vendors who joined a CISA OT collaboration group; and cybersecurity researchers who contributed to the development of CISA’s OT advisories.

The recent report identified two types of challenges associated with delivering OT products and services: negative experiences using CISA’s products and services, and insufficient CISA staff with the requisite OT skills. It then compared CISA’s efforts to address those challenges against leading practices for measuring customer service and workforce planning. However, CISA has not fully measured customer service for its OT products and services or performed effective workforce planning for its OT workforce.

GAO focused on these agencies or departmental components because each was within agencies designated as the lead for helping to protect the selected sector and three subsectors and responsible for helping critical infrastructure owners and operators to mitigate cyber OT risks. The watchdog also asked officials from seven selected agencies to identify any challenges in collaborating with CISA to mitigate cyber OT risks. GAO then compared documentation from the seven agencies and CISA against five selected leading collaboration practices.

CISA provided 13 OT cybersecurity products and services between October 2018 and November 2023 at no cost to critical infrastructure owners and operators. It delivered four OT cybersecurity products to critical infrastructure owners and operators. Two of these products were aimed at sharing cyber threat information and best practices about OT. The remaining two OT products were tools that owners and operators can use to evaluate their OT security practices and analyze their OT network traffic and logs.

CISA provided nine OT cybersecurity services to critical infrastructure owners and operators. Of the nine services, four were focused on helping owners and operators identify cyber vulnerabilities in their OT networks and the steps that can be taken to mitigate them. Three services were aimed at providing critical infrastructure owners and operators with training, exercises, and other information needed to prepare for cyberattacks on their OT networks. Two services were focused on helping to identify, analyze, or respond to malicious cyber activity on owner and operator OT networks.

In addition, to help enhance these products and services, in April 2022 CISA established the Industrial Control Systems working group as part of its Joint Cyber Defense Collaborative. CISA explained that the working group is intended to help plan for how best to protect the nation’s OT, inform the government’s guidance on OT cybersecurity and contribute to information sharing across private and public partners in the OT space. 

The GAO report added that twelve non-federal entities identified positive experiences using nine of CISA’s products and services. Examples of positive experiences highlighted by selected non-federal entities include the industrial control system advisories and best practice guidance products, which are effective and have helped consumers stay informed of threats and find vulnerabilities in their environment. The Cyber Security Evaluation Tool was user-friendly and useful in explaining the risk assessment to customers who may not have extensive cyber literacy.

It also included the Validated Architecture Design Review, which had a positive impact in supporting compliance efforts. Concerning the Vulnerability Coordination service, CISA is an excellent partner in the process of coordinating vulnerability disclosures and can help with contacting impacted vendors. CISA’s OT training is among the best training on the subject. The skill sets, tools, and capabilities of the CISA staff engaged in the threat hunting and incident response service have been of high quality.

GAO said that the seven selected non-federal entities identified negative experiences in using six of CISA’s OT cybersecurity products and services. It added that CISA does not have enough staff to provide validated architecture design reviews to all that requested them. Demand for this service increased after the TSA required that certain pipeline owners and operators conduct architecture design reviews of their OT systems, and stated that validated architecture design reviews conducted by CISA would satisfy this requirement.

Secondly, when it comes to vulnerability coordination service, GAO noted that vulnerabilities reported through CISA’s process often take more than a year between the initial report of a vulnerability and public disclosure. This process can be lengthy because CISA waits for the vendor to develop a patch for the vulnerability before public disclosure and believes that it does not have the authority to force vendors to patch these vulnerabilities promptly. 

In addition, CISA accidentally added a security researcher to an email thread regarding a vulnerability for which the researcher had no prior knowledge. This mistake could have led to the sale of this vulnerability on the black market for exploitation.

To address the challenge of negative experiences in using products and services, GAO had previously reported on the importance of measuring customer service. Taking a portfolio-based approach to measuring customer service can position agencies to determine whether allocated resources are yielding the intended results across a portfolio of projects, products, or services. 

In addition, this approach can allow agencies to reallocate resources as needed within the portfolio to achieve an optimal return on investment. In particular, GAO said it has previously highlighted the importance of agencies adopting customer service measures, analyzing the results of those measures, and making needed improvements.

GAO is making four recommendations to CISA to implement processes and guidance to improve its OT products and services and collaboration. Specifically, GAO is recommending that CISA measure customer service for its OT products and services, perform effective workforce planning for OT staff, issue guidance to the sector risk management agencies on how to update their plans for coordinating critical infrastructure issues and develop a policy on agreements with sector risk management agencies concerning collaboration. DHS concurred with the four recommendations to CISA and described actions that the agency plans to take to implement them. 

Last month, the U.S. House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection conducted a hearing to address threats to OT across critical infrastructure sectors, including the water sector, and to discuss CISA’s role in securing OT.
