THE Government Accountability Office (GAO) recently conducted a study on operational technology (OT) products and services provided by CISA and found that some teams were inadequately staffed.
CISA is the lead aid agency critical infrastructure organizations to determine the risks in industrial control systems (ICS) as OT environments are increasingly targeted by malicious actors. It provides risk analyses, assessment and analysis tools, best practice guidelines, security advisories, training and exercises, among other things.
Of the 13 non-federal entities with which GAO conducted the study, including researchers contributing to CISA’s OT alerts and OT vendors contributing to a CISA Collaborative Group, 12 were able to identify positive experiences in products and services CISA OT. There have, however, been complaints about it the staff was insufficient.
One example is that at the time of the study the threat hunting and incident response team consisted of four federal employees and five contractors. According to the agency, nine people are not enough to respond to OT cyber attacks in different locations.
Likewise, over four years, CISA was only able to fulfill 125 of 572 requests for OT products and services due to staffing shortages.
Although CISA reportedly states that it is working to address these shortcomings, the GAO recommends that the agency perform more effective workforce planning.