Feds Say CISA Not Prepared to Defend OT
If that headline doesn’t keep you up at night, I don’t know what will. The Government Accountability Office (GAO) says they have found inefficiencies in CISA’s information sharing practices, in particular with critical infrastructure stakeholders.
They also say that CISA is understaffed for handling OT incidents.
Just to make sure everyone is on the same page, OT in this context means operational technology such as the computers that run, say, your local electric utility, water treatment plant or gasoline distribution center – among many others.
The GAO also said that the Pipeline and Hazardous Materials Safety Administration’s approach to sharing threat information with infrastructure owners was “inadequate”.
Guess how many OT experts CISA has?
I’ll give you a clue. YOU have more fingers than they have experts.
They have FOUR employee experts and FIVE contractors. For most of us, that is fewer than the number of fingers we have.
The GAO asked some of CISA’s federal agency customers about how things were going. The agencies were: Department of Defense’s Defense Cyber Crime Center; DOD’s National Security Agency; Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response; Department of Homeland Security’s Transportation Security Administration; DHS’ U.S. Coast Guard; Department of Transportation’s Federal Railroad Administration; and DOT’s Pipeline and Hazardous Materials Safety Administration.
The 2022 National Defense Authorization Act requires the GAO to report on CISA’s preparedness for dealing with industrial control systems. Suffice it to say, they did not get a gold star.
That doesn’t mean CISA is sitting on their hands. They are now offering nine OT cybersecurity services. But given that there are almost 150,000 public water systems alone in the United States, that means each of the 9 people has to cover roughly 15,000 systems. Of course, that doesn’t cover any other critical infrastructure. So, after you add all the other OT in use, maybe each person needs to cover, say, 30,000 systems, or maybe 50,000 systems.
If that makes you sleep well, you are a better person than me.
On the other hand, if you need help, please contact us.
Credit: Data Breach Today