Cybersecurity: Improvements Needed in Addressing Risks to Operational Technology
Fast Facts
Operational technology systems control processes or production, and are often used in critical infrastructure—e.g., a system of sensors, controllers, and actuators that open and close the valves in oil pipelines. Cyberattacks pose a significant threat to these systems.
The Cybersecurity and Infrastructure Security Agency provides technical assistance to help critical infrastructure owners and operators address those cyber risks. But owners and operators had some challenges working with the agency. For example, there isn't always enough staff with the necessary skills.
We recommended that the agency improve its workforce planning and more.
A digital sensor for a heat pipe
Highlights
What GAO Found
Operational technology (OT) systems and devices are used to control, among other things, distribution processes (e.g., oil and natural gas pipelines) and production systems (e.g., electric power generation). Figure 1 shows the key components of an OT system using a pipeline system as an illustrative example.
Figure 1: Key Components of a Pipeline Operational Technology (OT) System
Although 12 of the 13 selected nonfederal entities cited examples of positive experiences with the Cybersecurity and Infrastructure Security Agency's (CISA) OT products and services, CISA and seven of the nonfederal entities identified two types of associated challenges. Specifically:
- Seven selected nonfederal entities identified negative experiences using CISA's products and services as a challenge. For example, one nonfederal entity told GAO that vulnerabilities reported through CISA's process often take more than a year between the initial report of a vulnerability and public disclosure (see figure 2).
- CISA officials and one nonfederal entity identified insufficient CISA staff with requisite OT skills as a challenge. For example, CISA officials stated that its four federal employees and five contractor staff on the threat hunting and incident response service are not enough staff to respond to significant attacks impacting OT systems in multiple locations at the same time.
To address these types of challenges, best practices highlight the importance of (1) measuring customer service and (2) performing effective workforce planning. However, CISA has not fully addressed these practices. Until CISA does so, the agency will not be optimally positioned to deliver products and services needed to address OT risks.
Figure 2: Cybersecurity and Infrastructure Security Agency (CISA) Operational Technology (OT) Cybersecurity Products and Services
Six of the seven selected agencies cited examples of where their collaboration with CISA yielded positive outcomes to addressing cyber OT risks. However, four agencies also identified two challenges in coordinating with CISA: (1) CISA ineffectively sharing information with critical infrastructure owners and operators, and (2) CISA and the Pipeline and Hazardous Materials Safety Administration lacking a process to share cyber threat information with owners and operators.
To address these types of challenges, it is important to adopt leading collaboration practices. However, CISA did not fully address any of five selected leading collaboration practices when coordinating with seven selected agencies (see table).
Extent to Which the Cybersecurity and Infrastructure Security Agency (CISA) Addressed Selected Leading Collaboration Practices with Seven Selected Agencies to Mitigate Cyber Operational Technology Risks to Critical Infrastructure
Collaboration practices | CESER | DC3 | FRA | NSA | PHMSA | TSA | USCG |
---|---|---|---|---|---|---|---|
Define common outcomes | ◑ | ◑ | ◑ | ◑ | ◑ | ◑ | ◑ |
Ensure accountability | ○ | ○ | ◑ | ○ | ◑ | ◑ | ◑ |
Bridge organizational cultures | ◑ | ◑ | ◑ | ◑ | ◑ | ◑ | ◑ |
Clarify roles and responsibilities | ◑ | ◑ | ◑ | ◑ | ◑ | ◑ | ◑ |
Develop and update written guidance and agreements | ○ | ◑ | ○ | ○ | ○ | ○ | ◑ |
Source: GAO analysis of agency information. | GAO-24-106576
Legend: ●=Generally addressed. ◑=Partially addressed. ○=Not addressed.
Note: CESER (Cybersecurity, Energy Security, and Emergency Response), DC3 (Department of Defense Cyber Crime Center), FRA (Federal Railroad Administration), NSA (National Security Agency), PHMSA (Pipeline and Hazardous Materials Safety Administration), TSA (Transportation Security Administration), and USCG (U.S. Coast Guard).
The practices were not fully addressed, in part, because of the lack of (1) guidance from CISA to the sector risk management agencies on how to update their plans for coordinating on critical infrastructure issues and (2) a CISA policy for developing agreements with sector risk management agencies with respect to collaboration. Until CISA takes action to address these weaknesses, it and the selected agencies will not be well-positioned to coordinate on mitigating cyber OT risks.
Why GAO Did This Study
Much of the nation's critical infrastructure relies on OT—systems that interact with the physical environment—to provide essential services. However, malicious cyber actors pose a significant threat to these systems. Federal law designates CISA as the lead agency in helping critical infrastructure owners and operators address cyber risks to OT.
The National Defense Authorization Act of Fiscal Year 2022 includes a provision for GAO to report on CISA's support for industrial control systems. Federal guidance now addresses these systems under the broader category of OT. Accordingly, this report examines, among other things: (1) challenges in delivering CISA's OT products and services, and (2) challenges to collaborating between CISA and the seven selected agencies.
GAO reviewed documentation describing CISA's 13 OT cybersecurity products and services. GAO also asked officials from CISA and 13 selected nonfederal entities to identify any challenges with the OT products and services. The selected entities included (1) councils representing one sector and three subsectors where OT was prevalent and the intelligence community highlighted their infrastructures as being at risk from cyber threat actors, (2) OT vendors who joined a CISA OT collaboration group, and (3) cybersecurity researchers that contributed to the development of CISA's OT advisories. GAO then compared CISA's efforts to address those challenges against leading practices regarding measuring customer service and workforce planning.
In addition, GAO reviewed documentation describing CISA’s efforts to collaborate with seven selected agencies to mitigate cyber OT risks. The seven selected agencies are: (1) Department of Defense’s (DOD) Defense Cyber Crime Center (DC3); (2) DOD’s National Security Agency (NSA); (3) Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER); (4) Department of Homeland Security’s (DHS) Transportation Security Administration (TSA); (5) DHS’s U.S. Coast Guard (USCG); (6) Department of Transportation’s (DOT) Federal Railroad Administration (FRA); and (7) DOT’s Pipeline and Hazardous Materials Safety Administration (PHMSA). GAO focused on these agencies or departmental components because each was (1) within agencies designated as the lead for helping to protect the selected sector and three subsectors and (2) responsible for helping critical infrastructure owners and operators to mitigate cyber OT risks. GAO also asked officials from seven selected agencies to identify any challenges in collaborating with CISA to mitigate cyber OT risks. GAO then compared documentation from the seven agencies and CISA against five selected leading collaboration practices.
Recommendations
GAO is making four recommendations to CISA to implement processes and guidance to improve its OT products and services and collaboration. Specifically, GAO is recommending that CISA
- measure customer service for its OT products and services,
- perform effective workforce planning for OT staff,
- issue guidance to the sector risk management agencies on how to update their plans for coordinating on critical infrastructure issues, and
- develop a policy on agreements with sector risk management agencies with respect to collaboration.
DHS concurred with the four recommendations to CISA and described actions that the agency plans to take to implement them.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Cybersecurity and Infrastructure Security Agency | The Director of CISA should (1) measure customer service for all of its OT products and services and (2) use the results of such measures to make improvements to the products and services. (Recommendation 1) | In providing comments on this March 2024 report, DHS on behalf of CISA concurred with this recommendation and has begun to take steps to implement it. In August 2024, the department stated that it collects and measures customer service data for eight of nine OT services, including best practice guidance, advisories, and other tools. DHS added that CISA is finalizing the scope of a program to standardize customer service metric collection for its services, including OT. Additionally, DHS stated that CISA is finalizing an agency-wide Customer Experience Strategic Action Plan, which builds on federal policy supporting customer service work and allows CISA to take a more unified and intentional approach toward building and measuring customer experience, including OT customer service. The department estimated that these efforts would be completed by December 31, 2024. Until CISA finalizes and implements its customer service metric collection program and related action plan to improve OT products and services, the agency may not have information on how its OT products and services are performing that it could use to make improvements to such products and services. We will continue to evaluate the department's progress in implementing this recommendation. |
Cybersecurity and Infrastructure Security Agency | The Director of CISA should (1) develop OT competency and staffing requirements, (2) assess OT competency and staffing gaps, and (3) develop strategies for filling any gaps. (Recommendation 2) | When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information. |
Cybersecurity and Infrastructure Security Agency | The Director of CISA should issue guidance on how SRMAs should update sector-specific plans that reflects the five selected leading collaboration practices when agencies are mitigating cyber OT risks. (Recommendation 3) | In providing comments on this March 2024 report, DHS on behalf of CISA concurred with this recommendation and has begun to take steps to implement it. In August 2024, DHS explained that, pursuant to National Security Memorandum-22, CISA in June 2024 released guidance templates for Sector Risk Management Agencies (SRMA) to use in developing their Sector-Specific Risk Assessments and Sector-Specific Risk Management Plans. According to the department, these templates identify priority risk areas and mitigations SRMAs should consider in their sector-specific risk assessments and plans, and include collaboration best practices for mitigating all-hazards risks, to include cyber OT risk. However, CISA has not yet provided us with this guidance. We will continue to evaluate the department's progress in implementing this recommendation. |
Cybersecurity and Infrastructure Security Agency | The Director of CISA should (1) develop an agency-wide policy on agreements with SRMAs regarding collaboration to mitigate OT risks and (2) implement that policy with the selected agencies. (Recommendation 4) | In providing comments on this March 2024 report, DHS on behalf of CISA concurred with this recommendation and has begun to take steps to implement it. In August 2024, DHS stated that pursuant to National Security Memorandum-22, all Sector Risk Management Agencies (SRMA) must develop and submit an SRMA Operating Plan to the National Security Council by October 27, 2024. According to DHS, once finalized, these plans will identify how SRMAs will fulfill their statutory requirements. DHS stated that, through the Office of the National Coordinator, CISA's Stakeholder Engagement Division will use these plans to identify operational gaps across SRMAs and determine how best to develop and deploy agency-wide policy agreements with SRMAs. The department estimated that these efforts would be completed by April 30, 2025. Until CISA develops and implements a policy on agreements with SRMAs regarding collaboration to mitigate cyber OT risks, CISA may continue to experience challenges in interagency collaboration. We will continue to evaluate the department's progress in implementing this recommendation. |