What GAO Found
Operational technology (OT) systems and devices are used to control, among other things, distribution processes (e.g., oil and natural gas pipelines) and production systems (e.g., electric power generation). Figure 1 shows the key components of an OT system using a pipeline system as an illustrative example.
Figure 1: Key Components of a Pipeline Operational Technology (OT) System
Although 12 of the 13 selected nonfederal entities cited examples of positive experiences with the Cybersecurity and Infrastructure Security Agency’s (CISA) OT products and services, CISA and seven of the nonfederal entities identified two types of associated challenges. Specifically:
Seven selected nonfederal entities identified negative experiences using CISA’s products and services as a challenge. For example, one nonfederal entity told GAO that vulnerabilities reported through CISA’s process often take more than a year between the initial report of a vulnerability and public disclosure (see figure 2).
CISA officials and one nonfederal entity identified the insufficient CISA staff with requisite OT skills as a challenge. For example, CISA officials stated that its…
