As agencies work to implement the Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) program capabilities, agency officials today said that operational technology (OT) has proved to be “one of the biggest challenges” for the program – and represents an unknown territory for both CISA and partner agencies.
At an FCW event today, Amy Hamilton, the senior cybersecurity advisor at the Department of Energy (DoE), explained that her agency is still in the process of doing asset management for traditional IT, but her team is already concerned about how they are going to do automated asset management for OT devices.
“I think OT is one of the biggest challenges that many of the different agencies have,” Hamilton said. “We are actually in the process of standing up a community of practice and that is going to be through the Federal CIO Council Innovation Committee, and looking at our principles of zero trust as it applies to OT and also principles of cloud adoption as it comes to OT.”
The new OT community of practice, or CoP, that the DoE is helping to stand up will join the five existing CoPs within the Federal CIO Council. Those include the Accessibility CoP, Cloud and Infrastructure CoP, Federal Mobility Group, Federal Technology Investment Management CoP, and the Small and Micro Agency CIO and CISO Council.
“Looking at what is the future of this OT-IT nexus is very exciting and very unknown at this point,” she said. “I think this is going to be a real challenge, but also a real opportunity for us to expand this partnership [with CISA].”
CISA said it is also aware that OT poses a big challenge to agencies and is currently working to gain more insight into the problem area.
“We’ve been working with a couple of select agencies really just to truly understand the problem space around OT, because we obviously have to approach it with a different level of sensitivity,” said Paul Loeffler, the portfolio management section chief at CISA.
The CDM program has been working for several years to lead agencies through the process of network asset discovery, installing endpoint detection and response capabilities, and reporting related data to CISA through the CDM dashboard. However, Loeffler said the OT space remains largely unknown and that work there faces a long road ahead.
He explained that CISA is currently working with partner agencies to gain access to some of their OT environments, utilizing some of the technologies that the agency already has in place.
“We’ve really been challenged in terms of getting … complete visibility across just the core assets,” he said. “We have our challenges there. So, we’ve only started to really dabble into some of the OT technology.”
“While I think CDM has taken surely a long duration for some of these capabilities, and we’ve invested in many of them concurrently… when we get into the OT space, I think those timelines significantly increase because of the level of possibility of us changing something and the impact that it could have,” Loeffler said. “So, that’s going to be a very long road as well, probably much longer than some of the other activities.”