Watchdog: CISA Needs to Update Plans to Protect Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency is behind on updating a plan to protect national infrastructure that was last issued eight years ago and has generally mismanaged the security of the nation’s dams, according to the Department of Homeland Security inspector general.

Under a 2013 presidential policy directive, CISA is “required to establish a process to measure and analyze the Nation’s ability to manage and reduce risks to dams and other critical infrastructure,” reads a report the inspector general’s office released Wednesday. “However … the [National Infrastructure Protection Plan], which provides overall strategic direction for the national effort to focus on critical infrastructure activities, has not been updated since 2013.”

Recent incidents such as the Colonial Pipeline hack and those on water treatment facilities have since highlighted cyber and physical realms becoming increasingly fused, and hackers have a history of attacking the supervisory control and data acquisition, or SCADA, systems used in dams and other operational technology environments, according to the FBI. 

When CISA became an agency in 2018, officials created a National Risk Management Center and made it responsible for strategic planning and a cross-sectional approach to managing cyber and physical threats to critical infrastructure. 

Responding to the inspector general, CISA Director Jen Easterly said the National Infrastructure Protection Plan will be updated by September 30, 2022. In a previous report, CISA estimated the plan would be ready by December 2020, the inspector general said.

In April, the NRMC published a list of critical functions toward taking a more integrated approach across agencies and departments. But the inspector general also reported CISA’s own internal divisions are not sufficiently coordinating with each other.

“​​CISA has not: coordinated or tracked its Dams Sector activities; updated overarching national critical infrastructure or Dams Sector plans; or collected and evaluated performance information on Dams Sector activities,” the report reads. “Although responsible for coordinating the security and resilience of the Dams Sector … CISA did not properly manage its own internal Dams Sector efforts to ensure these offices shared and leveraged information.”

In one example, the inspector general said CISA’s Infrastructure Division conducted on-site risk assessments but that the information was protected from disclosure. “Full and open exchange of information is key to a coordinated effort by CISA … to ensure the Dams Sector is secure and resilient, risks are identified, and responses are properly managed,” the inspector general said.  

CISA concurred with all of the inspector general’s recommendations and provided due dates for meeting information sharing and coordination objectives, in addition to updating strategic and operational plans.