Something missing from CIP guidance
On May 1st (a holiday in Europe) CISA came out with a fact sheet addressing recent threat actors who “seek to compromise industrial control systems (ICS) and small-scale operational technology (OT) systems” (I guess large-scale OT is safe for now 😊).
I see valuable guidance in the fact sheet, but something is missing, and it is evident from the organisations that are not represented in the preparation of the alert. Besides the US DoE there is very little representation from engineering organisations: https://www.cisa.gov/resources-tools/resources/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity This lack of engineering input IMO has weakened the recommendations.
For example, in their quick-win list of things to do they recommend “Immediately change all default passwords of OT devices”. One would have expected the term ICS to be used here, but the more general OT is used instead. The recommendation sounds good until one realises that some protection devices come with only two passwords, one for “Admin” and the other for “user”. They cannot be changed. I am sure that if engineers had been part of the group they would have worded the OT statement differently and perhaps modified the suggested “Actions to take today” listed in a bullet box here: https://www.cisa.gov/sites/default/files/2024-05/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity-508c.pdf
Here is CISA’s list of organisations that contributed to the fact sheet:
“Federal Bureau of Investigation (FBI)
National Security Agency (NSA)
Environmental Protection Agency (EPA)
Department of Energy (DOE)
United States Department of Agriculture (USDA)
Food and Drug Administration (FDA)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
Canadian Centre for Cyber Security (CCCS)
United Kingdom’s National Cyber Security Centre (NCSC-UK)”
IMO a way must be found to get more engineering-oriented organisations added to the list of participants, to balance out the IT-cybersecurity-heavy membership. Engineering organisations are made up of professionals who know how things run and can provide what is missing. Otherwise there is a risk of gaps, where confusion about "OT" and "ICS" will make it hard to come up with good CIP policy.
One should remember that before CISA there were US-CERT and US ICS-CERT. Later they were merged to create today’s CISA, but in many of CISA’s public pronouncements it seems that the legacy, office-IT-oriented US-CERT is far too dominant, like Cinderella’s stepsisters “Anastasia and Drizella”. Perhaps this is an opportunity for the engineering community to put on that glass slipper?
EVERFOX, Senior Technical Director | Chief Engineer | Engineering Fellow | Speaker | Adjunct Professor MS Applied AI and Data Science @Baylor University | VP Society Design & Process Science | Board Member
7mo
Vytas that was great!!! Made my day which started at 4!