CISA’s Matthew Rogers, INL’s Ollie Gagnon on driving cyber resilience in critical infrastructure
The Cybersecurity and Infrastructure Security Agency is working to expand the reach of its cybersecurity services geared toward operational technology systems, as CISA and other agencies warn of the increasing cyberthreat to U.S. critical infrastructure.
CISA offers a range of free cybersecurity services to partners across the public and private sector. Matthew Rogers, OT cyber lead at CISA, said more than 10,000 critical infrastructure organizations have signed up to use the agency’s free vulnerability scanning services.
And the agency is “at the limit of our current capacity” for risk assessments that it offers to outside organizations. But Rogers, who is focused on helping organizations secure the operational technology that runs most critical infrastructure, said CISA wants to expand to more organizations.
“We’re actively in the process of improving the services so that they can scale to more people,” Rogers said during Federal News Network’s Cyber Leaders Exchange 2025. “It might be a lower fidelity version than sending a bunch of OT experts to your door in person but seeing where we can actually improve and scale those offerings to give everybody a little bit more of a bit of a security insight into their operational technology network.”
Rogers said CISA typically prioritizes “systemically important entities,” or a subset of critical infrastructure that are particularly important to national security, the economy, and public health and safety.
“But we still have to help everybody else, because if that critical infrastructure goes down, it’s still a bad day for a lot of people,” Rogers said. “We’re working to scale our services that we can get broader uptake amongst those smaller groups.”
Cyber-resilience keys
The planned expansion comes as CISA works to spread awareness about a growing array of cyberthreats to critical infrastructure networks.
Rogers highlighted both lower level threat groups targeting insecure devices in critical infrastructure networks, as well as sophisticated nation-state groups like the China-linked Volt Typhoon. CISA and other agencies have warned that Volt Typhoon is targeting power, water and other U.S. critical infrastructure systems for potential disruption during a future conflict.
“That’s why a lot of the CISA efforts are focused on, how do we uplift the resiliency of existing infrastructure such that even if there is a successful attack, the impact of it is lower?” Rogers said.
CISA works closely with the Idaho National Laboratory to help develop those resiliency techniques. INL has pioneered approaches to cyber-informed engineering, which is aimed at integrating cybersecurity practices into critical infrastructure engineering.
“Entities are still chasing vulnerabilities and responding to threats, and they’re not really starting with the main piece, which is consequence,” Ollie Gagnon, INL’s chief homeland security advisor, said during the Cyber Leaders Exchange event.
The lab’s Resilience Optimization Center can conduct full-scale testing to replicate cyberattacks on electric grids, water utilities, wireless systems and other critical systems. And INL also conducts assessments across different states and sectors to gauge cyber readiness.
While a deficit of cybersecurity talent is a challenge, Gagnon said INL’s risk assessments have revealed a more pressing challenge.
“The biggest finding we found is not on the tech side — it’s that managers don’t understand cyber risk,” Gagnon said. “So when you have people that are sitting in procurement, human resources, operations, if they’re not understanding cyber risk, they’re making decisions that impact cyber risk.”
Amid those management challenges, a major blind spot for many organizations is determining who is responsible for securing operational technology, Rogers said.
“Whose responsibility is what, between the edge of the IT network to the DMZ to the networking devices and OT, versus the actual engineering components,” Rogers said. “It varies significantly by organization.”
Promoting secure by design approach across government
Rogers said part of the solution is making devices more secure from the start. Since 2021, CISA has been pushing major technology vendors to adopt secure by design principles.
“What we’re really pushing for from the CISA side is, how do we put more responsibility on the manufacturers, on the integrators, to deploy these things in such a way that, yes, it fits within the operator workflow? Yes, it meets all of these 24/7 operational demands, but it’s also secure,” Rogers said. “Some of that just comes from, how do we encourage people at the manufacturer level to include their cybersecurity teams with their actual product development teams?”
Meanwhile, as organizations adopt newer technologies like artificial intelligence and machine learning, Gagnon said resilience must be part of the adoption equation. But cyber resilience approaches will need to be tailored across 16 critical infrastructure sectors and 54 subsectors, he added.
“They all have unique needs, so it’s got to be something that’s scalable and applicable as an overall approach,” he said.
Discover more articles and videos now on our Cyber Leaders Exchange 2025 event page.
Copyright
© 2025 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
link
