Critical Infrastructure and Cybersecurity in the United States We live in a new world, one with a digital landscape full of cyber threats and vulnerabilities. As a collective we are headed to a future where both public and private sector security professionals must employ a highly collaborative and interconnected platform to maintain both physical and cyber security for critical infrastructure. “Critical infrastructure” is a term used often by governments to describe the assets that are essential for the functioning of a society or economy — their most important infrastructure. Critical infrastructure describes the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety. The 16 Sectors of Critical Infrastructure in the United States This information was provided by and pulled from the official CISA webpage on critical infrastructure. This page may be viewed here. Chemical Sector: The Chemical Sector is an integral component of the U.S. economy that manufactures, stores, uses, and transports potentially dangerous chemicals upon which a wide range of other critical infrastructure sectors rely. Commercial Facilities Sector: The Commercial Facilities Sector includes a diverse range of sites that draw large crowds of people for shopping, business, entertainment, or lodging. Facilities within the sector operate on the principle of open public access, meaning that the general public can move freely without the deterrent of highly visible security barriers. Communications Sector: The Communications Sector is an integral component of the U.S. economy, underlying the operations of all businesses, public safety organizations, and government. Presidential Policy Directive 21 identifies the Communications Sector as critical because it provides an “enabling function” across all critical infrastructure sectors. Over the last 25 years, the sector has evolved from predominantly a provider of voice services into a diverse, competitive, and interconnected industry using terrestrial, satellite, and wireless transmission systems. Critical Manufacturing Sector: The Critical Manufacturing Sector is crucial to the economic prosperity and continuity of the United States. A direct attack on or disruption of certain elements of the manufacturing industry could disrupt essential functions at the national level and across multiple critical infrastructure sectors. Dams Sector: The Dams Sector delivers critical water retention and control services in the United States, including hydroelectric power generation, municipal and industrial water supplies, agricultural irrigation, sediment and flood control, river navigation for inland bulk shipping, industrial waste management, and recreation. Defense Industrial Base Sector: The Defense Industrial Base Sector is the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements. Emergency Services Sector: The Emergency Services Sector (ESS) is a community of millions of highly-skilled, trained personnel, along with the physical and cyber resources, that provide a wide range of prevention, preparedness, response, and recovery services during both day-to-day operations and incident response. The ESS includes geographically distributed facilities and equipment in both paid and volunteer capacities organized primarily at the federal, state, local, tribal, and territorial levels of government, such as city police departments and fire stations, county sheriff’s offices, Department of Defense police and fire departments, and town public works departments. The ESS also includes private sector resources, such as industrial fire departments, private security organizations, and private emergency medical services providers. Energy Sector: The U.S. energy infrastructure fuels the economy of the 21st century. Without a stable energy supply, health and welfare are threatened, and the U.S. economy cannot function. Presidential Policy Directive 21 identifies the Energy Sector as uniquely critical because it provides an “enabling function” across all critical infrastructure sectors. More than 80 percent of the country’s energy infrastructure is owned by the private sector, supplying fuels to the transportation industry, electricity to households and businesses, and other sources of energy that are integral to growth and production across the nation. Financial Services Sector: The Financial Services Sector represents a vital component of our nation’s critical infrastructure. Large-scale power outages, recent natural disasters, and an increase in the number and sophistication of cyberattacks demonstrate the wide range of potential risks facing the sector. Food and Agriculture Sector: The Food and Agriculture Sector is almost entirely under private ownership and is composed of an estimated 2.1 million farms, 935,000 restaurants, and more than 200,000 registered food manufacturing, processing, and storage facilities. This sector accounts for roughly one-fifth of the nation’s economic activity. The Food and Agriculture Sector has critical dependencies with many sectors, but particularly with the Water and Wastewater Systems, Transportation Systems, Energy Systems, and Chemical Systems. Government Facilities Sector: The Government Facilities Sector includes a wide variety of buildings, located in the United States and overseas, that are owned or leased by federal, state, local, and tribal governments. Many government facilities are open to the public for business activities, commercial transactions, or recreational activities while others that are not open to the public contain highly sensitive information, materials, processes, and equipment. These facilities include general-use office buildings and special-use military installations, embassies, courthouses, national laboratories, and structures that may house critical equipment, systems, networks, and functions. In addition to physical structures, the sector includes cyber elements that contribute to the protection of sector assets (e.g., access control systems and closed-circuit television systems) as well as individuals who perform essential functions or possess tactical, operational, or strategic knowledge. Healthcare and Public Health Sector: The Healthcare and Public Health Sector protects all sectors of the economy from hazards such as terrorism, infectious disease outbreaks, and natural disasters. Because the vast majority of the sector’s assets are privately owned and operated, collaboration and information sharing between the public and private sectors is essential to increasing resilience of the nation’s Healthcare and Public Health critical infrastructure. Information Technology Sector: The Information Technology Sector is central to the nation’s security, economy, and public health and safety as businesses, governments, academia, and private citizens are increasingly dependent upon Information Technology Sector functions. These virtual and distributed functions produce and provide hardware, software, and information technology systems and services, and—in collaboration with the Communications Sector—the Internet. The sector’s complex and dynamic environment makes identifying threats and assessing vulnerabilities difficult and requires that these tasks be addressed in a collaborative and creative fashion. Nuclear Reactors, Materials, and Waste Sector: From the power reactors that provide electricity to millions of Americans, to the medical isotopes used to treat cancer patients, the Nuclear Reactors, Materials, and Waste Sector covers most aspects of America’s civilian nuclear infrastructure. The Nuclear Sector-Specific Agency within the Department of Homeland Security is responsible for coordinating the security and resilience of the Nuclear Sector. Transportation Systems Sector: The Department of Homeland Security and the Department of Transportation are designated as the Co-Sector-Specific Agencies for the Transportation Systems Sector. The nation’s transportation system quickly, safely, and securely moves people and goods through the country and overseas. Water and Wastewater Systems Sector: Safe drinking water is a prerequisite for protecting public health and all human activity. Properly treated wastewater is vital for preventing disease and protecting the environment. Thus, ensuring the supply of drinking water and wastewater treatment and service is essential to modern life and the Nation’s economy. Founding CISA to Protect Critical Infrastructure With formal identification of these sectors complete, attention turned to the establishment of agencies and programs to assist these sectors with their cyber security efforts. On November 16th, 2018 the Cybersecurity and Infrastructure Security Act of 2018 was signed into law. . This landmark piece of legislation elevated the mission of the former National Protection and Programs Directorate (NPPD) within the Department of Homeland Security (DHS). This directorate also established the Cybersecurity and Infrastructure Security Agency, or CISA. CISA coordinates security and resilience efforts using trusted partnerships across both public and private sectors, and delivers technical assistance and assessments to both federal stakeholders and infrastructure owners and operators worldwide. CISA is the Nation’s risk advisor, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future. Specifically relating to infrastructure security, CISA’s main area of focus involves: Providing free tools and resources for government and private sector partners Facilitating Critical Infrastructure Vulnerability Assessments Strengthening security and resilience across the chemical sector Providing training, encouraging information sharing, and fostering sector partnerships and international engagement. The Department of Homeland Security’s Strategy to Critical Infrastructure Security The government believes that the protection of critical infrastructure is of the utmost importance. This is echoed by the United States Department of Homeland Security, who employ a risk-informed, all-hazards approach to safeguarding critical infrastructure in cyberspace. This approach emphasizes protections for privacy and civil liberties, transparent and accessible security processes, and domestic and international partnerships that further collective action. To take action on these priorities, the DHS coordinates with sector-specific agencies, other federal agencies, and private sector partnerships to share information on and analysis of cyber threats and vulnerabilities. Additionally, the coordination is done to understand the interdependency of infrastructure systems nationwide. This collective approach to prevent, protect against, mitigate, respond to, investigate, and recover from cyber incidents prioritizes understanding and meeting the needs of their partners, and is consistent with the growing recognition among corporate leaders that cyber and physical security are interdependent and must be core aspects of their risk management strategies. Additional Programs Enacted to Protect Critical Infrastructure The Department of Homeland Security has founded many programs, centers, and initiatives in order to protect critical infrastructure. While there are many in existence today, here are some of the most vital: National Cybersecurity and Communications Integrations Center (NCCIC) The National Cybersecurity and Communications Integration Center’s (NCCIC) mission is to reduce the risk of systemic cybersecurity and communications challenges in our role as the Nation’s flagship cyber defense, incident response, and operational integration center. Since 2009, the NCCIC has served as a national hub for cyber and communications information, technical expertise, and operational integration, and by operating out 24/7 situational awareness, analysis, and incident response center. The NCCIC shares information among the public and private sectors to provide greater understanding of cybersecurity and communications situation awareness of vulnerabilities. intrusions, incidents, mitigation, and recovery actions. NCCIC ICs works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community and coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors. Cybersecurity and infrastructure protection experts from NCCIC ICS provide assistance to owners and operators of critical systems by responding to incidents and restoring services, and analyzing potentially broader cyber or physical impacts to critical infrastructure. Additionally, NCCIC collaborates with international and private sector Computer Emergency Response Team (CERTs) to share control system-related security incidents and mitigation measures. Critical Infrastructure Cyber Community Voluntary Program (C3VP) Because cybersecurity and physical security are increasingly interconnected, DHS has partnered with the critical infrastructure community to establish a voluntary program to encourage use of the Framework for Improving Critical Infrastructure Cybersecurity to strengthen critical infrastructure cybersecurity. The Critical Infrastructure Cyber Community C³ (pronounced “C Cubed”) Voluntary Program is the coordination point within the federal government for critical infrastructure owners and operators interested in improving their cyber risk management processes. The C³ Voluntary Program aims to support industry in increasing its cyber resilience; increase awareness and use of the Framework for Improving Critical Infrastructure Cybersecurity; and encourage organizations to manage cybersecurity as part of an all hazards approach to enterprise risk management. National Infrastructure Coordinating Center (NICC) The National Infrastructure Coordinating Center (NICC), which is part of the DHS National Operations Center, is the dedicated 24/7 coordination and information sharing operations center that maintains situational awareness of the nation’s critical infrastructure for the federal government. When an incident or event affecting critical infrastructure occurs and requires coordination between DHS and the owners and operators of our Nation’s critical infrastructure, the NICC serves as that information sharing hub to support the security and resilience of these vital assets. The NICC and the NCCIC share cyber and physical security information to enhance the efficiency and effectiveness of the U.S. government’s work to secure critical infrastructure and make it more resilient.
Vulnerability Assessment vs Penetration Testing: Understanding the Key Differences Vulnerability Assessment vs Penetration Testing READ ARTICLE
Unlocking Continuous Threat Exposure Management: New Features for Prioritizing Remediation Based on Business Impact The evolution of product security READ ARTICLE