Critical Infrastructure Security and Resilience Cyber Infrastructure November 2023


What is Critical Infrastructure?

Critical infrastructure includes the assets, systems, facilities, networks, and other elements that society relies upon to maintain national security, economic vitality, and public health and safety. We know critical infrastructure as the power used in homes, the water we drink, the transportation that moves us, the stores where we shop, and the Internet and communications we rely on to maintain our contact with friends, family, and colleagues. This physical and cyber infrastructure is typically owned and operated by the private sector, though some is owned by federal, state, or local governments. Not all infrastructure within an industry sector is critical to a nation or region. It is necessary to identify which infrastructure is both critical to maintain continued services or functions and vulnerable to some type of threat or hazard. Prioritizing the allocation of available resources to that subset of infrastructure can enhance a nation’s security, increase resiliency, and reduce risk.

There are four designated lifeline functions: transportation, water, energy, and communications. Their reliable operation is so critical that a disruption or loss of one of these functions will directly affect the security and resilience of critical infrastructure within and across numerous sectors. For example, energy stakeholders provide essential power and fuels to stakeholders in the communication, transportation, and water sectors, and, in return, the energy sector relies on them for fuel delivery (transportation), electricity generation (water for production and cooling), as well as control and operation of infrastructure (communication).

These connections and interdependencies between infrastructure elements and sectors mean that the loss of one or more lifeline function(s) typically has an immediate impact on the operation or mission in multiple sectors. As a result, additional loss of other functions may arise over time. Further, identifying and officially recognizing industry sectors that are lifeline sectors and/or have cross-sector interdependencies facilitates collaboration and information exchange that promotes continuity of operations and services. The choice of sectors prioritized in outreach efforts should reflect an understanding of the infrastructure’s interconnectedness and interdependencies, recognize existing industry associations, and align to government agencies’ roles and oversight responsibilities.

Critical infrastructure encompasses functions in addition to the lifelines. For example, in 2017 in the US, Election Infrastructure was designated a subsector of the Government Facilities Sector due to the importance of free and fair democratic elections as a foundation of the American way of life. Working to reduce risk in partnership with the public and private sector entities responsible for providing this kind of critical function is a crucial element of maintaining public confidence in the Nation’s critical infrastructure.

Current Critical Infrastructure Sectors

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems

What are the “Threats and Hazards” to Critical Infrastructure?

Both natural and man-made (deliberate or accidental) incidents have the potential to harm, damage, incapacitate, or destroy critical infrastructure. Rather than focusing on one type of threat or hazard at a time, such as hurricanes or terrorism, States should identify all threats and hazards that pose the greatest risks to critical infrastructure, which allows for more effective and efficient planning and resource allocation.

Critical infrastructure has long been subject to risks associated with physical threats and natural disasters, and is also now increasingly exposed to cyber risks. These risks stem from a growing integration of information and communications technologies with critical infrastructure and adversaries focused on exploiting potential cyber vulnerabilities. As physical infrastructure becomes more reliant on complex cyber systems for operations, critical infrastructure can become more vulnerable to certain cyber threats, including transnational threats.

Connections and interdependencies between infrastructure elements and sectors mean that damage, disruption, or destruction to one infrastructure element can cause cascading effects, impacting continued operation of another. Identifying and understanding interdependencies (two-way) or dependencies (one-way) between infrastructure elements and sectors are important for assessing the risks and vulnerabilities and for determining which steps may be taken to increase security and resilience. For example, the electric grid relies on integrated information and communication systems from other critical infrastructure sectors in order to operate. One example of the immediate need for energy is in recovery operations following a natural disaster. Until the energy system is restored, water and wastewater systems cannot provide clean water, natural gas cannot flow to provide heat, and generation and telecommunications systems quickly become inoperative once backup power sources begin to fail.

Soft Targets and Crowded Places

From cyber to physical security threats, we live in a world where terrorist activity is increasing and becoming more diffuse, where attacks can be either simple and opportunistic in nature or complex and organized. The rising number of attacks against soft targets/crowded places in multiple cities worldwide, from the EU to Orlando, New Zealand, San Bernardino to Sri Lanka, demonstrates that the nature of the threat is evolving and reinforces the need for global vigilance, preparedness, and collaboration. National and international efforts seek to address the trend toward attacking soft targets and crowded places.

For example, the EU is working domestically with all levels of government to provide training, resources, and materials to enhance and promote soft target and crowded places security.

On the international front, countries are working together to share good practices, lessons learned and experiences on attacks against soft targets and crowded places to help create and advance a global culture of security. The Global Counterterrorism Forum (GCTF) Soft Target Protection Initiative, co-led by the United States and Turkey, involved a series of regional workshops with government and the private sector aimed at raising awareness, increasing preparedness, and creating the first set of non-binding international good practices on soft target protection in a counterterrorism context.

The good practices are meant to inform and guide governments and private industry as they work together to develop policies, practices, guidelines, programs, and approaches in protecting their citizens from terrorist attacks on soft targets and crowded places. Discussions acknowledged that States have the primary responsibility for ensuring security in their territory and protecting their civilians in accordance with the United Nations (UN) Charter. The UN Security Council Resolution 2341 (2017) outlines the role of States on the protection of critical infrastructure and particularly vulnerable targets, such as public places, from terrorist attacks, including through public-private partnerships as appropriate.

Threats and Hazards

Threats and hazards may be specific to geographic regions or extend across an entire country, and may even have global ramifications. Examples include:

  • Climatological Events (extreme temperatures, drought, wildfires)
  • Hydrological Events (floods)
  • Meteorological Events (tropical cyclones, severe convective storms, severe winter storms)
  • Geophysical Events (earthquakes, tsunamis, volcanic eruptions)
  • Pandemics (global disease outbreaks)
  • Space Weather Events (geomagnetic storms)
  • Technological and Industrial Accidents (structural failures, industrial fires, hazardous substance releases, chemical spills)
  • Unscheduled Disruptions (aging infrastructure, equipment malfunction, large scale power outages)
  • Criminal Incidents and Terrorist Attacks (vandalism, theft, property damage, active shooter incidents, kinetic attacks)
  • Cyber Incidents (denial-of-service attacks, malware, phishing)
  • Supply Chain Attacks (exploiting vulnerabilities to cause system or network failure)
  • Foreign Influence Operations (to spread misinformation or undermine democratic processes)
  • Untrusted Investment (to potentially give foreign powers undue influence over critical infrastructure)

These threats and hazards must be analyzed to determine their potential impacts on infrastructure and how likely they are to occur.